openSUSE Security Announce
Threads by month
- ----- 2024 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2005 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2004 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2003 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2002 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2001 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2000 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 1999 -----
- December
- November
- October
- September
- August
July 2021
- 2 participants
- 144 discussions
openSUSE-SU-2021:2439-1: moderate: Security update for curl
by opensuse-security@opensuse.org 21 Jul '21
by opensuse-security@opensuse.org 21 Jul '21
21 Jul '21
openSUSE Security Update: Security update for curl
______________________________________________________________________________
Announcement ID: openSUSE-SU-2021:2439-1
Rating: moderate
References: #1188217 #1188218 #1188219 #1188220
Cross-References: CVE-2021-22922 CVE-2021-22923 CVE-2021-22924
CVE-2021-22925
CVSS scores:
CVE-2021-22922 (SUSE): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
CVE-2021-22923 (SUSE): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CVE-2021-22924 (SUSE): 5.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
CVE-2021-22925 (SUSE): 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Affected Products:
openSUSE Leap 15.3
______________________________________________________________________________
An update that fixes four vulnerabilities is now available.
Description:
This update for curl fixes the following issues:
- CVE-2021-22925: TELNET stack contents disclosure again. (bsc#1188220)
- CVE-2021-22924: Bad connection reuse due to flawed path name checks.
(bsc#1188219)
- CVE-2021-22923: Insufficiently Protected Credentials. (bsc#1188218)
- CVE-2021-22922: Wrong content via metalink not discarded. (bsc#1188217)
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 15.3:
zypper in -t patch openSUSE-SLE-15.3-2021-2439=1
Package List:
- openSUSE Leap 15.3 (aarch64 ppc64le s390x x86_64):
curl-7.66.0-4.22.1
curl-debuginfo-7.66.0-4.22.1
curl-debugsource-7.66.0-4.22.1
libcurl-devel-7.66.0-4.22.1
libcurl4-7.66.0-4.22.1
libcurl4-debuginfo-7.66.0-4.22.1
- openSUSE Leap 15.3 (x86_64):
libcurl-devel-32bit-7.66.0-4.22.1
libcurl4-32bit-7.66.0-4.22.1
libcurl4-32bit-debuginfo-7.66.0-4.22.1
References:
https://www.suse.com/security/cve/CVE-2021-22922.html
https://www.suse.com/security/cve/CVE-2021-22923.html
https://www.suse.com/security/cve/CVE-2021-22924.html
https://www.suse.com/security/cve/CVE-2021-22925.html
https://bugzilla.suse.com/1188217
https://bugzilla.suse.com/1188218
https://bugzilla.suse.com/1188219
https://bugzilla.suse.com/1188220
1
0
openSUSE-SU-2021:1071-1: important: Security update for caribou
by opensuse-security@opensuse.org 21 Jul '21
by opensuse-security@opensuse.org 21 Jul '21
21 Jul '21
openSUSE Security Update: Security update for caribou
______________________________________________________________________________
Announcement ID: openSUSE-SU-2021:1071-1
Rating: important
References: #1186617 #1187112
Cross-References: CVE-2021-3567
CVSS scores:
CVE-2021-3567 (SUSE): 7.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected Products:
openSUSE Leap 15.2
______________________________________________________________________________
An update that solves one vulnerability and has one errata
is now available.
Description:
This update for caribou fixes the following issues:
Security issue fixed:
- CVE-2021-3567: Fixed a segfault when attempting to use shifted
characters (bsc#1186617).
This update was imported from the SUSE:SLE-15-SP2:Update update project.
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 15.2:
zypper in -t patch openSUSE-2021-1071=1
Package List:
- openSUSE Leap 15.2 (x86_64):
caribou-0.4.21-lp152.7.3.1
caribou-common-0.4.21-lp152.7.3.1
caribou-debuginfo-0.4.21-lp152.7.3.1
caribou-debugsource-0.4.21-lp152.7.3.1
caribou-devel-0.4.21-lp152.7.3.1
caribou-gtk-module-common-0.4.21-lp152.7.3.1
caribou-gtk2-module-0.4.21-lp152.7.3.1
caribou-gtk2-module-debuginfo-0.4.21-lp152.7.3.1
caribou-gtk3-module-0.4.21-lp152.7.3.1
caribou-gtk3-module-debuginfo-0.4.21-lp152.7.3.1
libcaribou0-0.4.21-lp152.7.3.1
libcaribou0-debuginfo-0.4.21-lp152.7.3.1
typelib-1_0-Caribou-1_0-0.4.21-lp152.7.3.1
- openSUSE Leap 15.2 (noarch):
caribou-lang-0.4.21-lp152.7.3.1
References:
https://www.suse.com/security/cve/CVE-2021-3567.html
https://bugzilla.suse.com/1186617
https://bugzilla.suse.com/1187112
1
0
openSUSE-SU-2021:2427-1: important: Security update for the Linux Kernel
by opensuse-security@opensuse.org 21 Jul '21
by opensuse-security@opensuse.org 21 Jul '21
21 Jul '21
openSUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________
Announcement ID: openSUSE-SU-2021:2427-1
Rating: important
References: #1153720 #1174978 #1179610 #1181193 #1185428
#1185701 #1185861 #1186463 #1186484 #1187038
#1187050 #1187215 #1187452 #1187554 #1187595
#1187601 #1188062 #1188116
Cross-References: CVE-2020-24588 CVE-2020-26558 CVE-2020-36385
CVE-2020-36386 CVE-2021-0129 CVE-2021-0512
CVE-2021-0605 CVE-2021-22555 CVE-2021-33200
CVE-2021-33624 CVE-2021-33909 CVE-2021-34693
CVE-2021-3609
CVSS scores:
CVE-2020-24588 (NVD) : 3.5 CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
CVE-2020-24588 (SUSE): 6.5 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CVE-2020-26558 (NVD) : 4.2 CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
CVE-2020-26558 (SUSE): 4.2 CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
CVE-2020-36385 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2020-36385 (SUSE): 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2020-36386 (NVD) : 7.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
CVE-2020-36386 (SUSE): 5.1 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
CVE-2021-0129 (NVD) : 5.7 CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVE-2021-0129 (SUSE): 6.4 CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
CVE-2021-0512 (SUSE): 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2021-0605 (NVD) : 4.4 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
CVE-2021-0605 (SUSE): 7.4 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2021-22555 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE-2021-22555 (SUSE): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE-2021-33200 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE-2021-33200 (SUSE): 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2021-33624 (NVD) : 4.7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
CVE-2021-33624 (SUSE): 5.1 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
CVE-2021-33909 (SUSE): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE-2021-34693 (SUSE): 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVE-2021-3609 (SUSE): 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected Products:
openSUSE Leap 15.3
______________________________________________________________________________
An update that solves 13 vulnerabilities and has 5 fixes is
now available.
Description:
The SUSE Linux Enterprise 15 SP3 kernel was updated to receive various
security and bugfixes.
The following security bugs were fixed:
- CVE-2021-22555: Fixed an heap out-of-bounds write in
net/netfilter/x_tables.c that could allow local provilege escalation.
(bsc#1188116)
- CVE-2021-33624: Fixed a bug which allows unprivileged BPF program to
leak the contents of arbitrary kernel memory (and therefore, of all
physical memory) via a side-channel. (bsc#1187554)
- CVE-2021-0605: Fixed an out-of-bounds read which could lead to local
information disclosure in the kernel with System execution privileges
needed. (bsc#1187601)
- CVE-2021-0512: Fixed a possible out-of-bounds write which could lead to
local escalation of privilege with no additional execution privileges
needed. (bsc#1187595)
- CVE-2020-26558: Fixed a flaw in the Bluetooth LE and BR/EDR secure
pairing that could permit a nearby man-in-the-middle attacker to
identify the Passkey used during pairing. (bnc#1179610)
- CVE-2021-34693: Fixed a bug in net/can/bcm.c which could allow local
users to obtain sensitive information from kernel stack memory because
parts of a data structure are uninitialized. (bsc#1187452)
- CVE-2021-0129: Fixed an improper access control in BlueZ that may have
allowed an authenticated user to potentially enable information
disclosure via adjacent access. (bnc#1186463)
- CVE-2020-36386: Fixed an out-of-bounds read in
hci_extended_inquiry_result_evt. (bsc#1187038)
- CVE-2020-24588: Fixed a bug that could allow an adversary to abuse
devices that support receiving non-SSP A-MSDU frames to inject arbitrary
network packets. (bsc#1185861 bsc#1185863)
- CVE-2021-33909: Fixed an out-of-bounds write in the filesystem layer
that allows to andobtain full root privileges. (bsc#1188062)
- CVE-2021-3609: Fixed a race condition in the CAN BCM networking protocol
which allows for local privilege escalation. (bsc#1187215)
- CVE-2020-36385: Fixed a use-after-free flaw in ucma.c which allows for
local privilege escalation. (bsc#1187050)
- CVE-2021-33200: Fix leakage of uninitialized bpf stack under
speculation. (bsc#1186484)
The following non-security bugs were fixed:
- af_packet: fix the tx skb protocol in raw sockets with ETH_P_ALL
(bsc#1176081).
- kabi: preserve struct header_ops after bsc#1176081 fix (bsc#1176081).
- net: Do not set transport offset to invalid value (bsc#1176081).
- net: Introduce parse_protocol header_ops callback (bsc#1176081).
- net/ethernet: Add parse_protocol header_ops support (bsc#1176081).
- net/mlx5e: Remove the wrong assumption about transport offset
(bsc#1176081).
- net/mlx5e: Trust kernel regarding transport offset (bsc#1176081).
- net/packet: Ask driver for protocol if not provided by user
(bsc#1176081).
- net/packet: Remove redundant skb->protocol set (bsc#1176081).
- resource: Fix find_next_iomem_res() iteration issue (bsc#1181193).
- scsi: scsi_dh_alua: Retry RTPG on a different path after failure
(bsc#1174978 bsc#1185701).
- SUNRPC in case of backlog, hand free slots directly to waiting task
(bsc#1185428).
- SUNRPC: More fixes for backlog congestion (bsc#1185428).
- x86/crash: Add e820 reserved ranges to kdump kernel's e820 table
(bsc#1181193).
- x86/debug: Extend the lower bound of crash kernel low reservations
(bsc#1153720).
- x86/e820, ioport: Add a new I/O resource descriptor IORES_DESC_RESERVED
(bsc#1181193).
- x86/mm: Rework ioremap resource mapping determination (bsc#1181193).
Special Instructions and Notes:
Please reboot the system after installing this update.
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 15.3:
zypper in -t patch openSUSE-SLE-15.3-2021-2427=1
Package List:
- openSUSE Leap 15.3 (aarch64 ppc64le s390x x86_64):
kernel-default-base-debuginfo-4.12.14-197.99.1
kernel-vanilla-4.12.14-197.99.1
kernel-vanilla-base-4.12.14-197.99.1
kernel-vanilla-base-debuginfo-4.12.14-197.99.1
kernel-vanilla-debuginfo-4.12.14-197.99.1
kernel-vanilla-debugsource-4.12.14-197.99.1
kernel-vanilla-devel-4.12.14-197.99.1
kernel-vanilla-devel-debuginfo-4.12.14-197.99.1
kernel-vanilla-livepatch-devel-4.12.14-197.99.1
- openSUSE Leap 15.3 (ppc64le x86_64):
kernel-debug-base-4.12.14-197.99.1
kernel-debug-base-debuginfo-4.12.14-197.99.1
- openSUSE Leap 15.3 (x86_64):
kernel-kvmsmall-base-4.12.14-197.99.1
kernel-kvmsmall-base-debuginfo-4.12.14-197.99.1
- openSUSE Leap 15.3 (s390x):
kernel-default-man-4.12.14-197.99.1
kernel-zfcpdump-man-4.12.14-197.99.1
References:
https://www.suse.com/security/cve/CVE-2020-24588.html
https://www.suse.com/security/cve/CVE-2020-26558.html
https://www.suse.com/security/cve/CVE-2020-36385.html
https://www.suse.com/security/cve/CVE-2020-36386.html
https://www.suse.com/security/cve/CVE-2021-0129.html
https://www.suse.com/security/cve/CVE-2021-0512.html
https://www.suse.com/security/cve/CVE-2021-0605.html
https://www.suse.com/security/cve/CVE-2021-22555.html
https://www.suse.com/security/cve/CVE-2021-33200.html
https://www.suse.com/security/cve/CVE-2021-33624.html
https://www.suse.com/security/cve/CVE-2021-33909.html
https://www.suse.com/security/cve/CVE-2021-34693.html
https://www.suse.com/security/cve/CVE-2021-3609.html
https://bugzilla.suse.com/1153720
https://bugzilla.suse.com/1174978
https://bugzilla.suse.com/1179610
https://bugzilla.suse.com/1181193
https://bugzilla.suse.com/1185428
https://bugzilla.suse.com/1185701
https://bugzilla.suse.com/1185861
https://bugzilla.suse.com/1186463
https://bugzilla.suse.com/1186484
https://bugzilla.suse.com/1187038
https://bugzilla.suse.com/1187050
https://bugzilla.suse.com/1187215
https://bugzilla.suse.com/1187452
https://bugzilla.suse.com/1187554
https://bugzilla.suse.com/1187595
https://bugzilla.suse.com/1187601
https://bugzilla.suse.com/1188062
https://bugzilla.suse.com/1188116
1
0
openSUSE-SU-2021:2435-1: moderate: Security update for crmsh
by opensuse-security@opensuse.org 21 Jul '21
by opensuse-security@opensuse.org 21 Jul '21
21 Jul '21
openSUSE Security Update: Security update for crmsh
______________________________________________________________________________
Announcement ID: openSUSE-SU-2021:2435-1
Rating: moderate
References: #1163460 #1175982 #1179999 #1184465 #1185423
#1187553 SLE-17979
Cross-References: CVE-2020-35459
CVSS scores:
CVE-2020-35459 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE-2020-35459 (SUSE): 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Products:
openSUSE Leap 15.3
______________________________________________________________________________
An update that solves one vulnerability, contains one
feature and has 5 fixes is now available.
Description:
This update for crmsh fixes the following issues:
Update to version 4.3.1+20210624.67223df2:
- Fix: ocfs2: Skip verifying UUID for ocfs2 device on top of raid or lvm
on the join node (bsc#1187553)
- Fix: history: use Path.mkdir instead of mkdir command(bsc#1179999,
CVE-2020-35459)
- Dev: crash_test: Add big warnings to have users' attention to potential
failover(jsc#SLE-17979)
- Dev: crash_test: rename preflight_check as crash_test(jsc#SLE-17979)
- Fix: bootstrap: update sbd watchdog timeout when using diskless SBD with
qdevice(bsc#1184465)
- Dev: utils: allow configure link-local ipv6 address(bsc#1163460)
- Fix: parse: shouldn't allow property setting with an empty
value(bsc#1185423)
- Fix: help: show help message from argparse(bsc#1175982)
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 15.3:
zypper in -t patch openSUSE-SLE-15.3-2021-2435=1
Package List:
- openSUSE Leap 15.3 (noarch):
crmsh-4.3.1+20210702.4e0ee8fb-5.59.1
crmsh-scripts-4.3.1+20210702.4e0ee8fb-5.59.1
crmsh-test-4.3.1+20210702.4e0ee8fb-5.59.1
References:
https://www.suse.com/security/cve/CVE-2020-35459.html
https://bugzilla.suse.com/1163460
https://bugzilla.suse.com/1175982
https://bugzilla.suse.com/1179999
https://bugzilla.suse.com/1184465
https://bugzilla.suse.com/1185423
https://bugzilla.suse.com/1187553
1
0
openSUSE-SU-2021:1070-1: important: Security update for fossil
by opensuse-security@opensuse.org 21 Jul '21
by opensuse-security@opensuse.org 21 Jul '21
21 Jul '21
openSUSE Security Update: Security update for fossil
______________________________________________________________________________
Announcement ID: openSUSE-SU-2021:1070-1
Rating: important
References: #1047218 #1175760
Cross-References: CVE-2020-24614
CVSS scores:
CVE-2020-24614 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected Products:
openSUSE Backports SLE-15-SP2
______________________________________________________________________________
An update that solves one vulnerability and has one errata
is now available.
