| field | value | date |
|---|---|---|
| author | Maximilian Bosch <maximilian@mbosch.me> | 2020-12-10 20:57:42 +0100 |
| committer | Maximilian Bosch <maximilian@mbosch.me> | 2020-12-11 12:39:57 +0100 |
| commit | 520b10453f65a1ef6edf99092914b5bca61bdf3f | |
| tree | 7ff70f027857485587b7c15f8df202c298ebb17c /pkgs/development/python-modules/python-mapnik/python-mapnik_std_optional.patch | |
| parent | 656888e1ec079e98de5dd0e3b28a29d290ea101d | |

nextcloud: 19.0.4 -> 19.0.6, 20.0.1 -> 20.0.3, mark v19 as insecure

ChangeLogs:

* https://nextcloud.com/changelog/#20-0-3
* https://nextcloud.com/changelog/#19-0-6

For Nextcloud 20, security advisories for CVE-2020-8259[1] &
CVE-2020-8152[2] were published. The only way to fix those is to upgrade
to v20; although v19 and v18 are supported, the issue won't be fixed
there[3].

Even though both CVEs are only related to the encryption module[4], which
is turned off by default, I decided to add a vulnerability note to
`nextcloud19` since CVE-2020-8259 is rated as "High" by NIST (in
contrast to Nextcloud, which rates it as "Low").

If one is not affected by the issue, `nextcloud19` can still be used by
declaring `permittedInsecurePackages`[5].

[1] https://nvd.nist.gov/vuln/detail/CVE-2020-8259,
https://nextcloud.com/security/advisory/?id=NC-SA-2020-041

[2] https://nvd.nist.gov/vuln/detail/CVE-2020-8152,
https://nextcloud.com/security/advisory/?id=NC-SA-2020-040

[3] https://help.nextcloud.com/t/fixes-for-cve-2020-8259-cve-2020-8152-in-nextcloud-18-19/98289

[4] https://docs.nextcloud.com/server/20/admin_manual/configuration_files/encryption_configuration.html

[5] https://nixos.org/manual/nixpkgs/stable/#sec-allow-insecure

Closes #106212

Diffstat (limited to 'pkgs/development/python-modules/python-mapnik/python-mapnik_std_optional.patch')
0 files changed, 0 insertions, 0 deletions
