openSUSE Security Announce
April 2023
- 1 participants
- 10 discussions

openSUSE-SU-2023:0097-1: important: Security update for stellarium
by opensuse-security@opensuse.org 27 Apr '23
openSUSE Security Update: Security update for stellarium
______________________________________________________________________________
Announcement ID: openSUSE-SU-2023:0097-1
Rating: important
References: #1209285
Cross-References: CVE-2023-28371
CVSS scores:
CVE-2023-28371 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Products:
openSUSE Backports SLE-15-SP4
______________________________________________________________________________
An update that fixes one vulnerability is now available.
Description:
This update for stellarium fixes the following issues:
- CVE-2023-28371: Fixed arbitrary file write issue. (boo#1209285)
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Backports SLE-15-SP4:
zypper in -t patch openSUSE-2023-97=1
Package List:
- openSUSE Backports SLE-15-SP4 (aarch64 ppc64le s390x x86_64):
stellarium-0.21.2-bp154.2.3.1
References:
https://www.suse.com/security/cve/CVE-2023-28371.html
https://bugzilla.suse.com/1209285

openSUSE-SU-2023:0096-1: important: Security update for liferea
by opensuse-security@opensuse.org 27 Apr '23
openSUSE Security Update: Security update for liferea
______________________________________________________________________________
Announcement ID: openSUSE-SU-2023:0096-1
Rating: important
References: #1193579 #1209190
Cross-References: CVE-2023-1350
CVSS scores:
CVE-2023-1350 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2023-1350 (SUSE): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products:
openSUSE Backports SLE-15-SP4
______________________________________________________________________________
An update that solves one vulnerability and has one errata
is now available.
Description:
liferea was updated to version 1.14.1:
+ Fix CVE-2023-1350 - Remote code execution on feed enrichment
(boo#1209190).
Update to version 1.14.0:
+ New 'Reader mode' preference that allows stripping all web content
+ Implement support for Webkits Intelligent Tracking Protection
+ New progress bar when loading websites
+ Youtube videos from media:video can be embedded now with a click on the
video preview picture.
+ Changes to UserAgent handling: same UA is now used for both feed
fetching and internal browsing.
+ New view mode 'Automatic' which switches between 'Normal' and 'Wide'
mode based on the window proportions.
+ Liferea now supports the new GTK dark theme logic, where in the
GTK/GNOME preferences you define whether you "prefer" dark mode or light
mode
+ Favicon discovery improvements: now detects all types of Apple Touch
Icons, MS Tile Images and Safari Mask Icons
+ Increase size of stored favicons to 128x128px to improve icon quality in
3-pane wide view.
+ Make several plugins support gettext
+ Allow multiple feeds in same libnotify notification
+ Redesign of the update message in the status bar. It now shows a update
counter of the feeds being in update.
+ You can now export a feed to XML file
+ Added an option to show news bins in reduced feed list
+ Added menu option to send item per mail
+ Default to https:// instead of http:// when user doesn't provide
protocol on subscribing feed
+ Implement support for subscribing to LD+Json metadata listings e.g.
concert or theater event listings
+ Implement support for subscribing to HTML5 websites
+ Support for media:description field of Youtube feeds
+ Improve HTML5 extraction: extract main tag if it exists and no article
was found.
+ Execute feed pipe/filter commands asynchronously
+ Better explanation of feed update errors.
+ Added generic Google Reader API support (allows using FeedHQ, FreshRSS,
Miniflux...)
+ Now allow converting TinyTinyRSS subscriptions to local subscriptions
+ New search folder rule to match podcasts
+ New search folder rule to match headline authors
+ New search folder rule to match subscription source
+ New search folder rule to match parent folder name
+ New search folder property that allows hiding read items
+ Now search folders are automatically rebuilt when rules are changed
+ Added new plugin 'add-bookmark-site' that allows to configure a custom
bookmarking site.
+ Added new plugin 'getfocus' that adds transparency on the feed list when
it is not focussed.
+ Trayicon plugin has now a configuration option to change the behaviour
when closing Liferea.