Description:
This update for fossil fixes the following issues:
- fossil 2.12.1:
* CVE-2020-24614: Remote authenticated users with check-in or
administrative privileges could have executed arbitrary code
[boo#1175760]
* Security fix in the "fossil git export" command. New "safety-net"
features were added to prevent similar problems in the future.
* Enhancements to the graph display for cases when there are many
cherry-pick merges into a single check-in. Example
* Enhance the fossil open command with the new --workdir option and the
ability to accept a URL as the repository name, causing the remote
repository to be cloned automatically. Do not allow "fossil open" to
open in a non-empty working directory unless the --keep option or the
new --force option is used.
* Enhance the markdown formatter to more closely follow the CommonMark
specification with regard to text highlighting. Underscores in the
middle of identifiers (ex: fossil_printf()) no longer need to be
escaped.
* The markdown-to-html translator can prevent unsafe HTML (for example:
<script>) on user-contributed pages like forum and tickets and wiki.
The admin can adjust this behavior using the safe-html setting on the
Admin/Wiki page. The default is to disallow unsafe HTML everywhere.
* Added the "collapse" and "expand" capability for long forum posts.
* The "fossil remote" command now has options for specifying multiple
persistent remotes with symbolic names. Currently
only one remote can be used at a time, but that might change in the
future.
* Add the "Remember me?" checkbox on the login page. Use a session
cookie for the login if it is not checked.
* Added the experimental "fossil hook" command for managing "hook
scripts" that run before checkin or after a push.
* Enhance the fossil revert command so that it is able to revert all
files beneath a directory.
* Add the fossil bisect skip command.
* Add the fossil backup command.
* Enhance fossil bisect ui so that it shows all unchecked check-ins in
between the innermost "good" and "bad" check-ins.
* Added the --reset flag to the "fossil add", "fossil rm", and "fossil
addremove" commands.
* Added the "--min N" and "--logfile FILENAME" flags to the backoffice
command, as well as other enhancements to make the backoffice command
a viable replacement for automatic backoffice. Other incremental
backoffice improvements.
* Added the /fileedit page, which allows editing of text files
online. Requires explicit activation by a setup user.
* Translate built-in help text into HTML for display on web pages.
* On the /timeline webpage, the combination of query parameters
"p=CHECKIN" and "bt=ANCESTOR" draws all ancestors of CHECKIN going
back to ANCESTOR.
* Update the built-in SQLite so that the "fossil sql" command supports
new output modes ".mode box" and ".mode json".
* Add the "obscure()" SQL function to the "fossil sql" command.
* Added virtual tables "helptext" and "builtin" to the "fossil sql"
command, providing access to the dispatch table including all help
text, and the builtin data files, respectively.
* Delta compression is now applied to forum edits.
* The wiki editor has been modernized and is now Ajax-based.
- Package the fossil.1 manual page.
- fossil 2.11.1:
* Make the "fossil git export" command more restrictive about characters
that it allows in the tag names
- Add fossil-2.11-reproducible.patch to override build date (boo#1047218)
This update was imported from the openSUSE:Leap:15.2:Update update project.
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Backports SLE-15-SP2:
zypper in -t patch openSUSE-2021-1070=1
Package List:
- openSUSE Backports SLE-15-SP2 (aarch64 ppc64le s390x x86_64):
fossil-2.12.1-bp152.2.9.1
References:
https://www.suse.com/security/cve/CVE-2020-24614.html
https://bugzilla.suse.com/1047218
https://bugzilla.suse.com/1175760
1
0
openSUSE-SU-2021:1069-1: moderate: Security update for icinga2
by opensuse-security@opensuse.org 21 Jul '21
by opensuse-security@opensuse.org 21 Jul '21
21 Jul '21
openSUSE Security Update: Security update for icinga2
______________________________________________________________________________
Announcement ID: openSUSE-SU-2021:1069-1
Rating: moderate
References: #1180147
Cross-References: CVE-2020-29663
CVSS scores:
CVE-2020-29663 (NVD) : 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CVE-2020-29663 (SUSE): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Affected Products:
openSUSE Backports SLE-15-SP3
______________________________________________________________________________
An update that fixes one vulnerability is now available.
Description:
This update for icinga2 fixes the following issues:
Update to 2.12.4
* Bugfixes
- Fix a crash when notification objects are deleted using the API #8782
- Fix crashes that might occur during downtime scheduling if host or
downtime objects are deleted using the API #8785
- Fix an issue where notifications may incorrectly be skipped after a
downtime ends #8775
- Don't send reminder notification if the notification is still
suppressed by a time period #8808
- Fix an issue where attempting to create a duplicate object using the
API might result in the original object being deleted #8787
- IDO: prioritize program status updates #8809
- Improve exceptions handling, including a fix for an uncaught
exception on Windows #8777
- Retry file rename operations on Windows to avoid intermittent
locking issues #8771
* Enhancements
- Support Boost 1.74 (Ubuntu 21.04, Fedora 34) #8792
Update to 2.12.3
* Security
- Fix that revoked certificates due for renewal will automatically be
renewed ignoring the CRL (Advisory / CVE-2020-29663 - fixes
boo#1180147 )
* Bugfixes
- Improve config sync locking - resolves high load issues on Windows
#8511
- Fix runtime config updates being ignored for objects without zone
#8549
- Use proper buffer size for OpenSSL error messages #8542
* Enhancements
- On checkable recovery: re-check children that have a problem #8506
Update to 2.12.2
* Bugfixes
- Fix a connection leak with misconfigured agents #8483
- Properly sync changes of config objects in global zones done via the
API #8474 #8470
- Prevent other clients from being disconnected when replaying the
cluster log takes very long #8496
- Avoid duplicate connections between endpoints #8465
- Ignore incoming config object updates for unknown zones #8461
- Check timestamps before removing files in config sync #8495
* Enhancements
- Include HTTP status codes in log #8467
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Backports SLE-15-SP3:
zypper in -t patch openSUSE-2021-1069=1
Package List:
- openSUSE Backports SLE-15-SP3 (aarch64 ppc64le x86_64):
icinga2-2.12.4-bp153.2.3.1
icinga2-bin-2.12.4-bp153.2.3.1
icinga2-common-2.12.4-bp153.2.3.1
icinga2-doc-2.12.4-bp153.2.3.1
icinga2-ido-mysql-2.12.4-bp153.2.3.1
icinga2-ido-pgsql-2.12.4-bp153.2.3.1
nano-icinga2-2.12.4-bp153.2.3.1
vim-icinga2-2.12.4-bp153.2.3.1
References:
https://www.suse.com/security/cve/CVE-2020-29663.html
https://bugzilla.suse.com/1180147
1
0
openSUSE-SU-2021:1068-1: important: Security update for nextcloud
by opensuse-security@opensuse.org 21 Jul '21
by opensuse-security@opensuse.org 21 Jul '21
21 Jul '21
openSUSE Security Update: Security update for nextcloud
______________________________________________________________________________
Announcement ID: openSUSE-SU-2021:1068-1
Rating: important
References: #1181445 #1181803 #1181804 #1188247 #1188248
#1188249 #1188250 #1188251 #1188252 #1188253
#1188254 #1188255 #1188256
Cross-References: CVE-2020-8293 CVE-2020-8294 CVE-2020-8295
CVE-2021-32678 CVE-2021-32679 CVE-2021-32680
CVE-2021-32688 CVE-2021-32703 CVE-2021-32705
CVE-2021-32725 CVE-2021-32726 CVE-2021-32734
CVE-2021-32741
CVSS scores:
CVE-2020-8293 (NVD) : 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CVE-2020-8294 (NVD) : 5.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CVE-2021-32680 (NVD) : 3.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
CVE-2021-32688 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected Products:
openSUSE Leap 15.2
openSUSE Backports SLE-15-SP3
openSUSE Backports SLE-15-SP2
openSUSE Backports SLE-15-SP1
SUSE Package Hub for SUSE Linux Enterprise 12
______________________________________________________________________________
An update that fixes 13 vulnerabilities is now available.
Description:
This update for nextcloud fixes the following issues:
nextcloud was updated to 20.0.11:
- Fix boo#1188247 - CVE-2021-32678: OCS API response ratelimits are not
applied
- Fix boo#1188248 - CVE-2021-32679: filenames where not escaped by default
in controllers using DownloadResponse
- Fix boo#1188249 - CVE-2021-32680: share expiration date wasn't properly
logged
- Fix boo#1188250 - CVE-2021-32688: lacking permission check with
application specific tokens
- Fix boo#1188251 - CVE-2021-32703: lack of ratelimiting on the shareinfo
endpoint
- Fix boo#1188252 - CVE-2021-32705: lack of ratelimiting on the public DAV
endpoint
- Fix boo#1188253 - CVE-2021-32725: default share permissions were not
being respected for federated reshares of files and folders
- Fix boo#1188254 - CVE-2021-32726: webauthn tokens were not deleted after
a user has been deleted
- Fix boo#1188255 - CVE-2021-32734: possible full path disclosure on
shared files
- Fix boo#1188256 - CVE-2021-32741: lack of ratelimiting on the public
share link mount endpoint
- Bump handlebars from 4.7.6 to 4.7.7 (server#26900)
- Bump lodash from 4.17.20 to 4.17.21 (server#26909)
- Bump hosted-git-info from 2.8.8 to 2.8.9 (server#26920)
- Don't break OCC if an app is breaking in it's Application class
(server#26954)
- Add bruteforce protection to the shareinfo endpoint (server#26956)
- Ignore readonly flag for directories (server#26965)
- Throttle MountPublicLinkController when share is not found (server#26971)
- Respect default share permissions for federated reshares (server#27001)
- Harden apptoken check (server#27014)
- Use parent wrapper to properly handle moves on the same source/target
storage (server#27016)
- Fix error when using CORS with no auth credentials (server#27027)
- Fix return value of getStorageInfo when 'quota_include_external_storage'
is enabled (server#27108)
- Bump patch dependencies (server#27183)
- Use noreply@ as email address for share emails (server#27209)
- Bump p-queue from 6.6.1 to 6.6.2 (server#27226)
- Bump browserslist from 4.14.0 to 4.16.6 (server#27247)
- Bump webpack from 4.44.1 to 4.44.2 (server#27297)
- Properly use limit and offset for search in Jail wrapper (server#27308)
- Make user:report command scale (server#27319)
- Properly log expiration date removal in audit log (server#27325)
- Propagate throttling on OCS response (server#27337)
- Set umask before operations that create local files (server#27349)
- Escape filename in Content-Disposition (server#27360)
- Don't update statuses to offline again and again (server#27412)
- Header must contain a colon (server#27456)
- Activate constraint check for oracle / pqsql also for 20 (server#27523)
- Only allow removing existing shares that would not be allowed due to
reshare restrictions (server#27552)
- Bump ws from 7.3.1 to 7.5.0 (server#27570)
- Properly cleanup entries of WebAuthn on user deletion (server#27596)
- Throttle on public DAV endpoint (server#27617)
- Bump vue-loader from 15.9.3 to 15.9.7 (server#27639)
- Bump eslint-plugin-standard from 4.0.1 to 4.0.2 (server#27651)
- Validate the theming color also on CLI (server#27680)
- Downstream encryption:fix-encrypted-version for repairing bad signature
errors (server#27728)
- Remove encodeURI code (files_pdfviewer#396)
- Only ask for permissions on HTTPS (notifications#998)
- Fix sorting if one of the file name is only composed with number
(photos#785)
- Backport 20 fix Photos not shown in large browser windows #630 (#686)
(photos#810)
- Update File.vue (photos#813)
- Update chart.js (serverinfo#309)
- Only return workspace property for top node in a propfind request
(text#1611)
- ViewerComponent: pass on autofocus to EditorWrapper (text#1647)
- Use text/plain as content type for fetching the document (text#1692)
- Log exceptions that happen on unknown exception and return generic
messages (text#1698)
- Add fixup (viewer#924)
- Fix: fullscreen for Firefox (viewer#929)
Update to 20.0.7
- Catch NotFoundException when querying quota (server#25315)
- CalDAV] Validate notified emails (server#25324)
- Fix/app fetcher php compat comparison (server#25347)
- Show the actual error on share requests (server#25352)
- Fix parameter provided as string not array (server#25366)
- The objectid is a string (server#25374)
- 20.0.7 final (server#25387)
- Properly handle SMB ACL blocking scanning a directory (server#25421)
- Don't break completely when creating the digest fail for one user
(activity#556)
- Only attempt to use a secure view if hide download is actually set
(files_pdfviewer#296)
- Fix opening PDF files with special characters in their name
(files_pdfviewer#298)
- Fix PDF viewer failing on Edge (not based on Chromium)
(files_pdfviewer#299)
- Cannot unfold plain text notifications (notifications#846)
- Remove EPUB mimetype (text#1391)
Update to 20.0.6
- Make sure to do priority app upgrades first (server#25077)
- Respect DB restrictions on number of arguments in statements and queries
(server#25120)
- Add a hint about the direction of priority (server#25143)
- Do not redirect to logout after login (server#25146)
- Fix comparison of PHP versions (server#25152)
- Add "composer.lock" for acceptance tests to git (server#25178)
- Update CRL due to revoked gravatar.crl (server#25190)
- Don't log keys on checkSignature (server#25193)
- Update 3rdparty after Archive_Tar (server#25199)
- Bump CA bundle (server#25219)
- Update handling of user credentials (server#25225)
- Fix encoding issue with OC.Notification.show (server#25244)
- Also use storage copy when dav copying directories (server#25261)
- Silence log message (server#25263)
- Extend ILDAPProvider to allow reading arbitrairy ldap attributes for
users (server#25276)
- Do not obtain userFolder of a federated user (server#25278)
- Bump pear/archive_tar from 1.4.11 to 1.4.12 (3rdparty#603)
- Add gitignore entry for .github folder of dependencies (3rdparty#604)
- Clear event array on getting them (activity#551)
Update to 20.0.5
- Don't log params of imagecreatefromstring (server#24546)
- Use storage copy implementation when doing dav copy (server#24590)
- Use in objectstore copy (server#24592)
- Add tel, note, org and title search (server#24697)
- Check php compatibility of app store app releases (server#24698)
- Fix #24682]: ensure federation cloud id is retruned if FN property not
found (server#24709)
- Do not include non-required scripts on the upgrade page (server#24714)
- LDAP: fix inGroup for memberUid type of group memberships (server#24716)
- Cancel user search requests to avoid duplicate results being added
(server#24728)
- Also unset the other possible unused paramters (server#24751)
- Enables the file name check also to match name of mountpoints
(server#24760)
- Fixes sharing to group ids with characters that are being url encoded
(server#24763)
- Limit getIncomplete query to one row (server#24791)
- Fix Argon2 descriptions (server#24792)
- Actually set the TTL on redis set (server#24798)
- Allow to force rename a conflicting calendar (server#24806)
- Fix IPv6 localhost regex (server#24823)
- Catch the error on heartbeat update (server#24826)
- Make oc_files_trash.auto_id a bigint (server#24853)
- Fix total upload size overwritten by next upload (server#24854)
- Avoid huge exception argument logging (server#24876)
- Make share results distinguishable if there are more than one with the
exact same display name (server#24878)
- Add migration for oc_share_external columns (server#24963)
- Don't throw a 500 when importing a broken ics reminder file
(server#24972)
- Fix unreliable ViewTest (server#24976)
- Update root.crl due to revocation of transmission.crt (server#24990)
- Set the JSCombiner cache if needed (server#24997)
- Fix column name to check prior to deleting (server#25009)
- Catch throwable instead of exception (server#25013)
- Set the user language when adding the footer (server#25019)
- Change defaultapp in config.sample.php to dashboard to improve docs and
align it to source code (server#25030)
- Fix clearing the label of a share (server#25035)
- Update psalm-baseline.xml (server#25066)
- Don't remove assignable column for now (server#25074)
- Add setup check to verify that the used DB version is still supported���
(server#25076)
- Correctly set the user for activity parsing when preparing a notifica���
(activity#542)
- Bump vue-virtual-grid from 2.2.1 to 2.3.0 (photos#597)
- Catch possible database exceptions when fetching document data
(text#1221)
- Make sure we have the proper PHP version installed before running
composer (text#1234)
- Revert removal of transformResponse (text#1235)
- Bump prosemirror-view from 1.16.1 to 1.16.5 (text#1255)
- Bump @babel/preset-env from 7.12.1 to 7.12.11 (text#1257)
- Bump babel-loader from 8.1.0 to 8.2.2 (text#1259)
- Bump eslint-plugin-standard from 4.0.2 to 4.1.0 (text#1261)
- Bump vue-loader from 15.9.5 to 15.9.6 (text#1263)
- Bump prosemirror-model from 1.12.0 to 1.13.1 (text#1265)
- Bump core-js from 3.7.0 to 3.8.1 (text#1266)
- Bump stylelint from 13.7.2 to 13.8.0 (text#1269)
- Bump @babel/plugin-transform-runtime from 7.12.1 to 7.12.10 (text#1271)
- Bump sass-loader from 10.0.5 to 10.1.0 (text#1273)
- Bump webpack-merge from 5.3.0 to 5.7.2 (text#1274)
- Bump @babel/core from 7.12.3 to 7.12.10 (text#1277)
- Bump cypress from 5.1.0 to 5.6.0 (text#1278)
- Bump @vue/test-utils from 1.1.1 to 1.1.2 (text#1279)
- Bump webpack-merge from 5.7.2 to 5.7.3 (text#1303)
- The apache subpackage must require the main package, otherwise it will
not be uninstalled when the main package is uninstalled.
