Originally published at: Nextcloud Bugfix and Security Updates - Nextcloud
Welcome to 2017! Our New Year's resolution: continue to provide you the safest, most secure way to protect your data!
Today Nextcloud makes available updates for Nextcloud 9, 10 and 11 with a number of bug fixes and a precautionary update for the SwiftMailer vulnerability discovered recently. We recommend updating at your earliest convenience. Read on to find out what has changed.
Fixes
Nextcloud 11.0.1 introduces about two dozen fixes dealing with Safari's lack of decent CSPv3 support, a fix for LDAP issues, the Calendar/Contact DAV endpoint and more. About a dozen are relevant for 10.0.3, making updates more reliable and fixing some translation and visual issues.
Find more details in our changelogs.
Precautionary update for SwiftMailer
Just before the end of 2016, a security researcher published a security advisory for an unfixed critical vulnerability in SwiftMailer. SwiftMailer is a widely used library for sending e-mails from PHP applications and is used by many popular frameworks such as Yii2, Laravel or Symfony.
The library in question is also used by Nextcloud, and we immediately began analyzing the vulnerability as well as its exploitation path. After extensive analysis by members of our security team, we believe that a standard Nextcloud server installation is not affected by this specific vulnerability. However, as we include the library in our public programming API, third-party app authors may call the library in an exploitable way.
Security Matters
Nextcloud takes security very seriously and protecting user data is of utmost importance to us. We want to state again that this is purely a security precaution and, based on our research, this seems like a non-exploitable issue in a default Nextcloud server installation. However, as we didn't want to take even a slightly theoretical chance of exploitation, we've decided to err on the side of caution to protect our users.
Nextcloud employs dedicated security personnel, is subject to regular penetration testing, static and dynamic analysis and offers bug bounties up to $5,000 for critical security vulnerabilities.