Repo-sync

nextcloud-releases · Jun 25, 2024 · a864ed2 · a864ed2
1 parent a233134
commit a864ed2
Show file tree

Hide file tree

Showing 6 changed files with 12 additions and 8 deletions.
diff --git a/Containers/clamav/Dockerfile b/Containers/clamav/Dockerfile
@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:latest
 # Probably from this file: https://github.com/Cisco-Talos/clamav-docker/blob/main/clamav/1.1/alpine/Dockerfile
-FROM clamav/clamav:1.3.1-54
+FROM clamav/clamav:1.3.1-57
 
 COPY clamav.conf /tmp/clamav.conf
 

diff --git a/Containers/nextcloud/Dockerfile b/Containers/nextcloud/Dockerfile
@@ -7,7 +7,7 @@ ENV PHP_MAX_TIME=3600
 ENV SOURCE_LOCATION=/usr/src/nextcloud
 
 # AIO settings start # Do not remove or change this line!
-ENV NEXTCLOUD_VERSION=29.0.2
+ENV NEXTCLOUD_VERSION=29.0.3
 ENV AIO_TOKEN=123456
 ENV AIO_URL=localhost
 # AIO settings end # Do not remove or change this line!

diff --git a/manual-install/latest.yml b/manual-install/latest.yml
@@ -219,6 +219,7 @@ services:
       - nextcloud-aio
     cap_add:
       - MKNOD
+      - SYS_ADMIN
     cap_drop:
       - NET_RAW
 

diff --git a/php/domain-validator.php b/php/domain-validator.php
@@ -2,11 +2,11 @@
 
 $domain = $_GET['domain'] ?? '';
 
-if (strpos($domain, '.') === false) { 
+if (!str_contains($domain, '.')) { 
     http_response_code(400); 
-} elseif (strpos($domain, '/') !== false) { 
+} elseif (str_contains($domain, '/')) { 
     http_response_code(400);  
-} elseif (strpos($domain, ':') !== false) { 
+} elseif (str_contains($domain, ':')) { 
     http_response_code(400);  
 } elseif (filter_var($domain, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME) === false) { 
     http_response_code(400); 

diff --git a/php/src/Data/ConfigurationManager.php b/php/src/Data/ConfigurationManager.php
@@ -271,17 +271,17 @@ public function SetTalkRecordingEnabledState(int $value) : void {
      */
     public function SetDomain(string $domain) : void {
         // Validate that at least one dot is contained
-        if (strpos($domain, '.') === false) {
+        if (!str_contains($domain, '.')) {
             throw new InvalidSettingConfigurationException("Domain must contain at least one dot!");
         }
 
         // Validate that no slashes are contained
-        if (strpos($domain, '/') !== false) {
+        if (str_contains($domain, '/')) {
             throw new InvalidSettingConfigurationException("Domain must not contain slashes!");
         }
 
         // Validate that no colons are contained
-        if (strpos($domain, ':') !== false) {
+        if (str_contains($domain, ':')) {
             throw new InvalidSettingConfigurationException("Domain must not contain colons!");
         }
 

diff --git a/readme.md b/readme.md
@@ -824,3 +824,6 @@ Afterwards apply the correct permissions with `sudo chown root:root /root/automa
 1. Open the cronjob with `sudo crontab -u root -e` (and choose your editor of choice if not already done. I'd recommend nano). 
 1. Add the following new line to the crontab if not already present: `0 5 * * * /root/automatic-updates.sh` which will run the script at 05:00 each day. 
 1. save and close the crontab (when using nano the shortcuts for this are `Ctrl + o` then `Enter` to save, and close the editor with `Ctrl + x`).
+
+### Securing the AIO interface from unauthorized ACME challenges
+[By design](https://github.com/nextcloud/all-in-one/discussions/4882#discussioncomment-9858384), Caddy that runs inside the mastercontainer, which handles automatic TLS certificate generation for the AIO interface, is vulnerable to receiving DNS challenges for arbitrary hostnames from anyone on the internet. While this does not compromise your server's security, it can result in cluttered logs and rejected certificate renewal attempts due to rate limit abuse. To mitigate this issue, it is recommended to place the AIO interface behind a VPN and/or limit its public exposure.