Update to 20.0.4
- Avoid dashboard crash when accessibility app is not installed
(server#24636)
- Bump ini from 1.3.5 to 1.3.7 (server#24649)
- Handle owncloud migration to latest release (server#24653)
- Use string for storing a OCM remote id (server#24654)
- Fix MySQL database size calculation (serverinfo#262)
- Bump cypress-io/github-action@v2 (viewer#722)
- Fix] sidebar opening animation (viewer#723)
- Fix not.exist cypress and TESTING checks (viewer#725)
- Put apache configuration files in separate subpackage.
- Use apache-rpm-macros for SUSE.
- Change oc_* macros to nc_* macros.
- Insert macro apache_serverroot also in cron files.
Update to 20.0.3
* Check quota of subdirectories when uploading to them (server#24181)
* CircleId too short in some request (server#24196)
* Missing level in ScopedPsrLogger (server#24212)
* Fix nextcloud logo in email notifications misalignment (server#24228)
* Allow selecting multiple columns with SELECT DISTINCT (server#24230)
* Use file name instead of path in 'not allowed to share' message
(server#24231)
* Fix setting images through occ for theming (server#24232)
* Use regex when searching on single file shares (server#24239)
* Harden EncryptionLegacyCipher a bit (server#24249)
* Update ScanLegacyFormat.php (server#24258)
* Simple typo in comments (server#24259)
* Use correct year for generated birthdays events (server#24263)
* Delete files that exceed trashbin size immediately (server#24297)
* Update sabre/xml to fix XML parsing errors (server#24311)
* Only check path for being accessible when the storage is a object home
(server#24325)
* Avoid empty null default with value that will be inserted anyways
(server#24333)
* Fix contacts menu position and show uid as a tooltip (server#24342)
* Fix the config key on the sharing expire checkbox (server#24346)
* Set the display name of federated sharees from addressbook (server#24353)
* Catch storage not available in versions expire command (server#24367)
* Use proper bundles for files client and fileinfo (server#24377)
* Properly encode path when fetching inherited shares (server#24387)
* Formatting remote sharer should take protocol, path into account
(server#24391)
* Make sure we add new line between vcf groups exports (server#24443)
* Fix public calendars shared to circles (server#24446)
* Store scss variables under a different prefix for each theming config
version (server#24453)
* External storages: save group ids not display names in configuration
(server#24455)
* Use correct l10n source in files_sharing JS code (server#24462)
* Set frame-ancestors to none if none are filled (server#24477)
* Move the password fiels of chaging passwords to post (server#24478)
* Move the global password for files external to post (server#24479)
* Only attempt to move to trash if a file is not in appdata (server#24483)
* Fix loading mtime of new file in conflict dialog in firefox
(server#24491)
* Harden setup check for TLS version if host is not reachable
(server#24502)
* Fix file size computation on 32bit platforms (server#24509)
* Allow subscription to indicate that a userlimit is reached (server#24511)
* Set mountid for personal external storage mounts (server#24513)
* Only execute plain mimetype check for directories and do the fallback���
(server#24517)
* Fix vsprint parameter (server#24527)
* Replace abandoned log normalizer with our fork (server#24530)
* Add icon to user limit notification (server#24531)
* Also run repair steps when encryption is disabled but a legacy key is
present (server#24532)
* [3rdparty][security] Archive TAR to 1.4.11 (server#24534)
* Generate a new session id if the decrypting the session data fails
(server#24553)
* Revert "Do not read certificate bundle from data dir by default"
(server#24556)
* Dont use system composer for autoload checker (server#24557)
* Remember me is not an app_password (server#24563)
* Do not load nonexisting setup.js (server#24582)
* Update sabre/xml to fix XML parsing errors (3rdparty#529)
* Use composer v1 on CI (3rdparty#532)
* Bump pear/archive_tar from 1.4.9 to 1.4.11 (3rdparty#536)
* Replace abandoned log normalizer with our fork (3rdparty#543)
* Allow nullable values as subject params (activity#535)
* Don't log when unknown array is null (notifications#803)
* Feat/virtual grid (photos#550)
* Make sure we have a string to localecompare to (photos#583)
* Always get recommendations for dashboard if enabled (recommendations#336)
* Properly fetch oracle database information (serverinfo#258)
* Also register to urlChanged event to update RichWorkspace (text#1181)
* Move away from GET (text#1214)
Update to 20.0.2
* CVE-2020-8293: Fixed input validation which allowed users to store
unlimited data in workflow rules (boo#1181445).
* CVE-2020-8294: Fixed a missing link validation (boo#1181803).
* Inidicate preview availability in share api responses (server#23419)
* CalDavBackend: check if timerange is array before accessing
(server#23563)
* Some emojis are in CHAR_CATEGORY_GENERAL_OTHER_TYPES (server#23575)
* Also expire share type email (server#23583)
* Only use index of mount point when it is there (server#23611)
* Only retry fetching app store data once every 5 minutes in case it fails
(server#23633)
* Bring back the restore share button (server#23636)
* Fix updates of NULL appconfig values (server#23641)
* Fix sharing input placeholder for emails (server#23646)
* Use bigint for fileid in filecache_extended (server#23690)
* Enable theming background transparency (server#23699)
* Fix sharer flag on ldap:show-remnants when user owned more than a single
share (server#23702)
* Make sure the function signatures of the backgroundjob match
(server#23710)
* Check if array elements exist before using them (server#23713)
* Fix default quota display value in user row (server#23726)
* Use lib instead if core as l10n module in OC_Files (server#23727)
* Specify accept argument to avatar upload input field (server#23732)
* Save email as lower case (server#23733)
* Reset avatar cropper before showing (server#23736)
* Also run the SabreAuthInitEvent for the main server (server#23745)
* Type the \OCP\IUserManager::callForAllUsers closure with Psalm
(server#23749)
* Type the \OCP\AppFramework\Services\IInitialState::provideLazyInitial���
(server#23751)
* Don't overwrite the event if we use it later (server#23753)
* Inform the user when flow config data exceeds thresholds (server#23759)
* Type the \OCP\IUserManager::callForSeenUsers closure with Psalm
(server#23763)
* Catch errors when closing file conflict dialog (server#23774)
* Document the backend registered events of LDAP (server#23779)
* Fetch the logger and system config once for all query builder instances
(server#23787)
* Type the event dispatcher listener callables with Psalm (server#23789)
* Only run phpunit when "php" changed (server#23794)
* Remove bold font-weight and lower font-size for empty search box
(server#23829)
* No need to check if there is an avatar available, because it is gener���
(server#23846)
* Ensure filepicker list is empty before populating (server#23850)
* UserStatus: clear status message if message is null (server#23858)
* Fix grid view toggle in tags view (server#23874)
* Restrict query when searching for versions of trashbin files
(server#23884)
* Fix potentially passing null to events where IUser is expected
(server#23894)
* Make user status styles scoped (server#23899)
* Move help to separate stylesheet (server#23900)
* Add default font size (server#23902)
* Do not emit UserCreatedEvent twice (server#23917)
* Bearer must be in the start of the auth header (server#23924)
* Fix casting of integer and boolean on Oracle (server#23935)
* Skip already loaded apps in loadApps (server#23948)
* Fix repair mimetype step to not leave stray cursors (server#23950)
* Improve query type detection (server#23951)
* Fix iLike() falsely turning escaped % and _ into wildcards (server#23954)
* Replace some usages of OC_DB in OC\Share\* with query builder
(server#23955)
* Use query builder instead of OC_DB in trashbin (server#23971)
* Fix greatest/least order for oracle (server#23975)
* Fix link share label placeholder not showing (server#23992)
* Unlock when promoting to exclusive lock fails (server#23995)
* Make sure root storage is valid before checking its size (server#23996)
* Use query builder instead of OC_DB in OC\Files\* (server#23998)
* Shortcut to avoid file system setup when generating the logo URL
(server#24001)
* Remove old legacy scripts references (server#24004)
* Fix js search in undefined ocs response (server#24012)
* Don't leave cursors open (server#24033)
* Fix sharing tab state not matching resharing admin settings
(server#24044)
* Run unit tests against oracle (server#24049)
* Use png icons in caldav reminder emails (server#24050)
* Manually iterate over calendardata when oracle is used (server#24058)
* Make is_user_defined nullable so we can store false on oracle
(server#24079)
* Fix default internal expiration date enforce (server#24081)
* Register new command db:add-missing-primary-keys (server#24106)
* Convert the card resource to a string if necessary (server#24114)
* Don't throw on SHOW VERSION query (server#24147)
* Bump dompurify to 2.2.2 (server#24153)
* Set up FS before querying storage info in settings (server#24156)
* Fix default internal expiration date (server#24159)
* CircleId too short in some request (server#24178)
* Revert "circleId too short in some request" (server#24183)
* Missing level in ScopedPsrLogger (server#24212)
* Fix activity spinner on empty activity (activity#523)
* Add OCI github action (activity#528)
* Disable download button by default (files_pdfviewer#257)
* Feat/dependabot ga/stable20 (firstrunwizard#442)
* Fix loading notifications without a message on oracle (notifications#796)
* Do not setup appdata in constructor to avoid errors causing the whole
instance to stop working (text#1105)
* Bump eslint-plugin-standard from 4.0.1 to 4.0.2 (text#1125)
* Bump sass-loader from 10.0.1 to 10.0.5 (text#1134)
* Bump webpack from 4.44.1 to 4.44.2 (text#1140)
* Bump dependencies to version in range (text#1164)
* Validate link on click (text#1166)
* Add migration to fix oracle issues with the database schema (text#1177)
* Bump cypress from 4.12.1 to 5.1.0 (text#1179)
* Fix URL escaping of shared files (viewer#681)
* Fix component click outside and cleanup structure (viewer#684)
Update to 20.0.1
No changelog from upstream at this time.
Update to 20.0.0
* Changes The three biggest features we introduce with Nextcloud 20 are:
- Our new dashboard provides a great starting point for the day with
over a dozen widgets ranging from Twitter and Github to Moodle and
Zammad already available
- Search was unified, bringing search results of Nextcloud apps as well
as external services like Gitlab, Jira and Discourse in one place
- Talk introduced bridging to other platforms including MS Teams, Slack,
IRC, Matrix and a dozen others
* Some other improvements we want to highlight include:
- Notifications and Activities were brought together, making sure you
won���t miss anything important
- We added a ���status��� setting so you can communicate to other
users what you are up to
- Talk also brings dashboard and search integration, emoji picker,
upload view, camera and microphone settings, mute and more
- Calendar integrates in dashboard and search, introduced a list view
and design improvements
- Mail introduces threaded view, mailbox management and more
- Deck integrates with dashboard and search, introduces Calendar
integration, modal view for card editing and series of smaller
improvements
- Flow adds push notification and webhooks so other web apps can
easily integrate with Nextcloud
- Text introduced direct linking to files in Nextcloud
- Files lets you add a description to public link shares
+ Read the full announcement on our blog
- NC-SA-2020-037
- CVE-2020-8295: Fixed Denial of service attack when resetting the
password for a user(boo#1181804)
- Update to 20.0.11
- Fix boo#1188247 - CVE-2021-32678: OCS API response ratelimits are not
applied
- Fix boo#1188248 - CVE-2021-32679: filenames where not escaped by default
in controllers using DownloadResponse
- Fix boo#1188249 - CVE-2021-32680: share expiration date wasn't properly
logged
- Fix boo#1188250 - CVE-2021-32688: lacking permission check with
application specific tokens
- Fix boo#1188251 - CVE-2021-32703: lack of ratelimiting on the shareinfo
endpoint
- Fix boo#1188252 - CVE-2021-32705: lack of ratelimiting on the public DAV
endpoint
- Fix boo#1188253 - CVE-2021-32725: default share permissions were not
being respected for federated reshares of files and folders
- Fix boo#1188254 - CVE-2021-32726: webauthn tokens were not deleted after
a user has been deleted
- Fix boo#1188255 - CVE-2021-32734: possible full path disclosure on
shared files
- Fix boo#1188256 - CVE-2021-32741: lack of ratelimiting on the public
share link mount endpoint
- Bump handlebars from 4.7.6 to 4.7.7 (server#26900)
- Bump lodash from 4.17.20 to 4.17.21 (server#26909)
- Bump hosted-git-info from 2.8.8 to 2.8.9 (server#26920)
- Don't break OCC if an app is breaking in it's Application class
(server#26954)
- Add bruteforce protection to the shareinfo endpoint (server#26956)
- Ignore readonly flag for directories (server#26965)
- Throttle MountPublicLinkController when share is not found (server#26971)
- Respect default share permissions for federated reshares (server#27001)
- Harden apptoken check (server#27014)
- Use parent wrapper to properly handle moves on the same source/target
storage (server#27016)
- Fix error when using CORS with no auth credentials (server#27027)
- Fix return value of getStorageInfo when 'quota_include_external_storage'
is enabled (server#27108)
- Bump patch dependencies (server#27183)
- Use noreply@ as email address for share emails (server#27209)
- Bump p-queue from 6.6.1 to 6.6.2 (server#27226)
- Bump browserslist from 4.14.0 to 4.16.6 (server#27247)
- Bump webpack from 4.44.1 to 4.44.2 (server#27297)
- Properly use limit and offset for search in Jail wrapper (server#27308)
- Make user:report command scale (server#27319)
- Properly log expiration date removal in audit log (server#27325)
- Propagate throttling on OCS response (server#27337)
- Set umask before operations that create local files (server#27349)
- Escape filename in Content-Disposition (server#27360)
- Don't update statuses to offline again and again (server#27412)
- Header must contain a colon (server#27456)
- Activate constraint check for oracle / pqsql also for 20 (server#27523)
- Only allow removing existing shares that would not be allowed due to
reshare restrictions (server#27552)
- Bump ws from 7.3.1 to 7.5.0 (server#27570)
- Properly cleanup entries of WebAuthn on user deletion (server#27596)
- Throttle on public DAV endpoint (server#27617)
- Bump vue-loader from 15.9.3 to 15.9.7 (server#27639)
- Bump eslint-plugin-standard from 4.0.1 to 4.0.2 (server#27651)
- Validate the theming color also on CLI (server#27680)
- Downstream encryption:fix-encrypted-version for repairing bad signature
errors (server#27728)
- Remove encodeURI code (files_pdfviewer#396)
- Only ask for permissions on HTTPS (notifications#998)
- Fix sorting if one of the file name is only composed with number
(photos#785)
- Backport 20 fix Photos not shown in large browser windows #630 (#686)
(photos#810)
- Update File.vue (photos#813)
- Update chart.js (serverinfo#309)
- Only return workspace property for top node in a propfind request
(text#1611)
- ViewerComponent: pass on autofocus to EditorWrapper (text#1647)
- Use text/plain as content type for fetching the document (text#1692)
- Log exceptions that happen on unknown exception and return generic
messages (text#1698)
- Add fixup (viewer#924)
- Fix: fullscreen for Firefox (viewer#929)
Update to 20.0.7
- Catch NotFoundException when querying quota (server#25315)
- CalDAV] Validate notified emails (server#25324)
