I updated my Nextcloud yesterday, everything works fine and the update process was smooth as usual. But I have to agree, some background information regarding the changes/fixes would be appreciated (as long as it doesn’t expose an attack vector for older versions I guess).
diff tells two different stories:
- updated files_pdfviewer including a newer PDFJS
- some small fixes around authentication tokens. Here I can feel what’s the problem and what the fix does but frankly I do not understand why Nextcloud GmbH is so afraid of making a little bit more detailed announcement. Of course nobody wants them to disclose the exact details till most of the deployments are updated, but telling “Security update” is so weak and embarrassingly non-transparent. Something like “Critical security update, please update as soon as possible. More details about the vulnerability will be disclosed later” would be more prudent.
Actually it’s called responsible disclosure. Our security advisories with details are published 2-4 weeks after the release on https://nextcloud.com/security/advisories/ together with an assigned CVE number.
Everyone, 2 things.
First, apologies that we were so late announcing the update, after it had already been pushed out. This was indeed a security thing but we’re pretty flooded atm with customer requests and I just didn’t find time to blog, update the website etc in time so that came a day late.
Second, we don’t give details about security problems, we just say “please update asap”. We do out-of-plan updates when there are significant issues. Could be security, could be file loss, could be something else, but only important things. So these updates do have some important fixes, please update asap. Just like any update, btw, it is usually really wise to update as quickly as you reasonably can (no need to lose sleep over it but don’t wait 2 weeks). That’s what we also always say in our announcements.
As a matter of policy, we don’t give details about security fixes until 2 weeks after release because that gives the Bad Folks tips on how to exploit them. In 2 weeks, we will have published security advisories with impact analysis on https://nextcloud.com/security/ as usual. See what Joas said.
When I try to update with the GUI updater, the update gets stuck at step 4 (Backup).
The command line tells me:
Current version is 18.0.2. No update available. Nothing to do.
occ update:check tells me that “1 update available”.
As it seems, it’s not possible to upgrade my installation.
So I suggest you update manually. You can use bash scripts if you prefer (there are many on the internet), even if it is not perfect, mine works with 17.0.5 (not tested with 18.x).
I have already tried to upgrade manually via the command line. The update to 18.0.3 does not show up.
@fenvarien maybe you should open an issue on GitHub to inform the NC team.
What error do you get when updating via the web ui? That a backup is still in progress? If so, just keep clicking the button to try again and eventually it’ll go through.
You have to download it, extract it and then run the update.
Before you urge people to update, please check the following issue, several people have. And I mean, this is some serious issue.
Many thanks and Rgds and keep sane
Why do you deactivate this post? I mean I did not insult someone and I did not disgrace NC. Deactivating a post without a reason is some kind of interesting, uh?