[Bug]: Nextcloud 29.0.11 & 30.0.5 contain CVE-2024-50345

[knight-of-ni]

⚠️ This issue respects the following points: ⚠️

• This is a bug, not a question or a configuration/webserver/proxy issue.
• This issue is not already reported on Github OR Nextcloud Community Forum (I've searched it).
• Nextcloud Server is up to date. See Maintenance and Release Schedule for supported versions.
• I agree to follow Nextcloud's Code of Conduct.

Bug description

CVE-2024-50345 was reported against Nextcloud in Fedora & EPEL last November.
https://bugzilla.redhat.com/show_bug.cgi?id=2324262
https://bugzilla.redhat.com/show_bug.cgi?id=2324257

Nextcloud 29.0.11 contains http-foundation 5.4.25 and Nextcloud 30.0.5 contains http-foundation 6.4.12.

The recommended fix is to upgrade to http-foundation to 5.4.46 and 6.4.14, respectively.

Does the Nextcloud team plan to address this CVE in either or both Nextcloud releases? Thank you.

Steps to reproduce

1. Install the latest release of Nextcloud 29 or 30
2. Check version of htt-foundation
3. Observe the version contains the named CVE

Expected behavior

Version of http-foundation is upgraded

Nextcloud Server version

29

Operating system

RHEL/CentOS

PHP engine version

None

Web server

Apache (supported)

Database engine version

MySQL

Is this bug present after an update or on a fresh install?

Fresh Nextcloud Server install

Are you using the Nextcloud Server Encryption module?

None

What user-backends are you using?

• Default user-backend (database)
• LDAP/ Active Directory
• SSO - SAML
• Other

Configuration report

List of activated Apps

Nextcloud Signing status

Nextcloud Logs

Additional info

No response

[solracsf]

6.4.14 is on v31: #50314
In all cases, you should follow https://github.com/nextcloud/server?tab=security-ov-file#readme

[knight-of-ni]

Apologies. In hindsight I overlooked the link to the security policy, which I now see is shown in the github issue template.

I get it, this has been fixed in master branch and will be part of the next release, but the question remains. Will it be fixed in NC 29 or 30? Both versions are still supported according to release policy.

As the fedora packager, this will help me plan my own release schedule. Nextcloud 29 is of particular concern, as we can't move past that for el9 distros due to PHP requirements.

[joshtrichards]

Cc: @nickvergessen

I know this isn't technically what you're asking, but for what it's worth: I don't see any use of the impacted function or classes across our ecosystem. I only see usage of IPUtils and it's an entirely independent class (that just happens to be bundled as part of http-foundation by Symfony).

[nickvergessen]

Yeah we will update them soon to avoid this yields everywhere, but at the same time we are not aware the bits would be used, so it's less urgent than indicated by the SA

[knight-of-ni]

That's perfect. Thank you. I completely understand this is low priority.

[nickvergessen]

30 is fixed by #50463