- Fix/app fetcher php compat comparison (server#25347)
- Show the actual error on share requests (server#25352)
- Fix parameter provided as string not array (server#25366)
- The objectid is a string (server#25374)
- 20.0.7 final (server#25387)
- Properly handle SMB ACL blocking scanning a directory (server#25421)
- Don't break completely when creating the digest fail for one user
(activity#556)
- Only attempt to use a secure view if hide download is actually set
(files_pdfviewer#296)
- Fix opening PDF files with special characters in their name
(files_pdfviewer#298)
- Fix PDF viewer failing on Edge (not based on Chromium)
(files_pdfviewer#299)
- Cannot unfold plain text notifications (notifications#846)
- Remove EPUB mimetype (text#1391)
Update to 20.0.6
- Make sure to do priority app upgrades first (server#25077)
- Respect DB restrictions on number of arguments in statements and queries
(server#25120)
- Add a hint about the direction of priority (server#25143)
- Do not redirect to logout after login (server#25146)
- Fix comparison of PHP versions (server#25152)
- Add "composer.lock" for acceptance tests to git (server#25178)
- Update CRL due to revoked gravatar.crl (server#25190)
- Don't log keys on checkSignature (server#25193)
- Update 3rdparty after Archive_Tar (server#25199)
- Bump CA bundle (server#25219)
- Update handling of user credentials (server#25225)
- Fix encoding issue with OC.Notification.show (server#25244)
- Also use storage copy when dav copying directories (server#25261)
- Silence log message (server#25263)
- Extend ILDAPProvider to allow reading arbitrairy ldap attributes for
users (server#25276)
- Do not obtain userFolder of a federated user (server#25278)
- Bump pear/archive_tar from 1.4.11 to 1.4.12 (3rdparty#603)
- Add gitignore entry for .github folder of dependencies (3rdparty#604)
- Clear event array on getting them (activity#551)
Update to 20.0.5
- Don't log params of imagecreatefromstring (server#24546)
- Use storage copy implementation when doing dav copy (server#24590)
- Use in objectstore copy (server#24592)
- Add tel, note, org and title search (server#24697)
- Check php compatibility of app store app releases (server#24698)
- Fix #24682]: ensure federation cloud id is retruned if FN property not
found (server#24709)
- Do not include non-required scripts on the upgrade page (server#24714)
- LDAP: fix inGroup for memberUid type of group memberships (server#24716)
- Cancel user search requests to avoid duplicate results being added
(server#24728)
- Also unset the other possible unused paramters (server#24751)
- Enables the file name check also to match name of mountpoints
(server#24760)
- Fixes sharing to group ids with characters that are being url encoded
(server#24763)
- Limit getIncomplete query to one row (server#24791)
- Fix Argon2 descriptions (server#24792)
- Actually set the TTL on redis set (server#24798)
- Allow to force rename a conflicting calendar (server#24806)
- Fix IPv6 localhost regex (server#24823)
- Catch the error on heartbeat update (server#24826)
- Make oc_files_trash.auto_id a bigint (server#24853)
- Fix total upload size overwritten by next upload (server#24854)
- Avoid huge exception argument logging (server#24876)
- Make share results distinguishable if there are more than one with the
exact same display name (server#24878)
- Add migration for oc_share_external columns (server#24963)
- Don't throw a 500 when importing a broken ics reminder file
(server#24972)
- Fix unreliable ViewTest (server#24976)
- Update root.crl due to revocation of transmission.crt (server#24990)
- Set the JSCombiner cache if needed (server#24997)
- Fix column name to check prior to deleting (server#25009)
- Catch throwable instead of exception (server#25013)
- Set the user language when adding the footer (server#25019)
- Change defaultapp in config.sample.php to dashboard to improve docs and
align it to source code (server#25030)
- Fix clearing the label of a share (server#25035)
- Update psalm-baseline.xml (server#25066)
- Don't remove assignable column for now (server#25074)
- Add setup check to verify that the used DB version is still supported���
(server#25076)
- Correctly set the user for activity parsing when preparing a notifica���
(activity#542)
- Bump vue-virtual-grid from 2.2.1 to 2.3.0 (photos#597)
- Catch possible database exceptions when fetching document data
(text#1221)
- Make sure we have the proper PHP version installed before running
composer (text#1234)
- Revert removal of transformResponse (text#1235)
- Bump prosemirror-view from 1.16.1 to 1.16.5 (text#1255)
- Bump @babel/preset-env from 7.12.1 to 7.12.11 (text#1257)
- Bump babel-loader from 8.1.0 to 8.2.2 (text#1259)
- Bump eslint-plugin-standard from 4.0.2 to 4.1.0 (text#1261)
- Bump vue-loader from 15.9.5 to 15.9.6 (text#1263)
- Bump prosemirror-model from 1.12.0 to 1.13.1 (text#1265)
- Bump core-js from 3.7.0 to 3.8.1 (text#1266)
- Bump stylelint from 13.7.2 to 13.8.0 (text#1269)
- Bump @babel/plugin-transform-runtime from 7.12.1 to 7.12.10 (text#1271)
- Bump sass-loader from 10.0.5 to 10.1.0 (text#1273)
- Bump webpack-merge from 5.3.0 to 5.7.2 (text#1274)
- Bump @babel/core from 7.12.3 to 7.12.10 (text#1277)
- Bump cypress from 5.1.0 to 5.6.0 (text#1278)
- Bump @vue/test-utils from 1.1.1 to 1.1.2 (text#1279)
- Bump webpack-merge from 5.7.2 to 5.7.3 (text#1303)
- The apache subpackage must require the main package, otherwise it will
not be uninstalled when the main package is uninstalled.
Update to 20.0.4
- Avoid dashboard crash when accessibility app is not installed
(server#24636)
- Bump ini from 1.3.5 to 1.3.7 (server#24649)
- Handle owncloud migration to latest release (server#24653)
- Use string for storing a OCM remote id (server#24654)
- Fix MySQL database size calculation (serverinfo#262)
- Bump cypress-io/github-action@v2 (viewer#722)
- Fix] sidebar opening animation (viewer#723)
- Fix not.exist cypress and TESTING checks (viewer#725)
- Put apache configuration files in separate subpackage.
- Use apache-rpm-macros for SUSE.
- Change oc_* macros to nc_* macros.
- Insert macro apache_serverroot also in cron files.
Update to 20.0.3
* Check quota of subdirectories when uploading to them (server#24181)
* CircleId too short in some request (server#24196)
* Missing level in ScopedPsrLogger (server#24212)
* Fix nextcloud logo in email notifications misalignment (server#24228)
* Allow selecting multiple columns with SELECT DISTINCT (server#24230)
* Use file name instead of path in 'not allowed to share' message
(server#24231)
* Fix setting images through occ for theming (server#24232)
* Use regex when searching on single file shares (server#24239)
* Harden EncryptionLegacyCipher a bit (server#24249)
* Update ScanLegacyFormat.php (server#24258)
* Simple typo in comments (server#24259)
* Use correct year for generated birthdays events (server#24263)
* Delete files that exceed trashbin size immediately (server#24297)
* Update sabre/xml to fix XML parsing errors (server#24311)
* Only check path for being accessible when the storage is a object home
(server#24325)
* Avoid empty null default with value that will be inserted anyways
(server#24333)
* Fix contacts menu position and show uid as a tooltip (server#24342)
* Fix the config key on the sharing expire checkbox (server#24346)
* Set the display name of federated sharees from addressbook (server#24353)
* Catch storage not available in versions expire command (server#24367)
* Use proper bundles for files client and fileinfo (server#24377)
* Properly encode path when fetching inherited shares (server#24387)
* Formatting remote sharer should take protocol, path into account
(server#24391)
* Make sure we add new line between vcf groups exports (server#24443)
* Fix public calendars shared to circles (server#24446)
* Store scss variables under a different prefix for each theming config
version (server#24453)
* External storages: save group ids not display names in configuration
(server#24455)
* Use correct l10n source in files_sharing JS code (server#24462)
* Set frame-ancestors to none if none are filled (server#24477)
* Move the password fiels of chaging passwords to post (server#24478)
* Move the global password for files external to post (server#24479)
* Only attempt to move to trash if a file is not in appdata (server#24483)
* Fix loading mtime of new file in conflict dialog in firefox
(server#24491)
* Harden setup check for TLS version if host is not reachable
(server#24502)
* Fix file size computation on 32bit platforms (server#24509)
* Allow subscription to indicate that a userlimit is reached (server#24511)
* Set mountid for personal external storage mounts (server#24513)
* Only execute plain mimetype check for directories and do the fallback���
(server#24517)
* Fix vsprint parameter (server#24527)
* Replace abandoned log normalizer with our fork (server#24530)
* Add icon to user limit notification (server#24531)
* Also run repair steps when encryption is disabled but a legacy key is
present (server#24532)
* [3rdparty][security] Archive TAR to 1.4.11 (server#24534)
* Generate a new session id if the decrypting the session data fails
(server#24553)
* Revert "Do not read certificate bundle from data dir by default"
(server#24556)
* Dont use system composer for autoload checker (server#24557)
* Remember me is not an app_password (server#24563)
* Do not load nonexisting setup.js (server#24582)
* Update sabre/xml to fix XML parsing errors (3rdparty#529)
* Use composer v1 on CI (3rdparty#532)
* Bump pear/archive_tar from 1.4.9 to 1.4.11 (3rdparty#536)
* Replace abandoned log normalizer with our fork (3rdparty#543)
* Allow nullable values as subject params (activity#535)
* Don't log when unknown array is null (notifications#803)
* Feat/virtual grid (photos#550)
* Make sure we have a string to localecompare to (photos#583)
* Always get recommendations for dashboard if enabled (recommendations#336)
* Properly fetch oracle database information (serverinfo#258)
* Also register to urlChanged event to update RichWorkspace (text#1181)
* Move away from GET (text#1214)
Update to 20.0.2
* CVE-2020-8293: Fixed input validation which allowed users to store
unlimited data in workflow rules (boo#1181445).
* CVE-2020-8294: Fixed a missing link validation (boo#1181803).
* Inidicate preview availability in share api responses (server#23419)
* CalDavBackend: check if timerange is array before accessing
(server#23563)
* Some emojis are in CHAR_CATEGORY_GENERAL_OTHER_TYPES (server#23575)
* Also expire share type email (server#23583)
* Only use index of mount point when it is there (server#23611)
* Only retry fetching app store data once every 5 minutes in case it fails
(server#23633)
* Bring back the restore share button (server#23636)
* Fix updates of NULL appconfig values (server#23641)
* Fix sharing input placeholder for emails (server#23646)
* Use bigint for fileid in filecache_extended (server#23690)
* Enable theming background transparency (server#23699)
* Fix sharer flag on ldap:show-remnants when user owned more than a single
share (server#23702)
* Make sure the function signatures of the backgroundjob match
(server#23710)
* Check if array elements exist before using them (server#23713)
* Fix default quota display value in user row (server#23726)
* Use lib instead if core as l10n module in OC_Files (server#23727)
* Specify accept argument to avatar upload input field (server#23732)
* Save email as lower case (server#23733)
* Reset avatar cropper before showing (server#23736)
* Also run the SabreAuthInitEvent for the main server (server#23745)
* Type the \OCP\IUserManager::callForAllUsers closure with Psalm
(server#23749)
* Type the \OCP\AppFramework\Services\IInitialState::provideLazyInitial���
(server#23751)
* Don't overwrite the event if we use it later (server#23753)
* Inform the user when flow config data exceeds thresholds (server#23759)
* Type the \OCP\IUserManager::callForSeenUsers closure with Psalm
(server#23763)
* Catch errors when closing file conflict dialog (server#23774)
* Document the backend registered events of LDAP (server#23779)
* Fetch the logger and system config once for all query builder instances
(server#23787)
* Type the event dispatcher listener callables with Psalm (server#23789)
* Only run phpunit when "php" changed (server#23794)
* Remove bold font-weight and lower font-size for empty search box
(server#23829)
* No need to check if there is an avatar available, because it is gener���
(server#23846)
* Ensure filepicker list is empty before populating (server#23850)
* UserStatus: clear status message if message is null (server#23858)
* Fix grid view toggle in tags view (server#23874)
* Restrict query when searching for versions of trashbin files
(server#23884)
* Fix potentially passing null to events where IUser is expected
(server#23894)
* Make user status styles scoped (server#23899)
* Move help to separate stylesheet (server#23900)
* Add default font size (server#23902)
* Do not emit UserCreatedEvent twice (server#23917)
* Bearer must be in the start of the auth header (server#23924)
* Fix casting of integer and boolean on Oracle (server#23935)
* Skip already loaded apps in loadApps (server#23948)
* Fix repair mimetype step to not leave stray cursors (server#23950)
* Improve query type detection (server#23951)
* Fix iLike() falsely turning escaped % and _ into wildcards (server#23954)
* Replace some usages of OC_DB in OC\Share\* with query builder
(server#23955)
* Use query builder instead of OC_DB in trashbin (server#23971)
* Fix greatest/least order for oracle (server#23975)
* Fix link share label placeholder not showing (server#23992)
* Unlock when promoting to exclusive lock fails (server#23995)
* Make sure root storage is valid before checking its size (server#23996)
* Use query builder instead of OC_DB in OC\Files\* (server#23998)
* Shortcut to avoid file system setup when generating the logo URL
(server#24001)
* Remove old legacy scripts references (server#24004)
* Fix js search in undefined ocs response (server#24012)
* Don't leave cursors open (server#24033)
* Fix sharing tab state not matching resharing admin settings
(server#24044)
* Run unit tests against oracle (server#24049)
* Use png icons in caldav reminder emails (server#24050)
* Manually iterate over calendardata when oracle is used (server#24058)
* Make is_user_defined nullable so we can store false on oracle
(server#24079)
* Fix default internal expiration date enforce (server#24081)
* Register new command db:add-missing-primary-keys (server#24106)
* Convert the card resource to a string if necessary (server#24114)
* Don't throw on SHOW VERSION query (server#24147)
* Bump dompurify to 2.2.2 (server#24153)
* Set up FS before querying storage info in settings (server#24156)
* Fix default internal expiration date (server#24159)
* CircleId too short in some request (server#24178)
* Revert "circleId too short in some request" (server#24183)
* Missing level in ScopedPsrLogger (server#24212)
* Fix activity spinner on empty activity (activity#523)
* Add OCI github action (activity#528)
* Disable download button by default (files_pdfviewer#257)
* Feat/dependabot ga/stable20 (firstrunwizard#442)
* Fix loading notifications without a message on oracle (notifications#796)
* Do not setup appdata in constructor to avoid errors causing the whole
instance to stop working (text#1105)
* Bump eslint-plugin-standard from 4.0.1 to 4.0.2 (text#1125)
* Bump sass-loader from 10.0.1 to 10.0.5 (text#1134)
* Bump webpack from 4.44.1 to 4.44.2 (text#1140)
* Bump dependencies to version in range (text#1164)
* Validate link on click (text#1166)
* Add migration to fix oracle issues with the database schema (text#1177)
* Bump cypress from 4.12.1 to 5.1.0 (text#1179)
* Fix URL escaping of shared files (viewer#681)
* Fix component click outside and cleanup structure (viewer#684)
Update to 20.0.1
No changelog from upstream at this time.