+ Trayicon plugin has now an option to disable minimizing to tray
+ New hot key Ctrl-D for 'Open in External Browser'
+ New hot key F10 for headerbar plugin to allow triggering the hamburger
menu
+ New hot key Ctrl-0 to reset zoom
+ New hot key Ctrl-O to open enclosures
+ Fix hidden panes, Liferea will never allow the panes to be smaller than
5% in height or width
+ Wait for network to be fully available before updating
+ 2-pane mode was removed
+ Dropped CDF channel support
+ Dropped Atom 0.2/0.3 (aka Pie) support
+ Dropped blogChannel namespace support
+ Dropped photo namespace support
- Require python3-cairo; needed for tray icon (boo#1193579).
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Backports SLE-15-SP4:
zypper in -t patch openSUSE-2023-96=1
Package List:
- openSUSE Backports SLE-15-SP4 (aarch64 i586 ppc64le s390x x86_64):
liferea-1.14.1-bp154.2.3.1
liferea-debuginfo-1.14.1-bp154.2.3.1
liferea-debugsource-1.14.1-bp154.2.3.1
- openSUSE Backports SLE-15-SP4 (noarch):
liferea-lang-1.14.1-bp154.2.3.1
References:
https://www.suse.com/security/cve/CVE-2023-1350.html
https://bugzilla.suse.com/1193579
https://bugzilla.suse.com/1209190

openSUSE-SU-2023:0093-1: important: Security update for chromium
by opensuse-security@opensuse.org 24 Apr '23
openSUSE Security Update: Security update for chromium
______________________________________________________________________________
Announcement ID: openSUSE-SU-2023:0093-1
Rating: important
References: #1210618
Cross-References: CVE-2023-2133 CVE-2023-2134 CVE-2023-2135
CVE-2023-2136 CVE-2023-2137
Affected Products:
openSUSE Backports SLE-15-SP4
______________________________________________________________________________
An update that fixes 5 vulnerabilities is now available.
Description:
This update for chromium fixes the following issues:
Chromium 112.0.5615.165 (boo#1210618):
* CVE-2023-2133: Out of bounds memory access in Service Worker API
* CVE-2023-2134: Out of bounds memory access in Service Worker API
* CVE-2023-2135: Use after free in DevTools
* CVE-2023-2136: Integer overflow in Skia
* CVE-2023-2137: Heap buffer overflow in sqlite
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Backports SLE-15-SP4:
zypper in -t patch openSUSE-2023-93=1
Package List:
- openSUSE Backports SLE-15-SP4 (aarch64 x86_64):
chromedriver-112.0.5615.165-bp154.2.84.1
chromedriver-debuginfo-112.0.5615.165-bp154.2.84.1
chromium-112.0.5615.165-bp154.2.84.1
chromium-debuginfo-112.0.5615.165-bp154.2.84.1
References:
https://www.suse.com/security/cve/CVE-2023-2133.html
https://www.suse.com/security/cve/CVE-2023-2134.html
https://www.suse.com/security/cve/CVE-2023-2135.html
https://www.suse.com/security/cve/CVE-2023-2136.html
https://www.suse.com/security/cve/CVE-2023-2137.html
https://bugzilla.suse.com/1210618

openSUSE-SU-2023:0092-1: important: Security update for chromium
by opensuse-security@opensuse.org 19 Apr '23
openSUSE Security Update: Security update for chromium
______________________________________________________________________________
Announcement ID: openSUSE-SU-2023:0092-1
Rating: important
References: #1210126 #1210478
Cross-References: CVE-2023-1810 CVE-2023-1811 CVE-2023-1812
CVE-2023-1813 CVE-2023-1814 CVE-2023-1815
CVE-2023-1816 CVE-2023-1817 CVE-2023-1818
CVE-2023-1819 CVE-2023-1820 CVE-2023-1821
CVE-2023-1822 CVE-2023-1823 CVE-2023-2033
CVSS scores:
CVE-2023-1810 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2023-1811 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2023-1812 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2023-1813 (NVD) : 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
CVE-2023-1814 (NVD) : 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
CVE-2023-1815 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2023-1816 (NVD) : 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
CVE-2023-1817 (NVD) : 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
CVE-2023-1818 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2023-1819 (NVD) : 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
CVE-2023-1820 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2023-1821 (NVD) : 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
CVE-2023-1822 (NVD) : 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
CVE-2023-1823 (NVD) : 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
CVE-2023-2033 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products:
openSUSE Backports SLE-15-SP4
______________________________________________________________________________
An update that fixes 15 vulnerabilities is now available.
