
ocis

v8.0.4 Security

This release includes 6 security fixes for security teams reviewing exposed deployments.

Published 12d File Storage & Sync
✓ No known CVEs patched
This release patches 6 known CVEs

Topics

ocis reva

Affected surfaces

deps breaking_upgrade

ReleasePort's take

Light signal
editorial:auto 12d

Upgrade libvips to version 8.18.2 to fix a stack buffer overflow affecting all Docker images.

Why it matters: The overflow (severity 50) impacts every Docker image; upgrading resolves the vulnerability immediately.

Summary

AI summary

Updates Summary, Details, and Table of Contents across a mixed release.

Changes in this release

Security Medium

Upgrading libvips to 8.18.2 fixes a stack buffer overflow.

Source: llm_adapter@2026-05-22

Confidence: low

Security Medium

Bumping Go to 1.25.10 resolves multiple CVEs.

Source: llm_adapter@2026-05-22

Confidence: low

Bugfix Medium

SpaceEditorWithoutTrashbin roles now allow file editing correctly.


Source: llm_adapter@2026-05-22

Confidence: high

Full changelog

Table of Contents

Changes in 8.0.4

Summary

  • Security - Upgrade libvips to 8.18.2: #12301
  • Security - Bump Go to 1.25.10: #12306
  • Bugfix - SpaceEditorWithoutTrashbin roles now correctly allow file editing: #12346

Details

  • Security - Upgrade libvips to 8.18.2: #12301

    Bumped libvips to 8.18.2 in all Docker images to pick up the fix for a stack
    buffer overflow.

    https://github.com/owncloud/ocis/pull/12301

  • Security - Bump Go to 1.25.10: #12306

    Fixes CVE-2026-33811, CVE-2026-33814, CVE-2026-39820, CVE-2026-39836,
    CVE-2026-42499.

    https://github.com/owncloud/ocis/pull/12306

  • Bugfix - SpaceEditorWithoutTrashbin roles now correctly allow file editing: #12346

    Fixed a bug where the *WithoutTrashbin space editor roles were rendered as
    read-only in the Web frontend. The OCS PermissionWrite bit was not set for these
    roles because the RoleFromResourcePermissions round-trip required
    RestoreRecycleItem, which these roles intentionally omit.

    https://github.com/owncloud/ocis/pull/12346

Security Fixes

  • Go upgraded to 1.25.10 – fixes CVE-2026-33811, CVE-2026-33814, CVE-2026-39820, CVE-2026-39836, CVE-2026-42499
  • libvips bumped to 8.18.2 – resolves stack buffer overflow vulnerability


About ocis

ownCloud Infinite Scale Stack