Update to 20.0.0
* Changes The three biggest features we introduce with Nextcloud 20 are:
- Our new dashboard provides a great starting point for the day with
over a dozen widgets ranging from Twitter and Github to Moodle and
Zammad already available
- Search was unified, bringing search results of Nextcloud apps as well
as external services like Gitlab, Jira and Discourse in one place
- Talk introduced bridging to other platforms including MS Teams, Slack,
IRC, Matrix and a dozen others
* Some other improvements we want to highlight include:
- Notifications and Activities were brought together, making sure you
won���t miss anything important
- We added a ���status��� setting so you can communicate to other
users what you are up to
- Talk also brings dashboard and search integration, emoji picker,
upload view, camera and microphone settings, mute and more
- Calendar integrates in dashboard and search, introduced a list view
and design improvements
- Mail introduces threaded view, mailbox management and more
- Deck integrates with dashboard and search, introduces Calendar
integration, modal view for card editing and series of smaller
improvements
- Flow adds push notification and webhooks so other web apps can
easily integrate with Nextcloud
- Text introduced direct linking to files in Nextcloud
- Files lets you add a description to public link shares
+ Read the full announcement on our blog
- NC-SA-2020-037
- CVE-2020-8295: Fixed Denial of service attack when resetting the
password for a user(boo#1181804)
- Update to 20.0.11
- Fix boo#1188247 - CVE-2021-32678: OCS API response ratelimits are not
applied
- Fix boo#1188248 - CVE-2021-32679: filenames where not escaped by default
in controllers using DownloadResponse
- Fix boo#1188249 - CVE-2021-32680: share expiration date wasn't properly
logged
- Fix boo#1188250 - CVE-2021-32688: lacking permission check with
application specific tokens
- Fix boo#1188251 - CVE-2021-32703: lack of ratelimiting on the shareinfo
endpoint
- Fix boo#1188252 - CVE-2021-32705: lack of ratelimiting on the public DAV
endpoint
- Fix boo#1188253 - CVE-2021-32725: default share permissions were not
being respected for federated reshares of files and folders
- Fix boo#1188254 - CVE-2021-32726: webauthn tokens were not deleted after
a user has been deleted
- Fix boo#1188255 - CVE-2021-32734: possible full path disclosure on
shared files
- Fix boo#1188256 - CVE-2021-32741: lack of ratelimiting on the public
share link mount endpoint
- Bump handlebars from 4.7.6 to 4.7.7 (server#26900)
- Bump lodash from 4.17.20 to 4.17.21 (server#26909)
- Bump hosted-git-info from 2.8.8 to 2.8.9 (server#26920)
- Don't break OCC if an app is breaking in it's Application class
(server#26954)
- Add bruteforce protection to the shareinfo endpoint (server#26956)
- Ignore readonly flag for directories (server#26965)
- Throttle MountPublicLinkController when share is not found (server#26971)
- Respect default share permissions for federated reshares (server#27001)
- Harden apptoken check (server#27014)
- Use parent wrapper to properly handle moves on the same source/target
storage (server#27016)
- Fix error when using CORS with no auth credentials (server#27027)
- Fix return value of getStorageInfo when 'quota_include_external_storage'
is enabled (server#27108)
- Bump patch dependencies (server#27183)
- Use noreply@ as email address for share emails (server#27209)
- Bump p-queue from 6.6.1 to 6.6.2 (server#27226)
- Bump browserslist from 4.14.0 to 4.16.6 (server#27247)
- Bump webpack from 4.44.1 to 4.44.2 (server#27297)
- Properly use limit and offset for search in Jail wrapper (server#27308)
- Make user:report command scale (server#27319)
- Properly log expiration date removal in audit log (server#27325)
- Propagate throttling on OCS response (server#27337)
- Set umask before operations that create local files (server#27349)
- Escape filename in Content-Disposition (server#27360)
- Don't update statuses to offline again and again (server#27412)
- Header must contain a colon (server#27456)
- Activate constraint check for oracle / pqsql also for 20 (server#27523)
- Only allow removing existing shares that would not be allowed due to
reshare restrictions (server#27552)
- Bump ws from 7.3.1 to 7.5.0 (server#27570)
- Properly cleanup entries of WebAuthn on user deletion (server#27596)
- Throttle on public DAV endpoint (server#27617)
- Bump vue-loader from 15.9.3 to 15.9.7 (server#27639)
- Bump eslint-plugin-standard from 4.0.1 to 4.0.2 (server#27651)
- Validate the theming color also on CLI (server#27680)
- Downstream encryption:fix-encrypted-version for repairing bad signature
errors (server#27728)
- Remove encodeURI code (files_pdfviewer#396)
- Only ask for permissions on HTTPS (notifications#998)
- Fix sorting if one of the file name is only composed with number
(photos#785)
- Backport 20 fix Photos not shown in large browser windows #630 (#686)
(photos#810)
- Update File.vue (photos#813)
- Update chart.js (serverinfo#309)
- Only return workspace property for top node in a propfind request
(text#1611)
- ViewerComponent: pass on autofocus to EditorWrapper (text#1647)
- Use text/plain as content type for fetching the document (text#1692)
- Log exceptions that happen on unknown exception and return generic
messages (text#1698)
- Add fixup (viewer#924)
- Fix: fullscreen for Firefox (viewer#929)
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 15.2:
zypper in -t patch openSUSE-2021-1068=1
- openSUSE Backports SLE-15-SP3:
zypper in -t patch openSUSE-2021-1068=1
- openSUSE Backports SLE-15-SP2:
zypper in -t patch openSUSE-2021-1068=1
- openSUSE Backports SLE-15-SP1:
zypper in -t patch openSUSE-2021-1068=1
- SUSE Package Hub for SUSE Linux Enterprise 12:
zypper in -t patch openSUSE-2021-1068=1
Package List:
- openSUSE Leap 15.2 (noarch):
nextcloud-20.0.11-lp152.3.9.1
nextcloud-apache-20.0.11-lp152.3.9.1
- openSUSE Backports SLE-15-SP3 (noarch):
nextcloud-20.0.11-bp153.2.3.1
nextcloud-apache-20.0.11-bp153.2.3.1
- openSUSE Backports SLE-15-SP2 (noarch):
nextcloud-20.0.11-bp152.2.9.1
nextcloud-apache-20.0.11-bp152.2.9.1
- openSUSE Backports SLE-15-SP1 (noarch):
nextcloud-20.0.11-bp151.3.15.1
nextcloud-apache-20.0.11-bp151.3.15.1
- SUSE Package Hub for SUSE Linux Enterprise 12 (noarch):
nextcloud-20.0.11-28.1
nextcloud-apache-20.0.11-28.1
References:
https://www.suse.com/security/cve/CVE-2020-8293.html
https://www.suse.com/security/cve/CVE-2020-8294.html
https://www.suse.com/security/cve/CVE-2020-8295.html
https://www.suse.com/security/cve/CVE-2021-32678.html
https://www.suse.com/security/cve/CVE-2021-32679.html
https://www.suse.com/security/cve/CVE-2021-32680.html
https://www.suse.com/security/cve/CVE-2021-32688.html
https://www.suse.com/security/cve/CVE-2021-32703.html
https://www.suse.com/security/cve/CVE-2021-32705.html
https://www.suse.com/security/cve/CVE-2021-32725.html
https://www.suse.com/security/cve/CVE-2021-32726.html
https://www.suse.com/security/cve/CVE-2021-32734.html
https://www.suse.com/security/cve/CVE-2021-32741.html
https://bugzilla.suse.com/1181445
https://bugzilla.suse.com/1181803
https://bugzilla.suse.com/1181804
https://bugzilla.suse.com/1188247
https://bugzilla.suse.com/1188248
https://bugzilla.suse.com/1188249
https://bugzilla.suse.com/1188250
https://bugzilla.suse.com/1188251
https://bugzilla.suse.com/1188252
https://bugzilla.suse.com/1188253
https://bugzilla.suse.com/1188254
https://bugzilla.suse.com/1188255
https://bugzilla.suse.com/1188256
1
0
openSUSE-SU-2021:1068-1: important: Security update for nextcloud
by opensuse-security@opensuse.org 21 Jul '21
by opensuse-security@opensuse.org 21 Jul '21
21 Jul '21
openSUSE Security Update: Security update for nextcloud
______________________________________________________________________________
Announcement ID: openSUSE-SU-2021:1068-1
Rating: important
References: #1181445 #1181803 #1181804 #1188247 #1188248
#1188249 #1188250 #1188251 #1188252 #1188253
#1188254 #1188255 #1188256
Cross-References: CVE-2020-8293 CVE-2020-8294 CVE-2020-8295
CVE-2021-32678 CVE-2021-32679 CVE-2021-32680
CVE-2021-32688 CVE-2021-32703 CVE-2021-32705
CVE-2021-32725 CVE-2021-32726 CVE-2021-32734
CVE-2021-32741
CVSS scores:
CVE-2020-8293 (NVD) : 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CVE-2020-8294 (NVD) : 5.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CVE-2021-32680 (NVD) : 3.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
CVE-2021-32688 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected Products:
openSUSE Leap 15.2
openSUSE Backports SLE-15-SP3
openSUSE Backports SLE-15-SP2
openSUSE Backports SLE-15-SP1
______________________________________________________________________________
An update that fixes 13 vulnerabilities is now available.
Description:
This update for nextcloud fixes the following issues:
nextcloud was updated to 20.0.11:
- Fix boo#1188247 - CVE-2021-32678: OCS API response ratelimits are not
applied
- Fix boo#1188248 - CVE-2021-32679: filenames where not escaped by default
in controllers using DownloadResponse
- Fix boo#1188249 - CVE-2021-32680: share expiration date wasn't properly
logged
- Fix boo#1188250 - CVE-2021-32688: lacking permission check with
application specific tokens
- Fix boo#1188251 - CVE-2021-32703: lack of ratelimiting on the shareinfo
endpoint
- Fix boo#1188252 - CVE-2021-32705: lack of ratelimiting on the public DAV
endpoint
- Fix boo#1188253 - CVE-2021-32725: default share permissions were not
being respected for federated reshares of files and folders
- Fix boo#1188254 - CVE-2021-32726: webauthn tokens were not deleted after
a user has been deleted
- Fix boo#1188255 - CVE-2021-32734: possible full path disclosure on
shared files
- Fix boo#1188256 - CVE-2021-32741: lack of ratelimiting on the public
share link mount endpoint
- Bump handlebars from 4.7.6 to 4.7.7 (server#26900)
- Bump lodash from 4.17.20 to 4.17.21 (server#26909)
- Bump hosted-git-info from 2.8.8 to 2.8.9 (server#26920)
- Don't break OCC if an app is breaking in it's Application class
(server#26954)
- Add bruteforce protection to the shareinfo endpoint (server#26956)
- Ignore readonly flag for directories (server#26965)
- Throttle MountPublicLinkController when share is not found (server#26971)
- Respect default share permissions for federated reshares (server#27001)
- Harden apptoken check (server#27014)
- Use parent wrapper to properly handle moves on the same source/target
storage (server#27016)
- Fix error when using CORS with no auth credentials (server#27027)
- Fix return value of getStorageInfo when 'quota_include_external_storage'
is enabled (server#27108)
- Bump patch dependencies (server#27183)
- Use noreply@ as email address for share emails (server#27209)
- Bump p-queue from 6.6.1 to 6.6.2 (server#27226)
- Bump browserslist from 4.14.0 to 4.16.6 (server#27247)
- Bump webpack from 4.44.1 to 4.44.2 (server#27297)
- Properly use limit and offset for search in Jail wrapper (server#27308)
- Make user:report command scale (server#27319)
- Properly log expiration date removal in audit log (server#27325)
- Propagate throttling on OCS response (server#27337)
- Set umask before operations that create local files (server#27349)
- Escape filename in Content-Disposition (server#27360)
- Don't update statuses to offline again and again (server#27412)
- Header must contain a colon (server#27456)
- Activate constraint check for oracle / pqsql also for 20 (server#27523)
- Only allow removing existing shares that would not be allowed due to
reshare restrictions (server#27552)
- Bump ws from 7.3.1 to 7.5.0 (server#27570)
- Properly cleanup entries of WebAuthn on user deletion (server#27596)
- Throttle on public DAV endpoint (server#27617)
- Bump vue-loader from 15.9.3 to 15.9.7 (server#27639)
- Bump eslint-plugin-standard from 4.0.1 to 4.0.2 (server#27651)
- Validate the theming color also on CLI (server#27680)
- Downstream encryption:fix-encrypted-version for repairing bad signature
errors (server#27728)
- Remove encodeURI code (files_pdfviewer#396)
- Only ask for permissions on HTTPS (notifications#998)
- Fix sorting if one of the file name is only composed with number
(photos#785)
- Backport 20 fix Photos not shown in large browser windows #630 (#686)
(photos#810)
- Update File.vue (photos#813)
- Update chart.js (serverinfo#309)
- Only return workspace property for top node in a propfind request
(text#1611)
- ViewerComponent: pass on autofocus to EditorWrapper (text#1647)
- Use text/plain as content type for fetching the document (text#1692)
- Log exceptions that happen on unknown exception and return generic
messages (text#1698)
- Add fixup (viewer#924)
- Fix: fullscreen for Firefox (viewer#929)
Update to 20.0.7
- Catch NotFoundException when querying quota (server#25315)
- CalDAV] Validate notified emails (server#25324)
- Fix/app fetcher php compat comparison (server#25347)
- Show the actual error on share requests (server#25352)
- Fix parameter provided as string not array (server#25366)
- The objectid is a string (server#25374)
- 20.0.7 final (server#25387)
- Properly handle SMB ACL blocking scanning a directory (server#25421)
- Don't break completely when creating the digest fail for one user
(activity#556)
- Only attempt to use a secure view if hide download is actually set
(files_pdfviewer#296)
- Fix opening PDF files with special characters in their name
(files_pdfviewer#298)
- Fix PDF viewer failing on Edge (not based on Chromium)
(files_pdfviewer#299)
- Cannot unfold plain text notifications (notifications#846)
- Remove EPUB mimetype (text#1391)
Update to 20.0.6
- Make sure to do priority app upgrades first (server#25077)
- Respect DB restrictions on number of arguments in statements and queries
(server#25120)
- Add a hint about the direction of priority (server#25143)
- Do not redirect to logout after login (server#25146)
- Fix comparison of PHP versions (server#25152)
- Add "composer.lock" for acceptance tests to git (server#25178)
- Update CRL due to revoked gravatar.crl (server#25190)
- Don't log keys on checkSignature (server#25193)
- Update 3rdparty after Archive_Tar (server#25199)
- Bump CA bundle (server#25219)
- Update handling of user credentials (server#25225)
- Fix encoding issue with OC.Notification.show (server#25244)
- Also use storage copy when dav copying directories (server#25261)
- Silence log message (server#25263)
- Extend ILDAPProvider to allow reading arbitrairy ldap attributes for
users (server#25276)
- Do not obtain userFolder of a federated user (server#25278)
- Bump pear/archive_tar from 1.4.11 to 1.4.12 (3rdparty#603)
- Add gitignore entry for .github folder of dependencies (3rdparty#604)
- Clear event array on getting them (activity#551)
Update to 20.0.5
- Don't log params of imagecreatefromstring (server#24546)
- Use storage copy implementation when doing dav copy (server#24590)
- Use in objectstore copy (server#24592)
- Add tel, note, org and title search (server#24697)
- Check php compatibility of app store app releases (server#24698)
- Fix #24682]: ensure federation cloud id is retruned if FN property not
found (server#24709)
- Do not include non-required scripts on the upgrade page (server#24714)
- LDAP: fix inGroup for memberUid type of group memberships (server#24716)
- Cancel user search requests to avoid duplicate results being added
(server#24728)
- Also unset the other possible unused paramters (server#24751)
- Enables the file name check also to match name of mountpoints
(server#24760)
- Fixes sharing to group ids with characters that are being url encoded
(server#24763)
- Limit getIncomplete query to one row (server#24791)
- Fix Argon2 descriptions (server#24792)
- Actually set the TTL on redis set (server#24798)
- Allow to force rename a conflicting calendar (server#24806)
- Fix IPv6 localhost regex (server#24823)
- Catch the error on heartbeat update (server#24826)
- Make oc_files_trash.auto_id a bigint (server#24853)
- Fix total upload size overwritten by next upload (server#24854)
- Avoid huge exception argument logging (server#24876)
- Make share results distinguishable if there are more than one with the
exact same display name (server#24878)
- Add migration for oc_share_external columns (server#24963)
- Don't throw a 500 when importing a broken ics reminder file
(server#24972)
- Fix unreliable ViewTest (server#24976)
- Update root.crl due to revocation of transmission.crt (server#24990)
- Set the JSCombiner cache if needed (server#24997)
- Fix column name to check prior to deleting (server#25009)
- Catch throwable instead of exception (server#25013)
- Set the user language when adding the footer (server#25019)
- Change defaultapp in config.sample.php to dashboard to improve docs and
align it to source code (server#25030)
- Fix clearing the label of a share (server#25035)
- Update psalm-baseline.xml (server#25066)
- Don't remove assignable column for now (server#25074)
- Add setup check to verify that the used DB version is still supported���
(server#25076)
- Correctly set the user for activity parsing when preparing a notifica���
(activity#542)
- Bump vue-virtual-grid from 2.2.1 to 2.3.0 (photos#597)
- Catch possible database exceptions when fetching document data
(text#1221)
- Make sure we have the proper PHP version installed before running
composer (text#1234)
- Revert removal of transformResponse (text#1235)
- Bump prosemirror-view from 1.16.1 to 1.16.5 (text#1255)
- Bump @babel/preset-env from 7.12.1 to 7.12.11 (text#1257)
- Bump babel-loader from 8.1.0 to 8.2.2 (text#1259)
- Bump eslint-plugin-standard from 4.0.2 to 4.1.0 (text#1261)
- Bump vue-loader from 15.9.5 to 15.9.6 (text#1263)
- Bump prosemirror-model from 1.12.0 to 1.13.1 (text#1265)
- Bump core-js from 3.7.0 to 3.8.1 (text#1266)
- Bump stylelint from 13.7.2 to 13.8.0 (text#1269)
- Bump @babel/plugin-transform-runtime from 7.12.1 to 7.12.10 (text#1271)
- Bump sass-loader from 10.0.5 to 10.1.0 (text#1273)
- Bump webpack-merge from 5.3.0 to 5.7.2 (text#1274)
- Bump @babel/core from 7.12.3 to 7.12.10 (text#1277)
- Bump cypress from 5.1.0 to 5.6.0 (text#1278)
- Bump @vue/test-utils from 1.1.1 to 1.1.2 (text#1279)
- Bump webpack-merge from 5.7.2 to 5.7.3 (text#1303)
- The apache subpackage must require the main package, otherwise it will
not be uninstalled when the main package is uninstalled.