Description:
This update for chromium fixes the following issues:
- Chromium 112.0.5615.121:
* CVE-2023-2033: Type Confusion in V8 (boo#1210478)
- Chromium 112.0.5615.49
* CSS now supports nesting rules.
* The algorithm to set the initial focus on <dialog> elements was
updated.
* No-op fetch() handlers on service workers are skipped from now on to
make navigations faster
* The setter for document.domain is now deprecated.
* The recorder in devtools can now record with pierce selectors.
* Security fixes (boo#1210126):
* CVE-2023-1810: Heap buffer overflow in Visuals
* CVE-2023-1811: Use after free in Frames
* CVE-2023-1812: Out of bounds memory access in DOM Bindings
* CVE-2023-1813: Inappropriate implementation in Extensions
* CVE-2023-1814: Insufficient validation of untrusted input in Safe
Browsing
* CVE-2023-1815: Use after free in Networking APIs
* CVE-2023-1816: Incorrect security UI in Picture In Picture
* CVE-2023-1817: Insufficient policy enforcement in Intents
* CVE-2023-1818: Use after free in Vulkan
* CVE-2023-1819: Out of bounds read in Accessibility
* CVE-2023-1820: Heap buffer overflow in Browser History
* CVE-2023-1821: Inappropriate implementation in WebShare
* CVE-2023-1822: Incorrect security UI in Navigation
* CVE-2023-1823: Inappropriate implementation in FedCM
- Chromium 111.0.5563.147:
* nth-child() validation performance regression for SAP apps
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Backports SLE-15-SP4:
zypper in -t patch openSUSE-2023-92=1
Package List:
- openSUSE Backports SLE-15-SP4 (aarch64 x86_64):
chromedriver-112.0.5615.121-bp154.2.79.1
chromium-112.0.5615.121-bp154.2.79.1
References:
https://www.suse.com/security/cve/CVE-2023-1810.html
https://www.suse.com/security/cve/CVE-2023-1811.html
https://www.suse.com/security/cve/CVE-2023-1812.html
https://www.suse.com/security/cve/CVE-2023-1813.html
https://www.suse.com/security/cve/CVE-2023-1814.html
https://www.suse.com/security/cve/CVE-2023-1815.html
https://www.suse.com/security/cve/CVE-2023-1816.html
https://www.suse.com/security/cve/CVE-2023-1817.html
https://www.suse.com/security/cve/CVE-2023-1818.html
https://www.suse.com/security/cve/CVE-2023-1819.html
https://www.suse.com/security/cve/CVE-2023-1820.html
https://www.suse.com/security/cve/CVE-2023-1821.html
https://www.suse.com/security/cve/CVE-2023-1822.html
https://www.suse.com/security/cve/CVE-2023-1823.html
https://www.suse.com/security/cve/CVE-2023-2033.html
https://bugzilla.suse.com/1210126
https://bugzilla.suse.com/1210478

openSUSE-SU-2023:0090-1: important: Security update for nextcloud-desktop
by opensuse-security@opensuse.org 13 Apr '23
openSUSE Security Update: Security update for nextcloud-desktop
______________________________________________________________________________
Announcement ID: openSUSE-SU-2023:0090-1
Rating: important
References: #1201070 #1205798 #1205799 #1205800 #1205801
#1207976
Cross-References: CVE-2022-39331 CVE-2022-39332 CVE-2022-39333
CVE-2022-39334 CVE-2023-23942
CVSS scores:
CVE-2022-39331 (NVD) : 5.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CVE-2022-39332 (NVD) : 5.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CVE-2022-39333 (NVD) : 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVE-2022-39334 (NVD) : 3.9 CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
CVE-2023-23942 (NVD) : 5.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Affected Products:
openSUSE Backports SLE-15-SP4
______________________________________________________________________________
An update that solves 5 vulnerabilities and has one errata
is now available.
Description:
This update for nextcloud-desktop fixes the following issues:
nextcloud-desktop was updated to 3.8.0:
- Resize WebView widget once the loginpage rendered
- Feature/secure file drop
- Check German translation for wrong wording
- L10n: Correct word
- Fix displaying of file details button for local syncfileitem activities
- Improve config upgrade warning dialog
- Only accept folder setup page if overrideLocalDir is set
- Update CHANGELOG.
