Httpoxy Can Effect Nextcloud, Get Your Update Now

system · July 18, 2016, 3:02pm

Originally published at: https://nextcloud.com/httpoxy-can-affect-nextcloud-get-your-update-now/

We ship Guzzle 5 as part of Nextcloud. This handles http requests and supports HTTP_PROXY environment variable which can be abused, in some special scenario’s, by an attacker to read content. In the worst case, when you use the ajax cron feature, an attacker can potentially see external storage credentials and data. We recommend not to use the ajax cron feature but the system cron if possible, as that also improves performance and reliability.

As a precaution and because security and privacy are paramount for our users, we released a security update. Grab the latest from the install page! Here is documentation on doing a manual upgrade or migrate.

Learn more about httpoxy here.

jakob42 · July 25, 2016, 5:32am

Could you please add the version number in which a security related bug is fixed in your news article? (On https://nextcloud.com/news/) I recently upgraded from owncloud and wasn’t sure if I had the fix already, would be quicker if I could see the number directly in the news, especially since there could have been newer minor releases since then.

Thanks!

nickvergessen · July 25, 2016, 8:17am

Just for the record it was fixed in 9.0.53

jospoortvliet · August 8, 2016, 7:26am

Hey Jakob, sorry for the lack of clarity here. We’d like to have an ‘official’ number that is different from the ‘real’ number (that is needed for compatibility), which causes some confusion yes. Should be solved starting Nextcloud 11 or so