Stay Secure with the Latest Linux Advisories

security advisoryremote threatlow severity

Arch Linux: 202109-42 Medium: Nextcloud Mail Vulnerability Announcement

The package nextcloud-app-mail before version 1.10.1-1 is vulnerable to information disclosure. . Arch Linux Security Advisory ASA-202107-41 ========================================= Severity: Low Date : 2021-07-20 CVE-ID : CVE-2021-32707 Package : nextcloud-app-mail Type : information disclosure Remote : Yes Link : https://security.archlinux.org/AVG-2145 Summary ====== The package nextcloud-app-mail before version 1.10.1-1 is vulnerable to information disclosure. Resolution ========= Upgrade to 1.10.1-1. # pacman -Syu "nextcloud-app-mail> =1.10.1-1" The problem has been fixed upstream in version 1.10.1. Workaround ========= None. Description ========== In versions prior to 1.9.6, the Nextcloud Mail application does not, by default, render images in emails to not leak the read state. The privacy filter failed to filter images with `background-image` CSS attribute. Note that the images were still passed through the Nextcloud image proxy, and thus there was no IP leakage. Impact ===== A remote attacker could disclose whether an email message has been read by embedding a remote CSS background image. References ========= https://github.com/nextcloud/security-advisories/security/advisories/GHSA-xxp4-44xc-8crh https://hackerone.com/reports/1215251 https://github.com/nextcloud/mail/pull/5189 https://github.com/nextcloud/mail/commit/e54c2331f4b98cc39a5b3899c8ed1468dfc5cc30 https://security.archlinux.org/CVE-2021-32707 . Nextcloud Mail on Arch Linux versions below 1.10.1-1 are prone to information exposure through remote images. Please update to ensure security.. Nextcloud Security, Arch Linux Advisory, Information Disclosure. . Severity: Medium. LinuxSecurity.com Team

Jul 20, 2021 •Medium ArchLinux