#2504 Rebase nextcloud package to 20.0.x in F32/F33
Closed: Rejected 3 years ago by zbyszek. Opened 3 years ago by lcts.

Nextcloud Server versions <= 19.0.x have two open CVEs, CVE-2020-8259 and CVE-2020-8252, which impact F32 (currently on nextcloud 18.0.10) and F33 (nextcloud 19.0.4).

The CVEs are related to how public keys are handled when server-side encryption of data is used. Detailed descriptions of the attack vectors are here and here, but in brief, if an attacker gains access to the folder where NC stores its data (regardless of whether that folder resides on the NC server or elsewhere) they can replace public keys used for encryption with their own, gaining access to any data that is modified going forward. This might go unnoticed for some time if the server has, and the attacker targets, rarely used keys like recovery keys.

Both CVEs are fixed in all versions of the 20.0.x branch, but upstream has decided not to backport the fix to their older-but-fully-supported 18.0.x/19.0.x releases, as the fix involves an extensive and - more importantly for us - irreversible change to how keys are handled by the server.

Impact of a rebase:
- Pro: Two known CVEs are fixed
- Con: Upstream judges them to be low impact
- Con: NC20 has a significantly different UI than previous versions; this is not an unobtrusive change
- Con: It is possible that user-installed extensions stop working because they are not compatible with NC20.
- Con: The upgrade to NC20 is irreversible due to changes in database formats and key handling

Mitigation w/o the rebase:
The package has modular streams of all supported NC branches, so if these vulnerabilities fall within a user's threat model they can switch from the normal package to the nextcloud-20/nextcloud-stable stream, but obviously that requires users being aware of the issues and seeking out the streams.

I'm inclined towards not rebasing, but since that would mean deliberately not fixing known CVEs, I think it's better if there is a policy decision on this.


Based on your description, I'd lean towards not rebasing too.

I wouldn't rebase either.

I agree, the Cons seem to outweigh the Pros.

I concur, don't rebase. If upstream doesn't consider it serious enough to release fixes for a supported release, it's not serious enough for us to make an exception to the Stable Updates Policy for it.

OK, thanks for the feedback. I'll keep the packages as-is then.

Let's close this then (as rejected, but without prejudice ;)).

Metadata Update from @zbyszek:
- Issue close_status updated to: Rejected
- Issue status updated to: Closed (was: Open)
