Affected Versions / Ability to by-pass second factor CVE-2024-37313

[juergen852]

The problem was filed 3 days ago.

• Server 29.xxx is not mentioned as affected, although 29.0.0 and later updates are already out months ago...
  Did you know about CVE-2024-37313 already for such a long time ago, that it was fixed when 29.0.0 was released months ago?
  Or did you forget to mention 29.0.0 as affected and 29.0.2 as patched?

• Server 28.0.0 is said to be affected, 28.0.4 is said to have the fix.
  But 28.0.6 has been out for weeks now.
  Again: Is only 28.0.4 safe and latest 28.0.6 is not?

[markuman]

Did you know about CVE-2024-37313 already for such a long time ago,

I'm not a nextcloud developer, but IMHO, yes. Critical CVE are always kept some time and published after some releases. So on publish date, most nextcloud servers who update frequently are already patched.
That's the way most software-release-cve-workflow works like.

that it was fixed when 29.0.0 was released months ago?

Thank good, it's open source and not microsoft here.
The fix was merged on 20th march: nextcloud/server#44276 and the 29.0.0 release was one mnoth later: https://github.com/nextcloud/server/releases/tag/v29.0.0
So yes, 29.0.0 was never affected.

[markuman]

Again: Is only 28.0.4 safe and latest 28.0.6 is not?

Patched versions
26.0.13, 27.1.8, 28.0.4

So 28.0.4 is safe, and every 28-release after 28.0.4 (like 28.0.6) is also safe.
Release date of 28.0.4 was march 28th. https://github.com/nextcloud/server/releases/tag/v28.0.4