- Prevent ShareModel crash from accessing bad pointers
- Bugfix/init value for pointers
- Log to stdout when built in Debug config
- Clean up account creation and deletion code
- L10n: Added dot to end of sentence
- L10n: Fixed grammar
- Fix "Create new folder" menu entries in settings not working correctly
on macOS
- Ci/clang tidy checks init variables
- Fix share dialog infinite loading
- Fix edit locally job not finding the user account: wrong user id
- Skip e2e encrypted files with empty filename in metadata
- Use new connect syntax
- Fix avatars not showing up in settings dialog account actions until
clicked on
- Always discover blacklisted folders to avoid data loss when modifying
selectivesync list.
- Fix infinite loading in the share dialog when public link shares are
disabled on the server
- With cfapi when dehydrating files add missing flag
- Fix text labels in Sync Status component
- Display 'Search globally' as the last sharees list element
- Fix display of 2FA notification.
- Bugfix/do not restore virtual files
- Show server name in tray main window
- Add Ubuntu Lunar
- Debian build classification 'beta' cannot override 'release'.
- Update changelog
- Follow shouldNotify flag to hide notifications when needed
- Bugfix/stop after creating config file
- E2EE cut extra zeroes from decrypted byte array.
- When local sync folder is overridden, respect this choice
- Feature/e2ee fixes
- This also fixes security issues:
- (boo#1205798, CVE-2022-39331)
- Arbitrary HyperText Markup Language injection in notifications
- (boo#1205799, CVE-2022-39332)
- Arbitrary HyperText Markup Language injection in user status and
information
- (boo#1205800, CVE-2022-39333)
- Arbitrary HyperText Markup Language injection in desktop client
application
- (boo#1205801, CVE-2022-39334)
- Client incorrectly trusts invalid TLS certificates
- (boo#1207976, CVE-2023-23942)
- missing sanitisation on qml labels leading to javascript injection
- Update to 3.7.4
- check German translation for wrong wording
- Fix "Create new folder" menu entries in settings not working correctly
on macOS
- Clean up account creation and deletion code
- Fix share dialog infinite loading
- fix edit locally job not finding the user account: wrong user id
- skip e2e encrypted files with empty filename in metadata
- Always discover blacklisted folders to avoid data loss when modifying
selectivesync list.
- use new connect syntax
- with cfapi when dehydrating files add missing flag
- Fix avatars not showing up in settings dialog account actions until
clicked on
- Fix text labels in Sync Status component
- Fix infinite loading in the share dialog when public link shares are
disabled on the server
- Ci/clang tidy checks init variables
- Display 'Search globally' as the last sharees list element
- Resize WebView widget once the loginpage rendered
- Bugfix/do not restore virtual files
- Fix display of 2FA notification.
- Update to 3.7.3
- Revert "Fix(l10n): capital_abcd Update translations from Transifex"
- Revert "Fix(l10n): capital_abcd Update translations from Transifex"
- Revert "Fix(l10n): capital_abcd Update translations from Transifex"
- Update to 3.7.2
- No regular changelog from upstream. See instead:
https://github.com/nextcloud/desktop/compare/v3.7.1...v3.7.2
- Update to 3.7.1
- Backport/5393/stable 3.7 by @mgallien in #5403
- Fix wrong estimated time when doing sync. in #4902
- Bugfix/selective sync abort error in #4903
- Set UnifiedSearchResultNothingFound visibility less messily in #4751
- Clean up QML type and singleton registration in #4817
- Simplify activity list delegates by making them ItemDelegates, clean
up in #4786
- Improve activity list highlighting/keyboard item selection in #4781
- Replace private API QZipWriter with KArchive in #4768
- makes Qt WebEngine optional only on macOS in #4875
- Bugfix/conflict resolution when selecting folder in #4914
- Fix fileactivitylistmodel QML registration in #4920
- Updated link to documentation in #4792
- Fix menu bar height calculation on macOS in #4917
- Fix ActivityItem activityHover error in #4921
- Fix add account window text clipping, enlarge text in #4910
- Accept valid lsColJob reply XML content types in #4919
- Fix low-resolution file changed overlay icons in activities in #4930
- Refactor ActivityListModel population mechanisms in #4736
- Make account setup wizard's adjustWizardSize resize to current page
size instead of largest wizard page in #4911
- Deallocate call notification dialog objects when closed by @claucambra
in #4939
