Nextcloud 9 update brings security, open source enterprise capabilities and support subscription, iOS app

Originally published at: https://nextcloud.com/nextcloud-9-update-brings-security-open-source-enterprise-capabilities-and-support-subscription-ios-app/
We’re excited to announce that our Enterprise Support Subscriptions are available! With the Nextcloud update available today come enterprise capabilities including Windows Network Drive storage support, Shibboleth/SAML authentication integration, theming capabilities and control over password policy. These provide the most important capabilities for enterprises, under an open source license and developed in an open and transparent way with direct feedback from prospective users. This release also fixes critical security issues discovered as part of our $5000 Security Bug Bounty Program. Together with TWSweb, developers of the popular Cryptocloud app, we announce a partnership to provide Nextcloud users with a capable client for iOS.

Enterprise capabilities

[Image: Windows Network Drive integration]
  • SAML Single Sign-On Authentication (SSO)
  • Extensive logging and reporting capabilities
  • Windows Network Drive integration
  • Password policy
  • Easy branding and theming
  • Improved anonymous upload (former Files Drop)
  • Calendar and Contacts
  • Secure WebRTC Conferencing
  • Online Office integration
You can learn more about our capabilities on our feature page.
In the coming weeks, further capabilities will become available. These features are part of the core of Nextcloud or can be installed easily as apps, all available under an open source license. We believe that transparent development processes ultimately benefit users and customers, not only because more contributors make for better code but also because closer collaboration with partners enables better alignment with the needs of users. We thus invite prospective users and customers to get involved in development.

Federated Cloud Sharing and the Open Cloud Mesh initiative

Yesterday, Nextcloud announced participation in the Open Cloud Mesh initiative. Under the umbrella of research collaborative GÉANT it aims to link researchers and universities in Europe, the Americas and Asia via a series of interconnected, secure private clouds. The project builds on the Federated Cloud Syncing protocol developed by Nextcloud contributors over the past years and already allows syncing between Nextcloud and Pydio servers, a first important step in breaking the barrier between the various public and private cloud silos.
Theming Nextcloud in half a minute.
We've published our plans for pushing this important initiative forward over the coming months.

The support you need to be successful

Our open approach extends to support. Nextcloud offers customers direct access to Nextcloud engineers, the latest knowledge and best practices. We provide technical expertise, guidance and collaboration with phone and chat contact. Pro-active security support helps customers identify and address vulnerabilities and harden their servers to protect the safety and integrity of sensitive data.

Our annual support subscription starts at 1500€ for 50 users. Our offerings include options with up to 24/7 support and a 24-hour SLA, and up to 15 years of Extended Life Cycle support. You can view our available subscriptions and their benefits on our enterprise pricing page.

For organizations or teams with fewer than 50 users, we recommend purchasing the spreedbox Business. This provides Nextcloud and web conferencing capabilities in a convenient and secure hardware appliance that comes with a one-year support contract.

The spreedbox offers a low-barrier entree to Nextcloud capabilities.

iOS and other clients

To provide the best possible experience to users on various platforms, we're working with various partners. Today we announce that the makers of the popular Cryptocloud app provide the official Nextcloud client for iOS. The app is available from the App Store.

The Nextcloud iOS client supports all the needed capabilities like:

  • File handling like renaming, deleting and moving of files
  • Display of documents, photos, videos, audio files with previews
  • Favorite files to keep them synchronized and available offline
  • Automatic uploading of images taken with the phone camera
More abilities are under development and a new update to the Android app is coming soon!

Security Bug Bounties

Security is important for Nextcloud users and customers. This is why we released our Security Bug Bounty program, offering bounties up to USD 5000 for critical security issue disclosures. Among the highest payouts in the open source world, our offer has paid off and we've received reports from a number of high profile experts from the security community.

This program is a big part of what makes Nextcloud the most secure open source solution for file sync and share. With the release of enterprise capabilities and support options today, we are also making available a security and stability release of Nextcloud 9. We strongly recommend that users upgrade at their earliest convenience.

Customers can expect to be informed about security vulnerabilities and available workarounds or mitigation options as part of our service with an Enterprise Support Subscription.

Available now

You can get the latest release of Nextcloud on our install page and learn more about our Enterprise Support Subscriptions here and about our features here.
4 Likes

…so just to clarify… the enterprise features such as webrtc conferencing and Collabora integration… are these available to non enterprise users (ie users without a support subscription)?

