After upgrade to Hub 7 (28.0.4) get issues of security

abkrim · March 29, 2024, 10:11am

Version Nextcloud Hub 7 (28.0.4)
Ubuntu 22.04
Apache 2.4 + Mod PHP
PHP 8.1.27

occ integrity:check-core
  - INVALID_HASH:
    - core/js/mimetypelist.js:
      - expected: 550ab566d30693bfa24ec4b15d9df87731ae8a3be8f79dabf94757e5b8b20eec6e4b678f17af1718297f2872f6b04519eeb024d1dff11947f29da431c7f11201
      - current: 301654cbbe168b8723530db88fd2e40ad688f4e6b0bdaeade5b4fe34bd94d9d3cfe760821e97dc792e585d4b6ccff838597bfd46466bb07d30ff84df4cb79518
  - EXTRA_FILE:
    - core/img/filetypes/drawio.svg:
      - expected:
      - current: 92e0974cf869bf8ab969c3442dc2b80d55fde36441d22924db74916a06b407520aa2a9dc39336f9157195ebede697ffac0e639360879255ab91932d406e1897d
    - core/img/filetypes/dwb.svg:
      - expected:
      - current: 43731dd5f17a048112ea5109b40b02ec019b3ee2324385a0f448e3bd2264cb13dc160ab018d893f92f8e2f168fd09009b51578c8c6b97a02a1617c67ac087701

Apreciate help.

SysKeeper · March 29, 2024, 10:23am

See Is there a command line to update to specific versions of Nextcloud? - #24 by SysKeeper and feel free to report to the apps repo

tflidd · March 29, 2024, 10:23am

How did you upgrade? If you do the manual upgrade, make sure to remove all the old code files first (not copy and replace the directory). (don’t delete the data folder and/or config folder).
Anyway, do a full backup before!

Rayn0r · March 29, 2024, 1:55pm

I see the exact same error as @abkrim under Ubuntu 22.04 with php8.1.

I started the update via WebUI updater and then finished things by running:

sudo -u www-data php /usr/share/nextcloud/occ upgrade
sudo -u www-data php /usr/share/nextcloud/occ maintenance:mode --off

as usual inside a terminal.

I upgraded twice today.
My initial version was 27.1.4. I upgraded this one to 27.1.8 and from there directly to 28.0.4.

Rayn0r · March 29, 2024, 2:09pm

I downloaded the Nextcloud releases 28.0.4 and 27.1.8.
The file mimetypelist.js inside the nextcloud-28.0.4.zip has the sha512 hash 550ab566d30693bfa24ec4b15d9df87731ae8a3be8f79dabf94757e5b8b20eec6e4b678f17af1718297f2872f6b04519eeb024d1dff11947f29da431c7f11201
the one inside 27.1.8 has
4b0a99fbab7bc4824176101150bd0ab2b553e128a390e0f872580db4541462b31aad13099fd41533b6695d1b185dabca26a45e9a78227cfb9479eafa439c7bff

so it is not a leftover from the old installation.

The diff from 28.0.4 to the one under /usr/share/nextcloud/core/js/mimetypelist.js looks as follows:

--- /tmp/nextcloud-28.0.4/core/js/mimetypelist.js        2024-03-28 07:54:44.000000000 +0100
+++ mimetypelist.js     2024-03-29 13:35:30.964386786 +0100
@@ -13,6 +13,7 @@
     "application/font-sfnt": "font",
     "application/font-woff": "font",
     "application/gpx+xml": "location",
+    "application/gzip": "package/x-generic",
     "application/illustrator": "image",
     "application/javascript": "text/code",
     "application/json": "text/code",
@@ -80,7 +81,7 @@
     "application/x-fictionbook+xml": "text",
     "application/x-font": "font",
     "application/x-gimp": "image",
-    "application/x-gzip": "package/x-generic",
+    "application/x-gzip": "application/gzip",
     "application/x-iwork-keynote-sffkey": "x-office/presentation",
     "application/x-iwork-numbers-sffnumbers": "x-office/spreadsheet",
     "application/x-iwork-pages-sffpages": "x-office/document",
@@ -120,6 +121,8 @@
     "application",
     "application-pdf",
     "audio",
+    "drawio",
+    "dwb",
     "file",
     "folder",
     "folder-drag-accept",

So how did the file get changed?

abkrim · March 29, 2024, 2:56pm

Upgrade from web. Web download package. After. run occ upgrade.

Rayn0r · March 29, 2024, 3:05pm

It seems like the issue is being caused by the draw.io app:
https://github.com/jgraph/drawio-nextcloud/issues/26