- Ensure that the file being processed has had its etag properly
sanitised, log etag more in #4940
- Feature/syncjournaldb handle errors in #4819
- Do not format text in QML components as HTML in #4944
- Fix two factor auth notification: activity item was disabled. in #4961
- Add a placeholder item for empty activity list in #4959
- Ensure strings in main window QML are presented as plain text and not
HTML by @claucambra in #4972
- Improve handling of file name clashes by @claucambra in #4970
- Add a QSortFilterProxyModel-based SortedActivityListModel by
@claucambra in #4933
- Bring back .lnk files on Windows and always treat them as non-virtual
files. by @allexzander in #4968
- Fix two factor authentication notification by @camilasan in #4967
- Ensure placeholder message in emoji picker wraps correctly in #4960
- Make activity action button an actual button, clean up contents in
#4784
- Improve the error box QML component in #4976
- Fix 'Reply' primary property. in #4985
- Fix sync progress bar colours in dark mode in #4986
- Fix predefined status text formatting in #4987
- Don't set up tray context menu on macOS, even if not building app
bundle in #4988
- Ci/check clang tidy in ci in #4995
- check our code with clang-tidy in #4999
- always use constexpr for all text constants in #4996
- avoid possibly crashing static_cast in #4994
- switch AppImage CI to latest tag: client-appimage-6 in #5003
- configure a list of checks for clang-tidy in #5004
- Fix link shares default expire date being enforced as maximum expire
date even when maximum date enforcement is disabled on the server in
#4982
- apply modernize-use-using via clang-tidy in #4993
- Ci/use no discard in #4992
- Fix files not unlocking after lock time expired in #4962
- Update client image in #5002
- let's check the format via some github action in #4991
- Feature/vfs windows sharing and lock state in #4942
- Update after tx migrate in #5019
- Improve 'Handle local file editing' feature. Add loading popup. Add
force sync before opening a file. in #4990
- Command-line client. Do not trust SSL certificates by default, unless
'--trust' option is set. in #5022
- Bugfix/files lock fail metadata in #5024
- do not ignore return value in #4998
- improve logs when adding sync errors in activity list of main dialog
in #5032
- Fix invisible user status selector button not being checked when user
is in Offline mode in #5012
- use correct version comparison on NSIS updater: fix update from rc in
#4979
- Bugfix/check token for edit locally requests in #5039
- Fix the dismiss button: display it whenever possible. in #4989
- Fix account not found when doing local file editing. in #5040
- Improve "pretty user name"-related strings, display in webflow
credentials in #5013
- Update CHANGELOG with 3.6.1 changes. in #5066
- Fix call notification dialog buttons in #5074
- validate certificate for E2EE against private key in #4949
- emit missing signal to update folder sync status icon in #5087
- Update CMake usage in README build instructions in #5086
- Clean up methods in sync engine in #5071
- Make Systray's void methods slots in #5042
- Remove unneeded parameter from CleanupPollsJob constructor in #5070
- Add a 'Sync now' button to the sync status header in the tray window
in #5018
- Modernise and improve code in AccountManager in #5026
- Fix macOS autoupdater settings in #5102
- Validate and sanitise edit locally token and relpath before sending to
server in #5093
- Refactor FolderMan's "Edit Locally" capabilities as separate class in
#5107
- Modernise and improve code in AccountSettings in #5027
- Fix compatibility with newer python3-nautilus in #5105
- Only show Sync Now button if account is connected in #5097
- use new public API to open an edit locally URL in #5116
- Add a new file details window, unify file activity and sharing in #4929
- E2EE. Do not generate keypair without user request. in #5067
- Fix incorrect current user index when adding or removing a user
account. Also fix incorrect user avatar lookup by id. in #5092
- Remove unused internal link widget from old share dialog in #5123
- Use separate variable for cfg file name in CMAKE. in #5136
- Bugfix/delete folders during propagation even when propagation has
errors in #5104
- Remove unused app pointer in CocoaInitializer in #5127
- Ensure 'Sync now' button doesn't have its text elided in #5129
- Fix share delegate button icon colors in dark mode in #5132
- Do not use copy-assignment of QDialog. in #5148
- Remove unused remotePath in User::processCompletedSyncItem in #5118
