Alerts This Week
Warning Icon 1 485
Alerts This Week
Warning Icon 1 485

Mageia 8: 2021-0421 Moderate: Nextcloud Client SSL Risk and Fix

mageia
Calendar Grey September 23, 2021
Dist Mageia Esm H88
Mageia has issued a security patch targeting SSL authentication issues identified in the Nextcloud application, aiming to bolster user safety.
Nextcloud Desktop Client before 3.3.1 is vulnerable to improper certificate validation due to lack of SSL certificate verification when using the "Register with a Provider" flow

Summary

Nextcloud Desktop Client before 3.3.1 is vulnerable to improper certificate validation due to lack of SSL certificate verification when using the "Register with a Provider" flow. (CVE-2021-22895)
In versions prior to 3.3.0, the Nextcloud Desktop client fails to check if a private key belongs to previously downloaded public certificate. If the Nextcloud instance serves a malicious public key, the data would be encrypted for this key and thus could be accessible to a malicious actor. This issue is fixed in Nextcloud Desktop Client version 3.3.0

References

- https://bugs.mageia.org/show_bug.cgi?id=29043

- https://security-tracker.debian.org/tracker/source-package/nextcloud-desktop

- https://www.cve.org/CVERecord?id=CVE-2021-22895

- https://www.cve.org/CVERecord?id=CVE-2021-32728

Resolution

SRPMS

- 8/core/nextcloud-client-3.3.3-1.mga8

Publication date: 23 Sep 2021
URL: https://advisories.mageia.org/MGASA-2021-0421.html
Type: security
CVE: CVE-2021-22895, CVE-2021-32728

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Your message here