3
0
Fork 0
forked from mirrors/nixpkgs
nixpkgs/pkgs/servers/nextcloud/default.nix
Maximilian Bosch 520b10453f
nextcloud: 19.0.4 -> 19.0.6, 20.0.1 -> 20.0.3, mark v19 as insecure
ChangeLogs:

* https://nextcloud.com/changelog/#20-0-3
* https://nextcloud.com/changelog/#19-0-6

For Nextcloud 20, security advisories for CVE-2020-8259[1] &
CVE-2020-8152[2] were published. The only way to fix those is to upgrade
to v20, although v19 and v18 are supported, the issue won't be fixed
there[3].

Even though both CVEs are only related to the encryption module[4] which
is turned off by default, I decided to add a vulnerability note to
`nextcloud19` since CVE-2020-8259's is rated as "High" by NIST (in
contrast to Nextcloud which rates it as "Low").

If one is not affected by the issue, `nextcloud19` can still be used by
declaring `permittedInsecurePackages`[5].

[1] https://nvd.nist.gov/vuln/detail/CVE-2020-8259,
    https://nextcloud.com/security/advisory/?id=NC-SA-2020-041
[2] https://nvd.nist.gov/vuln/detail/CVE-2020-8152,
    https://nextcloud.com/security/advisory/?id=NC-SA-2020-040
[3] https://help.nextcloud.com/t/fixes-for-cve-2020-8259-cve-2020-8152-in-nextcloud-18-19/98289
[4] https://docs.nextcloud.com/server/20/admin_manual/configuration_files/encryption_configuration.html
[5] https://nixos.org/manual/nixpkgs/stable/#sec-allow-insecure

Closes #106212
2020-12-11 12:39:57 +01:00

65 lines
1.8 KiB
Nix

{ stdenv, fetchurl, nixosTests }:
let
generic = {
version, sha256,
eol ? false, extraVulnerabilities ? []
}: stdenv.mkDerivation rec {
pname = "nextcloud";
inherit version;
src = fetchurl {
url = "https://download.nextcloud.com/server/releases/${pname}-${version}.tar.bz2";
inherit sha256;
};
passthru.tests = nixosTests.nextcloud;
installPhase = ''
mkdir -p $out/
cp -R . $out/
'';
meta = with stdenv.lib; {
description = "Sharing solution for files, calendars, contacts and more";
homepage = "https://nextcloud.com";
maintainers = with maintainers; [ schneefux bachp globin fpletz ma27 ];
license = licenses.agpl3Plus;
platforms = with platforms; unix;
knownVulnerabilities = extraVulnerabilities
++ (optional eol "Nextcloud version ${version} is EOL");
};
};
in {
nextcloud17 = throw ''
Nextcloud v17 has been removed from `nixpkgs` as the support for it will be dropped
by upstream within the lifetime of NixOS 20.09[1]. Please upgrade to Nextcloud v18 by
declaring
services.nextcloud.package = pkgs.nextcloud18;
in your NixOS config.
[1] https://docs.nextcloud.com/server/18/admin_manual/release_schedule.html
'';
nextcloud18 = generic {
version = "18.0.10";
sha256 = "0kv9mdn36shr98kh27969b8xs7pgczbyjklrfskxy9mph7bbzir6";
eol = true;
};
nextcloud19 = generic {
version = "19.0.6";
sha256 = "sha256-pqqIayE0OyTailtd2zeYi+G1APjv/YHqyO8jCpq7KJg=";
extraVulnerabilities = [
"Nextcloud 19 is still supported, but CVE-2020-8259 & CVE-2020-8152 are unfixed!"
];
};
nextcloud20 = generic {
version = "20.0.3";
sha256 = "sha256-4PZFBNM49k08Z3NX8AEs+LDtDcQuwI+Vi23E/3Dt8XU=";
};
}