Update to 20.0.4
- Avoid dashboard crash when accessibility app is not installed
(server#24636)
- Bump ini from 1.3.5 to 1.3.7 (server#24649)
- Handle owncloud migration to latest release (server#24653)
- Use string for storing a OCM remote id (server#24654)
- Fix MySQL database size calculation (serverinfo#262)
- Bump cypress-io/github-action@v2 (viewer#722)
- Fix] sidebar opening animation (viewer#723)
- Fix not.exist cypress and TESTING checks (viewer#725)
- Put apache configuration files in separate subpackage.
- Use apache-rpm-macros for SUSE.
- Change oc_* macros to nc_* macros.
- Insert macro apache_serverroot also in cron files.
Update to 20.0.3
* Check quota of subdirectories when uploading to them (server#24181)
* CircleId too short in some request (server#24196)
* Missing level in ScopedPsrLogger (server#24212)
* Fix nextcloud logo in email notifications misalignment (server#24228)
* Allow selecting multiple columns with SELECT DISTINCT (server#24230)
* Use file name instead of path in 'not allowed to share' message
(server#24231)
* Fix setting images through occ for theming (server#24232)
* Use regex when searching on single file shares (server#24239)
* Harden EncryptionLegacyCipher a bit (server#24249)
* Update ScanLegacyFormat.php (server#24258)
* Simple typo in comments (server#24259)
* Use correct year for generated birthdays events (server#24263)
* Delete files that exceed trashbin size immediately (server#24297)
* Update sabre/xml to fix XML parsing errors (server#24311)
* Only check path for being accessible when the storage is a object home
(server#24325)
* Avoid empty null default with value that will be inserted anyways
(server#24333)
* Fix contacts menu position and show uid as a tooltip (server#24342)
* Fix the config key on the sharing expire checkbox (server#24346)
* Set the display name of federated sharees from addressbook (server#24353)
* Catch storage not available in versions expire command (server#24367)
* Use proper bundles for files client and fileinfo (server#24377)
* Properly encode path when fetching inherited shares (server#24387)
* Formatting remote sharer should take protocol, path into account
(server#24391)
* Make sure we add new line between vcf groups exports (server#24443)
* Fix public calendars shared to circles (server#24446)
* Store scss variables under a different prefix for each theming config
version (server#24453)
* External storages: save group ids not display names in configuration
(server#24455)
* Use correct l10n source in files_sharing JS code (server#24462)
* Set frame-ancestors to none if none are filled (server#24477)
* Move the password fiels of chaging passwords to post (server#24478)
* Move the global password for files external to post (server#24479)
* Only attempt to move to trash if a file is not in appdata (server#24483)
* Fix loading mtime of new file in conflict dialog in firefox
(server#24491)
* Harden setup check for TLS version if host is not reachable
(server#24502)
* Fix file size computation on 32bit platforms (server#24509)
* Allow subscription to indicate that a userlimit is reached (server#24511)
* Set mountid for personal external storage mounts (server#24513)
* Only execute plain mimetype check for directories and do the fallback���
(server#24517)
* Fix vsprint parameter (server#24527)
* Replace abandoned log normalizer with our fork (server#24530)
* Add icon to user limit notification (server#24531)
* Also run repair steps when encryption is disabled but a legacy key is
present (server#24532)
* [3rdparty][security] Archive TAR to 1.4.11 (server#24534)
* Generate a new session id if the decrypting the session data fails
(server#24553)
* Revert "Do not read certificate bundle from data dir by default"
(server#24556)
* Dont use system composer for autoload checker (server#24557)
* Remember me is not an app_password (server#24563)
* Do not load nonexisting setup.js (server#24582)
* Update sabre/xml to fix XML parsing errors (3rdparty#529)
* Use composer v1 on CI (3rdparty#532)
* Bump pear/archive_tar from 1.4.9 to 1.4.11 (3rdparty#536)
* Replace abandoned log normalizer with our fork (3rdparty#543)
* Allow nullable values as subject params (activity#535)
* Don't log when unknown array is null (notifications#803)
* Feat/virtual grid (photos#550)
* Make sure we have a string to localecompare to (photos#583)
* Always get recommendations for dashboard if enabled (recommendations#336)
* Properly fetch oracle database information (serverinfo#258)
* Also register to urlChanged event to update RichWorkspace (text#1181)
* Move away from GET (text#1214)
Update to 20.0.2
* CVE-2020-8293: Fixed input validation which allowed users to store
unlimited data in workflow rules (boo#1181445).
* CVE-2020-8294: Fixed a missing link validation (boo#1181803).
* Inidicate preview availability in share api responses (server#23419)
* CalDavBackend: check if timerange is array before accessing
(server#23563)
* Some emojis are in CHAR_CATEGORY_GENERAL_OTHER_TYPES (server#23575)
* Also expire share type email (server#23583)
* Only use index of mount point when it is there (server#23611)
* Only retry fetching app store data once every 5 minutes in case it fails
(server#23633)
* Bring back the restore share button (server#23636)
* Fix updates of NULL appconfig values (server#23641)
* Fix sharing input placeholder for emails (server#23646)
* Use bigint for fileid in filecache_extended (server#23690)
* Enable theming background transparency (server#23699)
* Fix sharer flag on ldap:show-remnants when user owned more than a single
share (server#23702)
* Make sure the function signatures of the backgroundjob match
(server#23710)
* Check if array elements exist before using them (server#23713)
* Fix default quota display value in user row (server#23726)
* Use lib instead if core as l10n module in OC_Files (server#23727)
* Specify accept argument to avatar upload input field (server#23732)
* Save email as lower case (server#23733)
* Reset avatar cropper before showing (server#23736)
* Also run the SabreAuthInitEvent for the main server (server#23745)
* Type the \OCP\IUserManager::callForAllUsers closure with Psalm
(server#23749)
* Type the \OCP\AppFramework\Services\IInitialState::provideLazyInitial���
(server#23751)
* Don't overwrite the event if we use it later (server#23753)
* Inform the user when flow config data exceeds thresholds (server#23759)
* Type the \OCP\IUserManager::callForSeenUsers closure with Psalm
(server#23763)
* Catch errors when closing file conflict dialog (server#23774)
* Document the backend registered events of LDAP (server#23779)
* Fetch the logger and system config once for all query builder instances
(server#23787)
* Type the event dispatcher listener callables with Psalm (server#23789)
* Only run phpunit when "php" changed (server#23794)
* Remove bold font-weight and lower font-size for empty search box
(server#23829)
* No need to check if there is an avatar available, because it is gener���
(server#23846)
* Ensure filepicker list is empty before populating (server#23850)
* UserStatus: clear status message if message is null (server#23858)
* Fix grid view toggle in tags view (server#23874)
* Restrict query when searching for versions of trashbin files
(server#23884)
* Fix potentially passing null to events where IUser is expected
(server#23894)
* Make user status styles scoped (server#23899)
* Move help to separate stylesheet (server#23900)
* Add default font size (server#23902)
* Do not emit UserCreatedEvent twice (server#23917)
* Bearer must be in the start of the auth header (server#23924)
* Fix casting of integer and boolean on Oracle (server#23935)
* Skip already loaded apps in loadApps (server#23948)
* Fix repair mimetype step to not leave stray cursors (server#23950)
* Improve query type detection (server#23951)
* Fix iLike() falsely turning escaped % and _ into wildcards (server#23954)
* Replace some usages of OC_DB in OC\Share\* with query builder
(server#23955)
* Use query builder instead of OC_DB in trashbin (server#23971)
* Fix greatest/least order for oracle (server#23975)
* Fix link share label placeholder not showing (server#23992)
* Unlock when promoting to exclusive lock fails (server#23995)
* Make sure root storage is valid before checking its size (server#23996)
* Use query builder instead of OC_DB in OC\Files\* (server#23998)
* Shortcut to avoid file system setup when generating the logo URL
(server#24001)
* Remove old legacy scripts references (server#24004)
* Fix js search in undefined ocs response (server#24012)
* Don't leave cursors open (server#24033)
* Fix sharing tab state not matching resharing admin settings
(server#24044)
* Run unit tests against oracle (server#24049)
* Use png icons in caldav reminder emails (server#24050)
* Manually iterate over calendardata when oracle is used (server#24058)
* Make is_user_defined nullable so we can store false on oracle
(server#24079)
* Fix default internal expiration date enforce (server#24081)
* Register new command db:add-missing-primary-keys (server#24106)
* Convert the card resource to a string if necessary (server#24114)
* Don't throw on SHOW VERSION query (server#24147)
* Bump dompurify to 2.2.2 (server#24153)
* Set up FS before querying storage info in settings (server#24156)
* Fix default internal expiration date (server#24159)
* CircleId too short in some request (server#24178)
* Revert "circleId too short in some request" (server#24183)
* Missing level in ScopedPsrLogger (server#24212)
* Fix activity spinner on empty activity (activity#523)
* Add OCI github action (activity#528)
* Disable download button by default (files_pdfviewer#257)
* Feat/dependabot ga/stable20 (firstrunwizard#442)
* Fix loading notifications without a message on oracle (notifications#796)
* Do not setup appdata in constructor to avoid errors causing the whole
instance to stop working (text#1105)
* Bump eslint-plugin-standard from 4.0.1 to 4.0.2 (text#1125)
* Bump sass-loader from 10.0.1 to 10.0.5 (text#1134)
* Bump webpack from 4.44.1 to 4.44.2 (text#1140)
* Bump dependencies to version in range (text#1164)
* Validate link on click (text#1166)
* Add migration to fix oracle issues with the database schema (text#1177)
* Bump cypress from 4.12.1 to 5.1.0 (text#1179)
* Fix URL escaping of shared files (viewer#681)
* Fix component click outside and cleanup structure (viewer#684)
Update to 20.0.1
No changelog from upstream at this time.
Update to 20.0.0
* Changes The three biggest features we introduce with Nextcloud 20 are:
- Our new dashboard provides a great starting point for the day with
over a dozen widgets ranging from Twitter and Github to Moodle and
Zammad already available
- Search was unified, bringing search results of Nextcloud apps as well
as external services like Gitlab, Jira and Discourse in one place
- Talk introduced bridging to other platforms including MS Teams, Slack,
IRC, Matrix and a dozen others
* Some other improvements we want to highlight include:
- Notifications and Activities were brought together, making sure you
won���t miss anything important
- We added a ���status��� setting so you can communicate to other
users what you are up to
- Talk also brings dashboard and search integration, emoji picker,
upload view, camera and microphone settings, mute and more
- Calendar integrates in dashboard and search, introduced a list view
and design improvements
- Mail introduces threaded view, mailbox management and more
- Deck integrates with dashboard and search, introduces Calendar
integration, modal view for card editing and series of smaller
improvements
- Flow adds push notification and webhooks so other web apps can
easily integrate with Nextcloud
- Text introduced direct linking to files in Nextcloud
- Files lets you add a description to public link shares
+ Read the full announcement on our blog
- NC-SA-2020-037
- CVE-2020-8295: Fixed Denial of service attack when resetting the
password for a user(boo#1181804)
- Update to 20.0.11
- Fix boo#1188247 - CVE-2021-32678: OCS API response ratelimits are not
applied
- Fix boo#1188248 - CVE-2021-32679: filenames where not escaped by default
in controllers using DownloadResponse
- Fix boo#1188249 - CVE-2021-32680: share expiration date wasn't properly
logged
- Fix boo#1188250 - CVE-2021-32688: lacking permission check with
application specific tokens
- Fix boo#1188251 - CVE-2021-32703: lack of ratelimiting on the shareinfo
endpoint
- Fix boo#1188252 - CVE-2021-32705: lack of ratelimiting on the public DAV
endpoint
- Fix boo#1188253 - CVE-2021-32725: default share permissions were not
being respected for federated reshares of files and folders
- Fix boo#1188254 - CVE-2021-32726: webauthn tokens were not deleted after
a user has been deleted
- Fix boo#1188255 - CVE-2021-32734: possible full path disclosure on
shared files
- Fix boo#1188256 - CVE-2021-32741: lack of ratelimiting on the public
share link mount endpoint
- Bump handlebars from 4.7.6 to 4.7.7 (server#26900)
- Bump lodash from 4.17.20 to 4.17.21 (server#26909)
- Bump hosted-git-info from 2.8.8 to 2.8.9 (server#26920)
- Don't break OCC if an app is breaking in it's Application class
(server#26954)
- Add bruteforce protection to the shareinfo endpoint (server#26956)
- Ignore readonly flag for directories (server#26965)
- Throttle MountPublicLinkController when share is not found (server#26971)
- Respect default share permissions for federated reshares (server#27001)
- Harden apptoken check (server#27014)
- Use parent wrapper to properly handle moves on the same source/target
storage (server#27016)
- Fix error when using CORS with no auth credentials (server#27027)
- Fix return value of getStorageInfo when 'quota_include_external_storage'
is enabled (server#27108)
- Bump patch dependencies (server#27183)
- Use noreply@ as email address for share emails (server#27209)
- Bump p-queue from 6.6.1 to 6.6.2 (server#27226)
- Bump browserslist from 4.14.0 to 4.16.6 (server#27247)
- Bump webpack from 4.44.1 to 4.44.2 (server#27297)
- Properly use limit and offset for search in Jail wrapper (server#27308)
- Make user:report command scale (server#27319)
- Properly log expiration date removal in audit log (server#27325)
- Propagate throttling on OCS response (server#27337)
- Set umask before operations that create local files (server#27349)
- Escape filename in Content-Disposition (server#27360)
- Don't update statuses to offline again and again (server#27412)
- Header must contain a colon (server#27456)
- Activate constraint check for oracle / pqsql also for 20 (server#27523)
- Only allow removing existing shares that would not be allowed due to
reshare restrictions (server#27552)
- Bump ws from 7.3.1 to 7.5.0 (server#27570)
- Properly cleanup entries of WebAuthn on user deletion (server#27596)
- Throttle on public DAV endpoint (server#27617)
- Bump vue-loader from 15.9.3 to 15.9.7 (server#27639)
- Bump eslint-plugin-standard from 4.0.1 to 4.0.2 (server#27651)
- Validate the theming color also on CLI (server#27680)
- Downstream encryption:fix-encrypted-version for repairing bad signature
errors (server#27728)
- Remove encodeURI code (files_pdfviewer#396)
- Only ask for permissions on HTTPS (notifications#998)
- Fix sorting if one of the file name is only composed with number
(photos#785)
- Backport 20 fix Photos not shown in large browser windows #630 (#686)
(photos#810)
- Update File.vue (photos#813)
- Update chart.js (serverinfo#309)
- Only return workspace property for top node in a propfind request
(text#1611)
- ViewerComponent: pass on autofocus to EditorWrapper (text#1647)
- Use text/plain as content type for fetching the document (text#1692)
- Log exceptions that happen on unknown exception and return generic
messages (text#1698)
- Add fixup (viewer#924)
- Fix: fullscreen for Firefox (viewer#929)
Update to 20.0.7
- Catch NotFoundException when querying quota (server#25315)
- CalDAV] Validate notified emails (server#25324)
