|
Bugzilla – Full Text Bug Listing |
| Summary: | VUL-0: CVE-2024-37313: nextcloud: ability to bypass the second factor of 2FA after successfully providing the user credentials | ||
|---|---|---|---|
| Product: | [openSUSE] openSUSE Distribution | Reporter: | SMASH SMASH <smash_bz> |
| Component: | Security | Assignee: | Eric Schirra <ecsos> |
| Status: | NEW --- | QA Contact: | Security Team bot <security-team> |
| Severity: | Normal | ||
| Priority: | P3 - Medium | CC: | camila.matos |
| Version: | Leap 15.6 | ||
| Target Milestone: | --- | ||
| Hardware: | Other | ||
| OS: | Other | ||
| URL: | https://smash.suse.de/issue/410914/ | ||
| Whiteboard: | |||
| Found By: | Security Response Team | Services Priority: | |
| Business Priority: | Blocker: | --- | |
| Marketing QA Status: | --- | IT Deployment: | --- |
|
Description
SMASH SMASH
2024-06-14 18:57:13 UTC
This once again shows a problem with the stubborn adherence to the default of no major or minor update of packages. The major version 24 is EndOfLife since 2023-04. https://github.com/nextcloud/server/wiki/Maintenance-and-Release-Schedule Leap 15.6 just came out a few days ago. With a package that has been dead for a year. You can't update from 24 to 29 either. Even if you are allowed to according to suse specifications. Because in nextcloud you only have to/may only update one level at a time. 24 -> 25 -> 26 -> 27 -> 28 -> 29. 24.0.12.13 is not open source and can not download. So what should you do in this case? |