[SECURITY] [DLA 4303-1] nextcloud-desktop security update

To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 4303-1] nextcloud-desktop security update
From: Abhijith PA <abhijith@debian.org>
Date: Thu, 18 Sep 2025 08:40:31 +0530
Message-id: <[🔎] aMt4J3MjuuqIQYzb@debian.org>
Mail-followup-to: debian-lts@lists.debian.org
Reply-to: debian-lts@lists.debian.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-4303-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                          Abhijith PA
September 18, 2025                            https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : nextcloud-desktop
Version        : 3.1.1-2+deb11u2
CVE ID         : CVE-2022-39331 CVE-2022-39332 CVE-2022-39333 CVE-2022-39334 
                 CVE-2023-28997

Multiple vulnerabilities were discovered in nextcloud-desktop,
nextcloud folder synchronization tool.

CVE-2022-39331

    An attacker can inject arbitrary HyperText Markup Language into
    the Desktop Client application in the notifications.

CVE-2022-39332

    An attacker can inject arbitrary HyperText Markup Language into
    the Desktop Client application via user status and information.

CVE-2022-39333

    An attacker can inject arbitrary HyperText Markup Language into
    the Desktop Client application.

CVE-2022-39334

    A CLI utility called nextcloudcmd which is sometimes used for
    automated scripting and headless servers would incorrectly trust
    invalid TLS certificates, which may enable a Man-in-the-middle
    attack that exposes sensitive data or credentials to a network
    attacker.

CVE-2023-28997

    A malicious server administrator can recover and modify the
    contents of end-to-end encrypted files.

For Debian 11 bullseye, these problems have been fixed in version
3.1.1-2+deb11u2.

For Debian 11 bullseye, these problems have been fixed in version
3.1.1-2+deb11u2.

We recommend that you upgrade your nextcloud-desktop packages.

For the detailed security status of nextcloud-desktop please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/nextcloud-desktop

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE7xPqJqaY/zX9fJAuhj1N8u2cKO8FAmjLeCcACgkQhj1N8u2c
KO9Egg/+KozU+OPvxstsop1Ginym6Km+JwJDCDVfW2cdCQ2CoJxixLstWoLFMizm
EBd4hmQiwYELwuljKPoy5STHUNCLVzHXspMYH7083fbpp4szc+W+jc29qHni0ZR9
zkGaq3dvYeIFJHOs+aEdvr8XzqXu7b4ZdqN6wBKEVa+s8qwpPvgI7KBgokIQo0NJ
uE+/QS/bvrY6+trCuXqc+uY4cLrZMSyAputNE36CXU9kGnQ1d3PDTTFP1z+uScNr
S3WA3nqrSO1V9ROvvcQ9SqqsvIqrm/TIrP7SvEr+QV9r7sPhKq77ui1UVaMpr71g
hNYfHfOSV5OeDTnWJYMJMDdxZNwVwcUBygE5aMqXmyxI0usblkbvxpJQqj1k37ii
Qg51U+2b4I9/f1u+YSTNNektyHoKSZaUb34wtIFDzWjlOEtogggo81nw6yDh4RZU
5nuwd6pZyXC1sxl9SEwLqikuIBTQGeclAaeMvvNpZdotiAs47QawXiGYCoCyTlwi
0Ctz1sngFbgeSGW9HFt+nYql9RP7BKazI/kcO76ZplXCbCKfQIkGlNX8at7+z01J
DL9cuidpE8b/u+KJvGKnACqp9f7vGrogivuHRkeFrwXjpsrfpuCBAiri1JvFZqX5
dNjQ1BUtmQruJDVxLyxb+gw1bFa42MiqFLvi6CmRYHYVevqJCOc=
=g0gG
-----END PGP SIGNATURE-----

Reply to:

Prev by Date: [SECURITY] [DLA 4301-1] python-django security update
Previous by thread: [SECURITY] [DLA 4301-1] python-django security update
Index(es):
- Date
- Thread