Security Scanner rating for unsupported NC version

Support intro

Sorry to hear you’re facing problems :slightly_frowning_face:

help.nextcloud.com is for home/non-enterprise users. If you’re running a business, paid support can be accessed via portal.nextcloud.com where we can ensure your business keeps running smoothly.

In order to help you as quickly as possible, before clicking Create Topic please provide as much of the below as you can. Feel free to use a pastebin service for logs, otherwise either indent short log examples with four spaces:

    example

Or for longer, use three backticks above and below the code snippet:

```
longer
example
here
```

Some or all of the below information will be requested if it isn’t supplied; for fastest response please provide as much as you can :heart:

Nextcloud version (eg, 20.0.5): 24.0.2.1
Operating system and version (eg, Ubuntu 20.04): Ubuntu 20.04
Apache or nginx version (eg, Apache 2.4.25): replace me
PHP version (eg, 7.4): replace me

The issue you are facing: the Security Scanner gives a good A rating for the installation, but the NC settings warn of an unsupported version. Which is correct?
I can see that NC 24 is end of support this month. Maybe that’s why there is a warning, but then the security scanner should also be updated, right?
Additionally, the advice is to upgrade to 24.0.12. However, that should then also be end of life. I suppose I need to upgrade to 24.0.12 in order to be able to upgrade to NC 26, but the text implies that I only need to upgrade to 24.0.12 and things are fine.
Up until now I was of the opinion that 24.0.2 is a supported version because of the security scanner rating.

Is this the first time you’ve seen this error? (Y/N): Y

:bangbang: Security Scanner shows an A rating.

:bangbang: However, in the Settings of NC I do get a warning that my version of Nextcloud is unsupported.

Thanks for your advice.

Two things come to mind…

  1. The security scanner says that the major version 24 is still supported, which is kind of correct, because 24.0.12 was just released. However, this was the last update for version 24, which makes NC24 technically EOL now, and you should plan to upgrade to 25 in a timely manner.

  2. Nextcloud tells you that the currently installed version is no longer supported, but doesn’t specify whether it refers to the major or the minor version. However, since you are still on 24.0.2 this is correct too, because technically, only the latest minor release of a major release is supported, which would be 24.0.12 in your case.

Generally, you should always perform minor version updates as soon as possible, because they also include security updates. In addition to that, you should keep an eye on this: Maintenance and Release Schedule · nextcloud/server Wiki · GitHub in order to plan the upgrades to new major releases.

2 Likes

While I fully agree with @bb77 regarding patching, the scanner is wrong even by its own definition:

The rating is calculated as follows:

* F = This server version is end of life and has no security fixes anymore. It is likely trivial to break in and steal all the data or even take over the entire server.
* E = This server is vulnerable to at least one vulnerability rated "high". It is likely quite easy to break in and steal data or even take over the server.
* D = This server is vulnerable to at least one vulnerability rated "medium". With bit of effort, like creating a specially crafted URL and luring a user there, an attacker can likely steal data or even take over the server.
* C = This server is vulnerable to at least one vulnerability rated "low". This might or might not provide a way in for an attacker and will likely need some additional vulnerabilities to be exploited.
* A = This server has no known vulnerabilities but there are additional hardening capabilities available in newer versions making it harder for an attacker to exploit unknown vulnerabilities to break in.
* A+ = This server is up to date, well configured and has industry leading hardening features applied, making it harder for an attacker to exploit unknown vulnerabilities to break in. [Learn more about these preventive hardening features.](https://nextcloud.com/blog/nextcloud-11-delivers-verified-security-improvements)

Running 24.0.2 must result in an “E” rating, as this version is affected by CVE-2023-26482 (Scope of workflow operations is not validated) and a lot of other issues. The majority of the issues might not be very critical in real life, but the scanner, as the main security hint, must reflect them very well and motivate admins to upgrade faster…

1 Like
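To make the two rules discussed in this thread concrete (bb77’s point that only the newest minor of a major line counts as supported, and wwe’s point that the letter grade must follow the worst vulnerability still open on the installed version), here is a small Python script that implements the quoted rating scale against a version list. This is an added example, not the Nextcloud Security Scanner’s code: the advisory identifiers, severities, fix versions, “latest minor” table and EOL set are all constructed placeholders, not real Nextcloud data. What it shows is why 24.0.2.1 cannot honestly be graded “A” while fixed vulnerabilities exist later in the 24 line, and why a plain string comparison of versions (“24.0.2.1” > “24.0.10”) would get that wrong.

```python
from __future__ import annotations

from dataclasses import dataclass


def parse_version(version: str) -> tuple[int, ...]:
    """'24.0.2.1' -> (24, 0, 2, 1). Tuples compare numerically per field,
    so (24, 0, 2, 1) < (24, 0, 10) even though the plain strings sort
    the other way round."""
    return tuple(int(part) for part in version.strip().split("."))


@dataclass(frozen=True)
class Advisory:
    """One known vulnerability (hypothetical identifiers, not real CVEs)."""
    ident: str
    severity: str      # "high" | "medium" | "low", as in the rating text
    affected_major: int
    fixed_in: str      # first release of that major line carrying the fix


# Constructed sample data: identifiers, severities and fix versions are made up.
ADVISORIES = [
    Advisory("EXAMPLE-2023-0001", "high", 24, "24.0.10"),
    Advisory("EXAMPLE-2023-0002", "medium", 24, "24.0.5"),
    Advisory("EXAMPLE-2023-0003", "low", 25, "25.0.3"),
]
# Assumed latest minor per supported major line, and assumed EOL majors.
LATEST_MINOR = {24: "24.0.12", 25: "25.0.6"}
EOL_MAJORS = {23}

SEVERITY_RANK = {"high": 3, "medium": 2, "low": 1}
GRADE_FOR_RANK = {3: "E", 2: "D", 1: "C"}   # worst open severity -> grade


def open_advisories(version: str, advisories=ADVISORIES) -> list[Advisory]:
    """Advisories that still apply: same major line and installed < fixed_in."""
    v = parse_version(version)
    return [a for a in advisories
            if a.affected_major == v[0] and v < parse_version(a.fixed_in)]


def is_latest_minor(version: str, latest=LATEST_MINOR) -> bool:
    """'Supported' in the sense used above: only the newest minor of a
    major line counts, so 24.0.2 on a line whose newest is 24.0.12 is not."""
    v = parse_version(version)
    newest = latest.get(v[0])
    return newest is not None and v == parse_version(newest)


def rate(version: str, advisories=ADVISORIES, latest=LATEST_MINOR,
         eol=EOL_MAJORS) -> str:
    """Map an installed version to the quoted letter scale."""
    v = parse_version(version)
    if v[0] in eol:
        return "F"                      # EOL line: no fixes will ever come
    still_open = open_advisories(version, advisories)
    if still_open:
        worst = max(SEVERITY_RANK[a.severity] for a in still_open)
        return GRADE_FOR_RANK[worst]    # E / D / C by worst open severity
    if v[0] == max(latest) and is_latest_minor(version, latest):
        return "A+"                     # newest minor of the newest line
    return "A"                          # nothing known open, but newer hardening exists


def explain(version: str) -> str:
    """Human-readable verdict combining the grade and the support status."""
    grade = rate(version)
    open_ids = ", ".join(a.ident for a in open_advisories(version)) or "none"
    support = "latest minor" if is_latest_minor(version) else "outdated minor"
    return f"{version}: grade {grade}, open advisories: {open_ids}, {support}"


if __name__ == "__main__":
    for candidate in ("24.0.2.1", "24.0.12", "25.0.2", "25.0.6", "23.0.9"):
        print(explain(candidate))
```

With the constructed data, 24.0.2.1 grades “E” because a high-severity advisory fixed in a later 24.0.x release still applies to it, while 24.0.12 grades “A” (clean, but not the newest major line) and is the only 24.x release `is_latest_minor` accepts. Swapping the placeholder advisory list for a real feed is the only change needed to turn this into an actual check.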

@bb77 thanks for clarifying.

I didn’t know that each patch contains security updates. I was always relying on the security scanner which told me that everything is fine with A rating, security wise. So IMO this is quite serious to me - as @wwe also points out.
It would be good if the rating was up to date. If you agree, does this need a Git issue to get the security scanner being always up to date?

Let me be more precise: It can contain security fixes. If there are no known vulnerabilities, and there is nothing to fix in this regard, then of course the respective update won’t contain any security updates.

Honestly, I was always under the impression that the Security Check is more about checking whether your configuration is secure (web server configuration, SSL etc…), and I’m not sure if it’s even supposed to tell you about specific security vulnerabilities in Nextcloud itself. It would of course be good if that were the case, but I wouldn’t rely 100% on it, and would rather patch in a timely manner whenever possible, or at least read the release notes.

1 Like

Maybe I’m wrong but

sounds to me exactly like such feedback is intended…

Release notes often don’t include security-related stuff, to keep issues hidden as long as possible. In general, frequent updates are the way to go with every application (especially internet-facing ones). One can discuss “how fast”, but in general you should patch the software as fast as possible. Other factors like new bugs and instability of a new version might make you a little more conservative, but 6 months is definitely too long…

Personally, I would recommend you patch 1-2 weeks after each minor release… and move to the next major release 1-2 weeks after the x.1 release if you are “normal”, and maybe 2-3 weeks after the .2 release if you are conservative.

2 Likes

I’m a lazy, “never change a running system” admin :grin:
I want to spend as little time as possible and necessary on backup/upgrade/bug fixing, backup/upgrade/bug fixing… I think you get the point.
Maybe the text in the security scanner should be adjusted then, because it gives me the impression that I’m fine if I only check the scanner and update when I’m on a grade that is not green.
Anyway, I then have to rethink my update strategy.
Thanks all.

1 Like

Ah yes, there is a Vulnerabilities section that is supposed to show known vulnerabilities… Must have slipped my mind, it’s been a while since I used the check.

Yep, that’s about what I do, usually even a bit faster. Minor updates immediately, major updates usually after the first .point release.