- Make user status selector modal, show user header in #5145
- properly escape a path when creating a test file during tests in #5151
- Add support cmake unity build in #5109
- Fix typo of connector in #5157
- fully qualify types in signals and slots in #5088
- Remove reference to inexistent property in NCCustomButton in #5173
- Fix ActivityList delegate warnings in #5172
- Ensure forcing a folder to be synced unpauses syncing on said folder
in #5152
- switch back to upstream craft in #5178
- fix renaming of folders with a deep hierarchy inside them in #5182
- fix instances of: c++11 range-loop might detach Qt container warnings
in #5089
- Implement context menu entry "Leave this share" in #5081
- check that we update local file mtime on changes from server in #5188
- Add end-to-end tests to our CI in #5124
- Modernize the Dolphin action plugin in #5192
- Ci/do not modify configuration file duringtests in #5200
- cmake: Use FindPkgConfig's pkg_get_variable instead of custom macro in
#5199
- Fix tray window margins, stop cutting into window border in #5202
- fix regressions on pinState management when doing renames in #520
- Fix bad custom button alignments, sizings, etc. in #5189
- Ci/do not override configuration file in #5206
- Clearly tell user that E2EE has been enabled for an account in #5164
- Fix CfApiShellExtensionsIPCTest in #5209
- l10n: Fixed grammar in #5220
- Prevent bad encrypting of folder if E2EE has not been correctly set up
in #5223
- Remove close/dismiss button from encryption message in #5163
- Update macOS shell integration deployment targets in #5227
- Bugfix/case cash conflicts should not terminate sync in #5224
- Differentiate between E2EE not being enabled at all vs. E2EE being
enabled already through another device in account settings message in
#5179
- Ensure more QML text components are rendering things as plain text in
#5231
- l10n: Correct spelling in #5221
- Make use of plain text-enforcing qml labels in #5233
- Feature/edit file locally restart sync in #5175
- Fix CI errors for Edit Locally. in #5241
- Lock file when editing locally in #5226
- Format some QLabels as plain text in #5247
- do not create GUI from a random thread and show error on real error in
#5253
- Fix BasicComboBox internal layout in #5216
- Explicitly size and align user status selector text input to avoid
bugs with alternate QtQuick styles in #5214
- do not use bulk upload for e2ee files in #5256
- Only show mnemonic request dialog when user explicitly wants to enable
E2EE in #5181
- Replace share settings popup with a page on a StackView in #5194
- Add interactive NC Talk notifications on macOS in #5143
- Show file details within the tray dialog, rather than in a separate
dialog in #5139
- Silence sync termination errors when running EditLocallyJob. in #5261
- Fix typo in #5257
- Add an "Encrypt" menu entry in file browser context menu for folders
in #5263
- Add a nix flake for easy building and dev environments in #5007
- Add an internal link share to the share dialog in #5131
- Avoid the Get-Task-Allow Entitlement (macOS Notarization) in #5274
- sets a fixed version for pixman when building desktop client via Craft
in #5269
- Fix SyncEngineTest failure when localstate is destroyed. in #5273
- Feature/remove obsolete names in #5271
- Remove unused HeaderBanner component in #5245
- Feature/do not sync enc folders if e2ee is not setup in #5258
- fix migration from old settings configuration files in #5141
- Use QFileInfo::exists where we are only creating a QFileInfo to check
if file exists in #5291
- Make correct use of Qt signal 'emit' keyword in #5287
- Remove unused variables in #5290
- Declare all QRegularExpressions statically in #5289
- l10n: Remove space in #5297
- Feature/move shellextensions to root installdir in #5295
- Improve backup dark mode palette for Windows in #5298
- Allow setting up an account with apppassword and folder via
command-line arguments. For deployment. in #5296
- Update file's metadata in the local database when the etag changes
while file remains unchanged. Fix subsequent conflict when locking and
unlocking. in #5293
- Fix warnings on QPROPERTY-s in #5286
- Replace now deprecated FSEventStreamScheduleWithRunLoop with
FSEventStreamSetDispatchQueue in #5272
- Fix macOS shell integration class inits in #5299
- Drop dependency on Qt Quick Controls 1 in #5309
- Fix full-text search results not being opened in browser in #5279
- Feature/allow forceoverrideurl via command line in #5329
