Nextcloud version (eg, 12.0.2): 17.0.4
Operating system and version (eg, Ubuntu 17.04): Ubuntu 18.04
Apache or nginx version (eg, Apache 2.4.25): Apache 2.4.29
PHP version (eg, 7.1): 7.2.24
The issue you are facing:
I see that there is a new version 17.0.5, and that it is a security fix. Therefore I’d like to update my server quickly. But the Updater (either via web or command line) only offers me 18.0.3.
I’m on the Stable update channel, and not quite ready to switch this server to NC18 yet, due to missing support for the README.md plugin, but I don’t see a way to upgrade to 17.0.5 without doing it completely manually.
Is there a way to tell the Updater to install any version other than the one it chooses? Or do I need to do the update manually?
I have the same question.
I’m also concerned that I don’t see the 17.0.5 release in Github.
I couldn’t find a current issue in the bugtracker. An old one refers to the production channel which does not exist any more: https://github.com/nextcloud/updater/issues/159
Make a feature request on the bug tracker and patch the security fix manually. Perhaps wait until tomorrow if it’s not just because the update is not yet offered by the updater servers.
@tflidd, thanks, but I still have questions.
Yes, I’d like to have the choice to update within a release. But that’s not even my primary concern.
Mostly, I’d like to find out what are the “critical bugfixes” mentioned on the Nextcloud blog. What is the “Security update” mentioned in the changelog?
I see a bounty was awarded for an undisclosed bug on Hacktivity five days ago. Could that be related?
Since I don’t see the 17.0.5 or 18.0.3 release in Github, I can’t investigate that directly. And, anyway, how can there be new releases available for download that aren’t described in Github?
Maybe I don’t understand how to use Github properly, but this makes me worry that the security issue is so dangerous that the people who created the new release want to see it adopted widely before it is disclosed. Am I being paranoid?
@tflidd suggested, “Make a feature request on the bug tracker and patch the security fix manually.” How do I patch the security fix manually if it isn’t available on Github? (If the “feature request” you’re suggesting is to be able to update within a release, sure, but not my priority right now.)
I have the same question: how to upgrade my production environment to version 17.0.5. I sincerely hope we do not have to go back to the old days of manual upgrades.
I’ve read on this forum somewhere they have removed the “Production” channel and replaced it with “Enterprise”.
The “new” stable channel only does major upgrades; only Enterprise does minor upgrades within the latest stable branch, which is quite stupid…
I feel strongly that Nextcloud could have communicated far more clearly about these releases. I had to really dig around to find this comment from @Jospoortvliet that explains quite clearly what happened.
And, yes, my concern was increased because the updater doesn’t let me update within the installed release. I see several tickets on that, most of them closed. I couldn’t easily tell whether that’s still considered an open issue.
I guess I’ll go back and refresh my memory about manual updates. But I hope next time Nextcloud needs to do an unscheduled release, they’ll explain much more clearly what it’s for, even before fully disclosing the vulnerability.
I disagree. When you see a business release a security update but provide no information, it’s generally because they don’t want to draw attention to the bug in question. They are likely letting people patch now and will release a statement later.
My assumption at this point is that the bug is likely a zero-day exploit, and even mentioning what is patched might be all someone needs to start exploiting Nextcloud instances.
Otherwise, yes, they should have communicated this better.
But I hope next time Nextcloud needs to do an unscheduled release, they’ll explain much more clearly what it’s for, even before fully disclosing the vulnerability.
This would assume that it is possible to give more information without disclosing the vulnerability. But what if not?
We’ll never know… oh well, maybe in two weeks.
Regarding your update-issue: Have you tried to switch from stable to beta channel and back to stable? Just for the sake of refreshing the update-check…
@Paradox551 and @Boki4d, I understand the need to delay disclosure. But I stand by what I said: Nextcloud should have said, “Please see our security release process. We’ll disclose more later.” (@keresztg agrees.)
That’s what @Jospoortvliet said after two days of discussion and concern. I think it should have been in the original announcement.
Right, but as a general rule of thumb, silent security updates are typically major security patches. It takes a while for large hosts like Hetzner to roll out those patches into their infrastructure.
Reminds me of when SolusVM patched and disclosed the security vulnerability at the same time, and less than five hours later there was a script public on the internet that let anyone take down the control panel and download the database. That actually happened to several large providers at the same time.
I think currently the easiest way is the manual update. Like @Boki4d said, they probably wait with the disclosure until most have run the update, so we should pinpoint the fix.
Please mention in the bug report the potential security risk that people could hold back with their update because they have to use the manual update in order to keep the current version and will probably delay the installation of security fixes.
Yes, would have been better. The changelog is on github and you can create a pull request:
I have posted an issue https://github.com/nextcloud/updater/issues/278, specific to this situation. I didn’t want to post one until I was reasonably sure that it was unintended behaviour, or just needed a little more time for them to push 17.0.5 to the update channel. But considering it is a security update, and it’s been a few days now I think it’s worthwhile.
Personally, I’m comfortable enough to update manually, but since I have several users depending on the service far more than usual with the current Covid-19 lock-down, I’m putting off the disruption and chance of an issue until the weekend.
@Lawrence_Owen, thanks, #278 prompted #348. Looking at the patch, it appears it was just a typo in the configuration of the update server.
I just updated my 17.0.4 through the Updater smoothly, and now my 17.0.5 is offered 18.0.3, as expected.
@sbw Yes, I accessed the server I’m managing today to do the update manually, and immediately received a notification that the 17.0.5 update was now available via the updater.
Typos in configuration files happen, I’ve done it myself enough times. Thanks to the Nextcloud team for reacting.