4 Likes

I’m a little disappointed you’re going externally for iOS. What happened to working out the GPL issues on the code OC already has?

Or have I misunderstood that?

Well, the GPL issue is simply that oC would have to release the app under a more liberal license. That doesn’t seem to be happening anytime soon…

Of course, anyone can install them as of today. I’m preparing a blog about installing Spreed and we’ll do something with the Collabora once that is officially announced, too.

3 Likes

Oh I see. So is this a stopgap while the iOS app is (presumably) rebuilt or is it a permanent solution? I support having a client as quickly as possible for all involved, I just assumed it was going to be built inhouse (eventually).

This will be the case, at the moment this is a solution that is “good enough” for now. We will actively work on getting an app out that will be licensed as FOSS and allows contributions by external parties :slight_smile:

Stay tuned! And any help of course welcome :slight_smile:

3 Likes

And to add to what Lukas said - who knows, we might be able to work with the Cryptocloud team to open source their app. If done the same way as the ownCloud app (GPL) it won’t hurt their business model…

1 Like

Hello,

congrats to Nc 9.52! :slight_smile:

Just 2 questions:

Ciao,
Joachim

Hello, is it possible in the future to change the background image at the login page with the Theming App?

At the moment the integrated updater has been disabled for known bugs on many cases. The new updater that can be tested at Test our new work-in-progress upgrader script should be able to offer this update. You need to configure it to “updates.nextcloud.org/updater_server/” and might need to wait for up to one hour until our caching is all gone. (will manually clear caches soon though as well)

Added there :slight_smile:

Yes. Check the video that is linked:

2 Likes

Thanks for the information.

Lars Müller

Curious, I have a complete theme created already. What are the implications here with the new theming capabilities?

None. Existing themes should work quite fine, if you however change some theming defaults with the theming app it will probably overwrite your themes :slight_smile:

(e.g. change the color to red and it might overwrite your theme’s color)

I’m happy some thought was put into that :smiley:

Implications: Do not accidentally choose the folder name of the existing theme when using the GUI :stuck_out_tongue_winking_eye:

Other than that: you should be fine

3 Likes

We are working to make Nextcloud a platform that can meet the needs of all, I am sure that we will succeed in the future to find a good deal also with the community open source. :grinning:

4 Likes

I want to provide some feedback for the newsletter/news post:
You mention there were some security issues but you provide absolutely no detail as to what the impact of those might have been.
I initially assumed they were paid out $5000, so qualified as a RCE. But looking at the nextcloud hackerone page only a $750 bounty and some smaller ones have been paid out. Still the reports are not (yet?) public there.

Have they been assigned a CVE number? For those of us who still have instances which are not yet upgraded, is owncloud also affected? Have they been notified?

I could probably start looking through the github commit log, but without knowing what to look for this is pretty fruitless.

Regarding the links in the newsletter, I pretty much don’t care that they are tracked, but as a side effect you don’t see where a particular link is leading. I.e. in the current newsletter there was a link “(you should update!)” which I expected to lead to some description of the bugs fixed. It just led to the nextcloud download page, which wasn’t very useful when reading the email on mobile…

We don’t publicly disclose any security information to third parties until 14 days after the release, following industry best practices. On July 19th advisories will be published, we do recommend to have updated instances until then.

As you can see by the HackerOne bounties the found vulnerabilities range all from low to medium. You can also see on that page what we consider as low and medium.

We contact our CNA shortly before the advisory release date. Until then, no CVE identifiers are assigned.

The quote from http://www.eweek.com/cloud/nextcloud-improves-security-adds-enterprise-support.html should answer that question:

“With regard to these vulnerabilities, we have made ownCloud a proposal on how we believe this information exchange should work, but they have not agreed on a proposal yet,” Karlitschek said. “We hope that we can agree on a process so that ownCloud users also benefit from the security fixes we do.”

So yes, ownCloud is affected by these bugs as well, as a courtesy we informed them about the vulnerabilities but they didn’t release any patched version or whatsoever yet.

Note that migrating to Nextcloud is often a simple “replace all program files”, so that is always an option and I’d personally go that route if you care about security.

2 Likes

The claws are coming out there :laughing: