Is update to 18.03 real?

Hi all

Sorry to bother you, but I have something strange going on. I have just checked my Nextcloud and it is showing that an update to 18.03 is available on the stable channel.


I can't find any changelog, though, or info on GitHub to suggest there should be a new release.

Is this legitimate, or is this a clever way someone is trying to compromise my system?

Currently running Nextcloud 18.02, installed through NextCloudPi in Docker on x86/amd64 hardware.

Thanks for taking the time to look, and for any advice.

2 Likes

I also found an update to 18.0.3 and am now testing it.
It stops at “Create Backup”, like the update to 18.0.2.

1 Like

" Is update to 18.03 real"
Probably not. I’m on 16.0.9 and get 17.0.5 for update which is due April 20 and only 14% ready.

@mds-uk

You ask if the update to 18.0.3 is real.
Well, apparently it IS real. Looks as if the devs decided to get it out earlier than planned.

1 Like

Slow downloads are back and the web update fails because of it.

Yay!

Oh yes. Normal software projects use mirrors. Greetings to Nextcloud GmbH :wink:

1 Like

Looks like there are still open issues. Is there something critical which needs fast updating?

I’d say so yes.


Yes, it is:

Both are in milestone 18.0.4, so these aren’t open issues for 18.0.3 anymore.

18.0.3 and 17.0.5 are unplanned security fix releases. That would also explain why the git repo does not have it yet.

Roeland is the security lead.

Please make sure to update your instance soon. It’s better to have that fix :slight_smile:

2 Likes

The official website is still at 18.0.2. But I can manually edit the URL address to 18.0.3 and download 18.0.3. I’m worried that the changelog is still not updated. Is there a sense of urgency to this update?

Why do you think one would release a new version out of the regular schedule if it’s not urgent?

2 Likes

At this time the site hasn’t been updated. If urgent it should be announced more, otherwise this update is suspect.

2 Likes

really anyone forces you to do things you don’t feel ok with… so it’s all good… you decide yourself :wink:

Got the notification last night, just upgraded. All went smooth, as usual. :slight_smile:

I appreciate all the time you invest here, however, please also understand that people don’t like to simply assume anything and love to have detailed information.
As Nextcloud always advertises: you want to have your personal data and files as secure as possible. So careful admins don’t simply hit the update button and install any package which isn’t announced.

I followed all the links so far and tried to understand, what exactly made this update so urgent, but still I don’t understand it.
All I read so far is: “It’s better to have that fix”. But why? What can happen if not?

While we link from here to GitHub and from GitHub to this forum here back and forth, why not explain the issue at some place and link to that place?

So what I’m asking for is simply: please take people’s concerns seriously. We all are just human :slight_smile:
Some a bit more scared than others and some don’t understand every issue instantly :wink:

3 Likes

Usually, when a company releases a security update but refuses to say what it patches, it means it’s a serious exploit/vulnerability that can be exploited by anyone.

I’d hop on the update ASAP.

@kesselb It’s not unheard of for a project’s infrastructure to be compromised and malicious updates posted.

Not seeing documentation in the usual channels raises suspicion that something like this may have occurred. Most of us are used to the release appearing on GitHub and the update server only notifying after a week or so. This release was the other way around, and so surprising.

Especially so for an important security update, I would expect to see some notification somewhere with accompanying CVE if applicable.

4 Likes