- Fix/app fetcher php compat comparison (server#25347)
- Show the actual error on share requests (server#25352)
- Fix parameter provided as string not array (server#25366)
- The objectid is a string (server#25374)
- 20.0.7 final (server#25387)
- Properly handle SMB ACL blocking scanning a directory (server#25421)
- Don't break completely when creating the digest fail for one user
(activity#556)
- Only attempt to use a secure view if hide download is actually set
(files_pdfviewer#296)
- Fix opening PDF files with special characters in their name
(files_pdfviewer#298)
- Fix PDF viewer failing on Edge (not based on Chromium)
(files_pdfviewer#299)
- Cannot unfold plain text notifications (notifications#846)
- Remove EPUB mimetype (text#1391)
Update to 20.0.6
- Make sure to do priority app upgrades first (server#25077)
- Respect DB restrictions on number of arguments in statements and queries
(server#25120)
- Add a hint about the direction of priority (server#25143)
- Do not redirect to logout after login (server#25146)
- Fix comparison of PHP versions (server#25152)
- Add "composer.lock" for acceptance tests to git (server#25178)
- Update CRL due to revoked gravatar.crl (server#25190)
- Don't log keys on checkSignature (server#25193)
- Update 3rdparty after Archive_Tar (server#25199)
- Bump CA bundle (server#25219)
- Update handling of user credentials (server#25225)
- Fix encoding issue with OC.Notification.show (server#25244)
- Also use storage copy when dav copying directories (server#25261)
- Silence log message (server#25263)
- Extend ILDAPProvider to allow reading arbitrairy ldap attributes for
users (server#25276)
- Do not obtain userFolder of a federated user (server#25278)
- Bump pear/archive_tar from 1.4.11 to 1.4.12 (3rdparty#603)
- Add gitignore entry for .github folder of dependencies (3rdparty#604)
- Clear event array on getting them (activity#551)
Update to 20.0.5
- Don't log params of imagecreatefromstring (server#24546)
- Use storage copy implementation when doing dav copy (server#24590)
- Use in objectstore copy (server#24592)
- Add tel, note, org and title search (server#24697)
- Check php compatibility of app store app releases (server#24698)
- Fix #24682]: ensure federation cloud id is retruned if FN property not
found (server#24709)
- Do not include non-required scripts on the upgrade page (server#24714)
- LDAP: fix inGroup for memberUid type of group memberships (server#24716)
- Cancel user search requests to avoid duplicate results being added
(server#24728)
- Also unset the other possible unused paramters (server#24751)
- Enables the file name check also to match name of mountpoints
(server#24760)
- Fixes sharing to group ids with characters that are being url encoded
(server#24763)
- Limit getIncomplete query to one row (server#24791)
- Fix Argon2 descriptions (server#24792)
- Actually set the TTL on redis set (server#24798)
- Allow to force rename a conflicting calendar (server#24806)
- Fix IPv6 localhost regex (server#24823)
- Catch the error on heartbeat update (server#24826)
- Make oc_files_trash.auto_id a bigint (server#24853)
- Fix total upload size overwritten by next upload (server#24854)
- Avoid huge exception argument logging (server#24876)
- Make share results distinguishable if there are more than one with the
exact same display name (server#24878)
- Add migration for oc_share_external columns (server#24963)
- Don't throw a 500 when importing a broken ics reminder file
(server#24972)
- Fix unreliable ViewTest (server#24976)
- Update root.crl due to revocation of transmission.crt (server#24990)
- Set the JSCombiner cache if needed (server#24997)
- Fix column name to check prior to deleting (server#25009)
- Catch throwable instead of exception (server#25013)
- Set the user language when adding the footer (server#25019)
- Change defaultapp in config.sample.php to dashboard to improve docs and
align it to source code (server#25030)
- Fix clearing the label of a share (server#25035)
- Update psalm-baseline.xml (server#25066)
- Don't remove assignable column for now (server#25074)
- Add setup check to verify that the used DB version is still supported���
(server#25076)
- Correctly set the user for activity parsing when preparing a notifica���
(activity#542)
- Bump vue-virtual-grid from 2.2.1 to 2.3.0 (photos#597)
- Catch possible database exceptions when fetching document data
(text#1221)
- Make sure we have the proper PHP version installed before running
composer (text#1234)
- Revert removal of transformResponse (text#1235)
- Bump prosemirror-view from 1.16.1 to 1.16.5 (text#1255)
- Bump @babel/preset-env from 7.12.1 to 7.12.11 (text#1257)
- Bump babel-loader from 8.1.0 to 8.2.2 (text#1259)
- Bump eslint-plugin-standard from 4.0.2 to 4.1.0 (text#1261)
- Bump vue-loader from 15.9.5 to 15.9.6 (text#1263)
- Bump prosemirror-model from 1.12.0 to 1.13.1 (text#1265)
- Bump core-js from 3.7.0 to 3.8.1 (text#1266)
- Bump stylelint from 13.7.2 to 13.8.0 (text#1269)
- Bump @babel/plugin-transform-runtime from 7.12.1 to 7.12.10 (text#1271)
- Bump sass-loader from 10.0.5 to 10.1.0 (text#1273)
- Bump webpack-merge from 5.3.0 to 5.7.2 (text#1274)
- Bump @babel/core from 7.12.3 to 7.12.10 (text#1277)
- Bump cypress from 5.1.0 to 5.6.0 (text#1278)
- Bump @vue/test-utils from 1.1.1 to 1.1.2 (text#1279)
- Bump webpack-merge from 5.7.2 to 5.7.3 (text#1303)
- The apache subpackage must require the main package, otherwise it will
not be uninstalled when the main package is uninstalled.
Update to 20.0.4
- Avoid dashboard crash when accessibility app is not installed
(server#24636)
- Bump ini from 1.3.5 to 1.3.7 (server#24649)
- Handle owncloud migration to latest release (server#24653)
- Use string for storing a OCM remote id (server#24654)
- Fix MySQL database size calculation (serverinfo#262)
- Bump cypress-io/github-action@v2 (viewer#722)
- Fix] sidebar opening animation (viewer#723)
- Fix not.exist cypress and TESTING checks (viewer#725)
- Put apache configuration files in separate subpackage.
- Use apache-rpm-macros for SUSE.
- Change oc_* macros to nc_* macros.
- Insert macro apache_serverroot also in cron files.
Update to 20.0.3
* Check quota of subdirectories when uploading to them (server#24181)
* CircleId too short in some request (server#24196)
* Missing level in ScopedPsrLogger (server#24212)
* Fix nextcloud logo in email notifications misalignment (server#24228)
* Allow selecting multiple columns with SELECT DISTINCT (server#24230)
* Use file name instead of path in 'not allowed to share' message
(server#24231)
* Fix setting images through occ for theming (server#24232)
* Use regex when searching on single file shares (server#24239)
* Harden EncryptionLegacyCipher a bit (server#24249)
* Update ScanLegacyFormat.php (server#24258)
* Simple typo in comments (server#24259)
* Use correct year for generated birthdays events (server#24263)
* Delete files that exceed trashbin size immediately (server#24297)
* Update sabre/xml to fix XML parsing errors (server#24311)
* Only check path for being accessible when the storage is a object home
(server#24325)
* Avoid empty null default with value that will be inserted anyways
(server#24333)
* Fix contacts menu position and show uid as a tooltip (server#24342)
* Fix the config key on the sharing expire checkbox (server#24346)
* Set the display name of federated sharees from addressbook (server#24353)
* Catch storage not available in versions expire command (server#24367)
* Use proper bundles for files client and fileinfo (server#24377)
* Properly encode path when fetching inherited shares (server#24387)
* Formatting remote sharer should take protocol, path into account
(server#24391)
* Make sure we add new line between vcf groups exports (server#24443)
* Fix public calendars shared to circles (server#24446)
* Store scss variables under a different prefix for each theming config
version (server#24453)
* External storages: save group ids not display names in configuration
(server#24455)
* Use correct l10n source in files_sharing JS code (server#24462)
* Set frame-ancestors to none if none are filled (server#24477)
* Move the password fiels of chaging passwords to post (server#24478)
* Move the global password for files external to post (server#24479)
* Only attempt to move to trash if a file is not in appdata (server#24483)
* Fix loading mtime of new file in conflict dialog in firefox
(server#24491)
* Harden setup check for TLS version if host is not reachable
(server#24502)
* Fix file size computation on 32bit platforms (server#24509)
* Allow subscription to indicate that a userlimit is reached (server#24511)
* Set mountid for personal external storage mounts (server#24513)
* Only execute plain mimetype check for directories and do the fallback���
(server#24517)
* Fix vsprint parameter (server#24527)
* Replace abandoned log normalizer with our fork (server#24530)
* Add icon to user limit notification (server#24531)
* Also run repair steps when encryption is disabled but a legacy key is
present (server#24532)
* [3rdparty][security] Archive TAR to 1.4.11 (server#24534)
* Generate a new session id if the decrypting the session data fails
(server#24553)
* Revert "Do not read certificate bundle from data dir by default"
(server#24556)
* Dont use system composer for autoload checker (server#24557)
* Remember me is not an app_password (server#24563)
* Do not load nonexisting setup.js (server#24582)
* Update sabre/xml to fix XML parsing errors (3rdparty#529)
* Use composer v1 on CI (3rdparty#532)
* Bump pear/archive_tar from 1.4.9 to 1.4.11 (3rdparty#536)
* Replace abandoned log normalizer with our fork (3rdparty#543)
* Allow nullable values as subject params (activity#535)
* Don't log when unknown array is null (notifications#803)
* Feat/virtual grid (photos#550)
* Make sure we have a string to localecompare to (photos#583)
* Always get recommendations for dashboard if enabled (recommendations#336)
* Properly fetch oracle database information (serverinfo#258)
* Also register to urlChanged event to update RichWorkspace (text#1181)
* Move away from GET (text#1214)
Update to 20.0.2
* CVE-2020-8293: Fixed input validation which allowed users to store
unlimited data in workflow rules (boo#1181445).
* CVE-2020-8294: Fixed a missing link validation (boo#1181803).
* Inidicate preview availability in share api responses (server#23419)
* CalDavBackend: check if timerange is array before accessing
(server#23563)
* Some emojis are in CHAR_CATEGORY_GENERAL_OTHER_TYPES (server#23575)
* Also expire share type email (server#23583)
* Only use index of mount point when it is there (server#23611)
* Only retry fetching app store data once every 5 minutes in case it fails
(server#23633)
* Bring back the restore share button (server#23636)
* Fix updates of NULL appconfig values (server#23641)
* Fix sharing input placeholder for emails (server#23646)
* Use bigint for fileid in filecache_extended (server#23690)
* Enable theming background transparency (server#23699)
* Fix sharer flag on ldap:show-remnants when user owned more than a single
share (server#23702)
* Make sure the function signatures of the backgroundjob match
(server#23710)
* Check if array elements exist before using them (server#23713)
* Fix default quota display value in user row (server#23726)
* Use lib instead if core as l10n module in OC_Files (server#23727)
* Specify accept argument to avatar upload input field (server#23732)
* Save email as lower case (server#23733)
* Reset avatar cropper before showing (server#23736)
* Also run the SabreAuthInitEvent for the main server (server#23745)
* Type the \OCP\IUserManager::callForAllUsers closure with Psalm
(server#23749)
* Type the \OCP\AppFramework\Services\IInitialState::provideLazyInitial���
(server#23751)
* Don't overwrite the event if we use it later (server#23753)
* Inform the user when flow config data exceeds thresholds (server#23759)
* Type the \OCP\IUserManager::callForSeenUsers closure with Psalm
(server#23763)
* Catch errors when closing file conflict dialog (server#23774)
* Document the backend registered events of LDAP (server#23779)
* Fetch the logger and system config once for all query builder instances
(server#23787)
* Type the event dispatcher listener callables with Psalm (server#23789)
* Only run phpunit when "php" changed (server#23794)
* Remove bold font-weight and lower font-size for empty search box
(server#23829)
* No need to check if there is an avatar available, because it is gener���
(server#23846)
* Ensure filepicker list is empty before populating (server#23850)
* UserStatus: clear status message if message is null (server#23858)
* Fix grid view toggle in tags view (server#23874)
* Restrict query when searching for versions of trashbin files
(server#23884)
* Fix potentially passing null to events where IUser is expected
(server#23894)
* Make user status styles scoped (server#23899)
* Move help to separate stylesheet (server#23900)
* Add default font size (server#23902)
* Do not emit UserCreatedEvent twice (server#23917)
* Bearer must be in the start of the auth header (server#23924)
* Fix casting of integer and boolean on Oracle (server#23935)
* Skip already loaded apps in loadApps (server#23948)
* Fix repair mimetype step to not leave stray cursors (server#23950)
* Improve query type detection (server#23951)
* Fix iLike() falsely turning escaped % and _ into wildcards (server#23954)
* Replace some usages of OC_DB in OC\Share\* with query builder
(server#23955)
* Use query builder instead of OC_DB in trashbin (server#23971)
* Fix greatest/least order for oracle (server#23975)
* Fix link share label placeholder not showing (server#23992)
* Unlock when promoting to exclusive lock fails (server#23995)
* Make sure root storage is valid before checking its size (server#23996)
* Use query builder instead of OC_DB in OC\Files\* (server#23998)
* Shortcut to avoid file system setup when generating the logo URL
(server#24001)
* Remove old legacy scripts references (server#24004)
* Fix js search in undefined ocs response (server#24012)
* Don't leave cursors open (server#24033)
* Fix sharing tab state not matching resharing admin settings
(server#24044)
* Run unit tests against oracle (server#24049)
* Use png icons in caldav reminder emails (server#24050)
* Manually iterate over calendardata when oracle is used (server#24058)
* Make is_user_defined nullable so we can store false on oracle
(server#24079)
* Fix default internal expiration date enforce (server#24081)
* Register new command db:add-missing-primary-keys (server#24106)
* Convert the card resource to a string if necessary (server#24114)
* Don't throw on SHOW VERSION query (server#24147)
* Bump dompurify to 2.2.2 (server#24153)
* Set up FS before querying storage info in settings (server#24156)
* Fix default internal expiration date (server#24159)
* CircleId too short in some request (server#24178)
* Revert "circleId too short in some request" (server#24183)
* Missing level in ScopedPsrLogger (server#24212)
* Fix activity spinner on empty activity (activity#523)
* Add OCI github action (activity#528)
* Disable download button by default (files_pdfviewer#257)
* Feat/dependabot ga/stable20 (firstrunwizard#442)
* Fix loading notifications without a message on oracle (notifications#796)
* Do not setup appdata in constructor to avoid errors causing the whole
instance to stop working (text#1105)
* Bump eslint-plugin-standard from 4.0.1 to 4.0.2 (text#1125)
* Bump sass-loader from 10.0.1 to 10.0.5 (text#1134)
* Bump webpack from 4.44.1 to 4.44.2 (text#1140)
* Bump dependencies to version in range (text#1164)
* Validate link on click (text#1166)
* Add migration to fix oracle issues with the database schema (text#1177)
* Bump cypress from 4.12.1 to 5.1.0 (text#1179)
* Fix URL escaping of shared files (viewer#681)
* Fix component click outside and cleanup structure (viewer#684)
Update to 20.0.1
No changelog from upstream at this time.
