Is update to 18.03 real?

The official website is still at 18.0.2. But I can manually edit the URL address to 18.0.3 and download 18.0.3. I’m worried that Changelog is still not updating. Is there a sense of urgency to this update?

Why do you think one would release a new version out of the regular schedule if it’s not urgent?


At this time the site hasn’t been updated. If urgent it should be announced more, otherwise this update is suspect.


really anyone forces you to do things you don’t feel ok with… so it’s all good… you decide yourself :wink:

Got the notification last night, just upgraded. All went smooth, as usual. :slight_smile:

I appreciate all the time you invest here, however, please also understand that people don’t like to simply assume anything and love to have detailed information.
As Nextcloud always advertises: you want to have your personal data and files as secure as possible. So careful admins don’t simply hit the update button and install any package which isn’t announced.

I followed all the links so far and tried to understand, what exactly made this update so urgent, but still I don’t understand it.
All I read so far is: “It’s better to have that fix”. But why? What can happen if not?

While we link from here to Github and from Github to this forum here back and forth, why not explain the issue at some place and link to that place?

So what I’m asking for is simply: please take the people’s concerns serious. We all are just human :slight_smile:
Some a bit more scared than others and some don’t understand every issue instantly :wink:


Usually when a company releases a security update but refuses to say what it patches means it’s a serious exploit/vulnerability that can be exploited by anyone.

I’d hop on the update asap.

@kesselb It’s not unheard of for a project’s infrastructure to be compromised and malicious updates posted.

Not seeing documentation in the usual channels raises suspicion that something like this may have occurred. Most of us are used to the release appearing on github and the update server only notifying after a week or so. This release was the other way around and so surprising.

Especially so for an important security update, I would expect to see some notification somewhere with accompanying CVE if applicable.


I’ve updated my Nextcloud yesterday, everything works fine and the update process was smooth as usual. But I have to agree, some background information regarding the changes/fixes would be appreciated (as long as it doesn’t expose an attack vector for older versions I guess).

1 Like

diff tells two different stories:

  • updated files_pdfviewer including a newer PDFJS
  • some small fixes around authentication tokens. Here I can feel what’s the problem and what the fix does but frankly I do not understand why Nextcloud GmbH is so afraid of making a little bit more detailed announcement. Of course nobody wants them to disclose the exact details till most of the deployments are updated, but telling “Security update” is so weak and embarrassingly non-transparent. Something like “Critical security update, please update as soon as possible. More details about the vulnerability will be disclosed later” would be more prudent.
1 Like

Actually it’s called responsible disclosure. Our security advisories with details are published 2-4 weeks after the release on together with an assigned CVE number.


Everyone, 2 things.
First apologies that we were so late announcing the update, after it had already been pushed out. This was indeed a security thing but we’re pretty flooded atm with customer requests and I just didn’t find time to blog, update the website etc in time so that came a day late.
Second, we don’t give details about security problems, we just say “please update asap”. We do out-of-plan updates when there are significant issues. Could be security, could be file loss, could be something else, but only important things. So these updates do have some important fixes, please update asap. Just like any update, btw, it is usually really wise to update as quick as you reasonably can (no need to lose sleep over it but don’t wait 2 weeks). That’s what we also always say in our announcements :wink:

As a matter of policy, we don’t give details about security fixes until 2 weeks after release because that gives the Bad Folks tips on how to exploit them. In 2 weeks, we will have published security advisories with impact analysis on as usual. See what Joas said.


When I try to update with the GUI updater, the update gets stuck at step 4 (Backup).

The command line tells me:

Current version is 18.0.2.

No update available.

Nothing to do.

occ update:check tells me, that “1 update available”.
As it seems, it’s not possible to upgrade my installation.

So I suggest you manual update. You can use bash scripts if you prefer (you have many on internet), even if it is not perfect, mine works with 17.0.5 (not tested with 18.x).

I have already tried to upgrade manually via the command line. The update to 18.0.3 does not show up.

@fenvarien maybe you should open an issue in github to inform the NC team.

What error do you get when updating via the web ui? That a backup is still in progress? If so, just keep clicking the button to try again and eventually it’ll go through.

You have to download it, extract it and then run the update.

Hey all,

before you urge people to update, please check the following issue, several people have. And I mean, this is some serious issue.

Many thanks and Rgds and keep sane


why do you deactivate this post? I mean I did not insult someone and I did not discrace NC. deaktvating a post without a reason is some kind of interresting uh?