Update to 20.0.0
* Changes The three biggest features we introduce with Nextcloud 20 are:
- Our new dashboard provides a great starting point for the day with
over a dozen widgets ranging from Twitter and Github to Moodle and
Zammad already available
- Search was unified, bringing search results of Nextcloud apps as well
as external services like Gitlab, Jira and Discourse in one place
- Talk introduced bridging to other platforms including MS Teams, Slack,
IRC, Matrix and a dozen others
* Some other improvements we want to highlight include:
- Notifications and Activities were brought together, making sure you
won���t miss anything important
- We added a ���status��� setting so you can communicate to other
users what you are up to
- Talk also brings dashboard and search integration, emoji picker,
upload view, camera and microphone settings, mute and more
- Calendar integrates in dashboard and search, introduced a list view
and design improvements
- Mail introduces threaded view, mailbox management and more
- Deck integrates with dashboard and search, introduces Calendar
integration, modal view for card editing and series of smaller
improvements
- Flow adds push notification and webhooks so other web apps can
easily integrate with Nextcloud
- Text introduced direct linking to files in Nextcloud
- Files lets you add a description to public link shares
+ Read the full announcement on our blog
- NC-SA-2020-037
- CVE-2020-8295: Fixed Denial of service attack when resetting the
password for a user(boo#1181804)
- Update to 20.0.11
- Fix boo#1188247 - CVE-2021-32678: OCS API response ratelimits are not
applied
- Fix boo#1188248 - CVE-2021-32679: filenames where not escaped by default
in controllers using DownloadResponse
- Fix boo#1188249 - CVE-2021-32680: share expiration date wasn't properly
logged
- Fix boo#1188250 - CVE-2021-32688: lacking permission check with
application specific tokens
- Fix boo#1188251 - CVE-2021-32703: lack of ratelimiting on the shareinfo
endpoint
- Fix boo#1188252 - CVE-2021-32705: lack of ratelimiting on the public DAV
endpoint
- Fix boo#1188253 - CVE-2021-32725: default share permissions were not
being respected for federated reshares of files and folders
- Fix boo#1188254 - CVE-2021-32726: webauthn tokens were not deleted after
a user has been deleted
- Fix boo#1188255 - CVE-2021-32734: possible full path disclosure on
shared files
- Fix boo#1188256 - CVE-2021-32741: lack of ratelimiting on the public
share link mount endpoint
- Bump handlebars from 4.7.6 to 4.7.7 (server#26900)
- Bump lodash from 4.17.20 to 4.17.21 (server#26909)
- Bump hosted-git-info from 2.8.8 to 2.8.9 (server#26920)
- Don't break OCC if an app is breaking in it's Application class
(server#26954)
- Add bruteforce protection to the shareinfo endpoint (server#26956)
- Ignore readonly flag for directories (server#26965)
- Throttle MountPublicLinkController when share is not found (server#26971)
- Respect default share permissions for federated reshares (server#27001)
- Harden apptoken check (server#27014)
- Use parent wrapper to properly handle moves on the same source/target
storage (server#27016)
- Fix error when using CORS with no auth credentials (server#27027)
- Fix return value of getStorageInfo when 'quota_include_external_storage'
is enabled (server#27108)
- Bump patch dependencies (server#27183)
- Use noreply@ as email address for share emails (server#27209)
- Bump p-queue from 6.6.1 to 6.6.2 (server#27226)
- Bump browserslist from 4.14.0 to 4.16.6 (server#27247)
- Bump webpack from 4.44.1 to 4.44.2 (server#27297)
- Properly use limit and offset for search in Jail wrapper (server#27308)
- Make user:report command scale (server#27319)
- Properly log expiration date removal in audit log (server#27325)
- Propagate throttling on OCS response (server#27337)
- Set umask before operations that create local files (server#27349)
- Escape filename in Content-Disposition (server#27360)
- Don't update statuses to offline again and again (server#27412)
- Header must contain a colon (server#27456)
- Activate constraint check for oracle / pqsql also for 20 (server#27523)
- Only allow removing existing shares that would not be allowed due to
reshare restrictions (server#27552)
- Bump ws from 7.3.1 to 7.5.0 (server#27570)
- Properly cleanup entries of WebAuthn on user deletion (server#27596)
- Throttle on public DAV endpoint (server#27617)
- Bump vue-loader from 15.9.3 to 15.9.7 (server#27639)
- Bump eslint-plugin-standard from 4.0.1 to 4.0.2 (server#27651)
- Validate the theming color also on CLI (server#27680)
- Downstream encryption:fix-encrypted-version for repairing bad signature
errors (server#27728)
- Remove encodeURI code (files_pdfviewer#396)
- Only ask for permissions on HTTPS (notifications#998)
- Fix sorting if one of the file name is only composed with number
(photos#785)
- Backport 20 fix Photos not shown in large browser windows #630 (#686)
(photos#810)
- Update File.vue (photos#813)
- Update chart.js (serverinfo#309)
- Only return workspace property for top node in a propfind request
(text#1611)
- ViewerComponent: pass on autofocus to EditorWrapper (text#1647)
- Use text/plain as content type for fetching the document (text#1692)
- Log exceptions that happen on unknown exception and return generic
messages (text#1698)
- Add fixup (viewer#924)
- Fix: fullscreen for Firefox (viewer#929)
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 15.2:
zypper in -t patch openSUSE-2021-1068=1
- openSUSE Backports SLE-15-SP3:
zypper in -t patch openSUSE-2021-1068=1
- openSUSE Backports SLE-15-SP2:
zypper in -t patch openSUSE-2021-1068=1
- openSUSE Backports SLE-15-SP1:
zypper in -t patch openSUSE-2021-1068=1
Package List:
- openSUSE Leap 15.2 (noarch):
nextcloud-20.0.11-lp152.3.9.1
nextcloud-apache-20.0.11-lp152.3.9.1
- openSUSE Backports SLE-15-SP3 (noarch):
nextcloud-20.0.11-bp153.2.3.1
nextcloud-apache-20.0.11-bp153.2.3.1
- openSUSE Backports SLE-15-SP2 (noarch):
nextcloud-20.0.11-bp152.2.9.1
nextcloud-apache-20.0.11-bp152.2.9.1
- openSUSE Backports SLE-15-SP1 (noarch):
nextcloud-20.0.11-bp151.3.15.1
nextcloud-apache-20.0.11-bp151.3.15.1
References:
https://www.suse.com/security/cve/CVE-2020-8293.html
https://www.suse.com/security/cve/CVE-2020-8294.html
https://www.suse.com/security/cve/CVE-2020-8295.html
https://www.suse.com/security/cve/CVE-2021-32678.html
https://www.suse.com/security/cve/CVE-2021-32679.html
https://www.suse.com/security/cve/CVE-2021-32680.html
https://www.suse.com/security/cve/CVE-2021-32688.html
https://www.suse.com/security/cve/CVE-2021-32703.html
https://www.suse.com/security/cve/CVE-2021-32705.html
https://www.suse.com/security/cve/CVE-2021-32725.html
https://www.suse.com/security/cve/CVE-2021-32726.html
https://www.suse.com/security/cve/CVE-2021-32734.html
https://www.suse.com/security/cve/CVE-2021-32741.html
https://bugzilla.suse.com/1181445
https://bugzilla.suse.com/1181803
https://bugzilla.suse.com/1181804
https://bugzilla.suse.com/1188247
https://bugzilla.suse.com/1188248
https://bugzilla.suse.com/1188249
https://bugzilla.suse.com/1188250
https://bugzilla.suse.com/1188251
https://bugzilla.suse.com/1188252
https://bugzilla.suse.com/1188253
https://bugzilla.suse.com/1188254
https://bugzilla.suse.com/1188255
https://bugzilla.suse.com/1188256
1
0
openSUSE-SU-2021:2415-1: important: Security update for the Linux Kernel
by opensuse-security@opensuse.org 20 Jul '21
by opensuse-security@opensuse.org 20 Jul '21
20 Jul '21
openSUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________
Announcement ID: openSUSE-SU-2021:2415-1
Rating: important
References: #1188062 #1188116
Cross-References: CVE-2021-22555 CVE-2021-33909
CVSS scores:
CVE-2021-22555 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE-2021-22555 (SUSE): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE-2021-33909 (SUSE): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected Products:
openSUSE Leap 15.3
______________________________________________________________________________
An update that fixes two vulnerabilities is now available.
Description:
The SUSE Linux Enterprise 15 SP3 kernel was updated to receive various
security and bugfixes.
Security issues fixed:
- CVE-2021-22555: A heap out-of-bounds write was discovered in
net/netfilter/x_tables.c (bnc#1188116).
- CVE-2021-33909: Extremely large seq buffer allocations in seq_file could
lead to buffer underruns and code execution (bsc#1188062).
The following non-security bugs were fixed:
- usb: dwc3: Fix debugfs creation flow (git-fixes).
Special Instructions and Notes:
Please reboot the system after installing this update.
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 15.3:
zypper in -t patch openSUSE-SLE-15.3-2021-2415=1
Package List:
- openSUSE Leap 15.3 (aarch64 ppc64le s390x x86_64):
cluster-md-kmp-default-5.3.18-59.16.1
cluster-md-kmp-default-debuginfo-5.3.18-59.16.1
dlm-kmp-default-5.3.18-59.16.1
dlm-kmp-default-debuginfo-5.3.18-59.16.1
gfs2-kmp-default-5.3.18-59.16.1
gfs2-kmp-default-debuginfo-5.3.18-59.16.1
kernel-default-5.3.18-59.16.1
kernel-default-base-5.3.18-59.16.1.18.8.1
kernel-default-base-rebuild-5.3.18-59.16.1.18.8.1
kernel-default-debuginfo-5.3.18-59.16.1
kernel-default-debugsource-5.3.18-59.16.1
kernel-default-devel-5.3.18-59.16.1
kernel-default-devel-debuginfo-5.3.18-59.16.1
kernel-default-extra-5.3.18-59.16.1
kernel-default-extra-debuginfo-5.3.18-59.16.1
kernel-default-livepatch-5.3.18-59.16.1
kernel-default-livepatch-devel-5.3.18-59.16.1
kernel-default-optional-5.3.18-59.16.1
kernel-default-optional-debuginfo-5.3.18-59.16.1
kernel-obs-build-5.3.18-59.16.1
kernel-obs-build-debugsource-5.3.18-59.16.1
kernel-obs-qa-5.3.18-59.16.1
kernel-syms-5.3.18-59.16.1
kselftests-kmp-default-5.3.18-59.16.1
kselftests-kmp-default-debuginfo-5.3.18-59.16.1
ocfs2-kmp-default-5.3.18-59.16.1
ocfs2-kmp-default-debuginfo-5.3.18-59.16.1
reiserfs-kmp-default-5.3.18-59.16.1
reiserfs-kmp-default-debuginfo-5.3.18-59.16.1
- openSUSE Leap 15.3 (ppc64le x86_64):
kernel-debug-5.3.18-59.16.1
kernel-debug-debuginfo-5.3.18-59.16.1
kernel-debug-debugsource-5.3.18-59.16.1
kernel-debug-devel-5.3.18-59.16.1
kernel-debug-devel-debuginfo-5.3.18-59.16.1
kernel-debug-livepatch-devel-5.3.18-59.16.1
kernel-kvmsmall-5.3.18-59.16.1
kernel-kvmsmall-debuginfo-5.3.18-59.16.1
kernel-kvmsmall-debugsource-5.3.18-59.16.1
kernel-kvmsmall-devel-5.3.18-59.16.1
kernel-kvmsmall-devel-debuginfo-5.3.18-59.16.1
kernel-kvmsmall-livepatch-devel-5.3.18-59.16.1
- openSUSE Leap 15.3 (aarch64 x86_64):
cluster-md-kmp-preempt-5.3.18-59.16.1
cluster-md-kmp-preempt-debuginfo-5.3.18-59.16.1
dlm-kmp-preempt-5.3.18-59.16.1
dlm-kmp-preempt-debuginfo-5.3.18-59.16.1
gfs2-kmp-preempt-5.3.18-59.16.1
gfs2-kmp-preempt-debuginfo-5.3.18-59.16.1
kernel-preempt-5.3.18-59.16.1
kernel-preempt-debuginfo-5.3.18-59.16.1
kernel-preempt-debugsource-5.3.18-59.16.1
kernel-preempt-devel-5.3.18-59.16.1
kernel-preempt-devel-debuginfo-5.3.18-59.16.1
kernel-preempt-extra-5.3.18-59.16.1
kernel-preempt-extra-debuginfo-5.3.18-59.16.1
kernel-preempt-livepatch-devel-5.3.18-59.16.1
kernel-preempt-optional-5.3.18-59.16.1
kernel-preempt-optional-debuginfo-5.3.18-59.16.1
kselftests-kmp-preempt-5.3.18-59.16.1
kselftests-kmp-preempt-debuginfo-5.3.18-59.16.1
ocfs2-kmp-preempt-5.3.18-59.16.1
ocfs2-kmp-preempt-debuginfo-5.3.18-59.16.1
reiserfs-kmp-preempt-5.3.18-59.16.1
reiserfs-kmp-preempt-debuginfo-5.3.18-59.16.1
- openSUSE Leap 15.3 (aarch64):
cluster-md-kmp-64kb-5.3.18-59.16.1
cluster-md-kmp-64kb-debuginfo-5.3.18-59.16.1
dlm-kmp-64kb-5.3.18-59.16.1
dlm-kmp-64kb-debuginfo-5.3.18-59.16.1
gfs2-kmp-64kb-5.3.18-59.16.1
gfs2-kmp-64kb-debuginfo-5.3.18-59.16.1
kernel-64kb-5.3.18-59.16.1
kernel-64kb-debuginfo-5.3.18-59.16.1
kernel-64kb-debugsource-5.3.18-59.16.1
kernel-64kb-devel-5.3.18-59.16.1
kernel-64kb-devel-debuginfo-5.3.18-59.16.1
kernel-64kb-extra-5.3.18-59.16.1
kernel-64kb-extra-debuginfo-5.3.18-59.16.1
kernel-64kb-livepatch-devel-5.3.18-59.16.1
kernel-64kb-optional-5.3.18-59.16.1
kernel-64kb-optional-debuginfo-5.3.18-59.16.1
kselftests-kmp-64kb-5.3.18-59.16.1
kselftests-kmp-64kb-debuginfo-5.3.18-59.16.1
ocfs2-kmp-64kb-5.3.18-59.16.1
ocfs2-kmp-64kb-debuginfo-5.3.18-59.16.1
reiserfs-kmp-64kb-5.3.18-59.16.1
reiserfs-kmp-64kb-debuginfo-5.3.18-59.16.1
- openSUSE Leap 15.3 (noarch):
kernel-devel-5.3.18-59.16.1
kernel-docs-5.3.18-59.16.1
kernel-docs-html-5.3.18-59.16.1
kernel-macros-5.3.18-59.16.1
kernel-source-5.3.18-59.16.1
kernel-source-vanilla-5.3.18-59.16.1
- openSUSE Leap 15.3 (s390x):
kernel-zfcpdump-5.3.18-59.16.1
kernel-zfcpdump-debuginfo-5.3.18-59.16.1
kernel-zfcpdump-debugsource-5.3.18-59.16.1
References:
https://www.suse.com/security/cve/CVE-2021-22555.html
https://www.suse.com/security/cve/CVE-2021-33909.html
https://bugzilla.suse.com/1188062
https://bugzilla.suse.com/1188116
1
0
openSUSE-SU-2021:2414-1: important: Security update for caribou
by opensuse-security@opensuse.org 20 Jul '21
by opensuse-security@opensuse.org 20 Jul '21
20 Jul '21
openSUSE Security Update: Security update for caribou
______________________________________________________________________________
Announcement ID: openSUSE-SU-2021:2414-1
Rating: important
References: #1186617 #1187112
Cross-References: CVE-2021-3567
CVSS scores:
CVE-2021-3567 (SUSE): 7.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected Products:
openSUSE Leap 15.3
______________________________________________________________________________
An update that solves one vulnerability and has one errata
is now available.
Description:
This update for caribou fixes the following issues:
Security issue fixed:
- CVE-2021-3567: Fixed a segfault when attempting to use shifted
characters (bsc#1186617).
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 15.3:
zypper in -t patch openSUSE-SLE-15.3-2021-2414=1
Package List:
- openSUSE Leap 15.3 (aarch64 ppc64le s390x x86_64):
caribou-0.4.21-12.5.1
caribou-common-0.4.21-12.5.1
caribou-debuginfo-0.4.21-12.5.1
caribou-debugsource-0.4.21-12.5.1
caribou-devel-0.4.21-12.5.1
caribou-gtk-module-common-0.4.21-12.5.1
caribou-gtk2-module-0.4.21-12.5.1
caribou-gtk2-module-debuginfo-0.4.21-12.5.1
caribou-gtk3-module-0.4.21-12.5.1
caribou-gtk3-module-debuginfo-0.4.21-12.5.1
libcaribou0-0.4.21-12.5.1
libcaribou0-debuginfo-0.4.21-12.5.1
typelib-1_0-Caribou-1_0-0.4.21-12.5.1
- openSUSE Leap 15.3 (noarch):
caribou-lang-0.4.21-12.5.1
References:
https://www.suse.com/security/cve/CVE-2021-3567.html
https://bugzilla.suse.com/1186617
https://bugzilla.suse.com/1187112
1
0