- Bugfix/e2ee vulnerability empty metadatakeys in #5323
- Always generate random initialization vector when uploading encrypted
file in #5324
- Fix bad string for translation. in #5358
- Update legal notice to 2023 in #5361
- Fix migration from legacy client when override server url is set in
#5322
- Don't try to lock folders when editing locally in #5317
- Fix fetch more unified search result item not being clickable in #5266
- Add ability to disable E2EE in #5167
- Remove unused monochrome icons setting in #5366
- Feature/sync with case clash names in #5232
- Edit locally. Do not lock if locking is disabled on the server. in
#5371
- Revert "Merge pull request #5366 from
nextcloud/bugfix/remove-mono-icons-setting" in #5372
- Open calendar notifications in the browser. in #4684
- Migrate old configs in #5362
- Always unlock E2EE folders, even when network failure or crash. in
#5370
- Fix displaying of file details button for local syncfileitem
activities in #5380
- Improve config upgrade warning dialog in #5386
- Backport/5385/stable 3.7 in #5388
- Update to 3.6.6
- Revert "Fix(l10n): capital_abcd Update translations from Transifex"
33f3975
- Update to 3.6.5
- do not assert when sharing to a circle in #5310
- Fix macOS shell integration class inits in #5311
- Drop dependency on Qt Quick Controls 1 in #5312
- Feature/allow forceoverrideurl via command line in #5332
- Fix typo in #5270
- check that we update local file mtime on changes from server in #5321
- fix regressions on pinState management when doing renames in #5333
- Always generate random initialization vector when uploading encrypted
file in #5334
- Fix SyncEngineTest failure when localstate is destroyed. in #5336
- Bugfix/e2ee vulnerability empty metadatakeys in #5335
- Update to 3.6.4
- do not create GUI from a random thread and show error on real error
- Update to 3.6.3
- Fix typo of connector
- fix renaming of folders with a deep hierarchy inside them
- Make user status selector modal, show user header
- Prevent bad encrypting of folder if E2EE has not been correctly set up
- Feature/edit file locally restart sync
- Add forcefoldersync method to folder manager
- Make use of plain text-enforcing qml labels
- Lock file when editing locally
- Format some QLabels as plain text
- Update to 3.6.2
- Fix call notification dialog buttons by @backportbot-nextcloud in #5075
- emit missing signal to update folder sync status icon by
@backportbot-nextcloud in #5090
- Fix macOS autoupdater settings by @backportbot-nextcloud in #5103
- Validate and sanitise edit locally token and relpath before sending to
server by @backportbot-nextcloud in #5106
- Fix compatibility with newer python3-nautilus by
@backportbot-nextcloud in #5112
- Refactor FolderMan's "Edit Locally" capabilities as separate class by
@backportbot-nextcloud in #5111
- use new public API to open an edit locally URL by
@backportbot-nextcloud in #5117
- Use separate variable for cfg file name in CMAKE. by
@backportbot-nextcloud in #5140
- Fix stable-3.6 compile on macOS by @claucambra in #5154
- Fix bad backport of CustomButton changes in Stable-3.6 by @claucambra
in #5155
- Backport/5067/stable 3.6 by @allexzander in #5153
- Backport/5092/stable 3.6 by @allexzander in #5156
- properly escape a path when creating a test file during tests by
@backportbot-nextcloud in #5158
- Split out the dbus service related files that provides libcloudproviders
integration for nextcloud desktop client into a separate package; when
this is installed, launching any app supporting libowncloudproviders
(e.g. nautilus on GNOME) will automatically launch the desktop client --
which is rather annoying to happen by default, esp. in cases where a
user does not even have a nextcloud account (gh#nextcloud/desktop#1982,
gh#nextcloud/desktop#2622).
- Make the extension work again on Nautilus 43. This patch also supports
previous Nautilus versions.
- Update to 3.6.1
- Fix wrong estimated time when doing sync.
- Bugfix/selective sync abort error
- Bugfix/conflict resolution when selecting folder
- Fix menu bar height calculation on macOS
- Fix add account window text clipping, enlarge text
- Accept valid lsColJob reply XML content types
- Fix low-resolution file changed overlay icons in activities
- Deallocate call notification dialog objects when closed
- Ensure that the file being processed has had its etag properly
sanitised, log etag more
- Ensure strings in main window QML are presented as plain text and not
HTML
- Do not format text in QML components as HTML
- Fix two factor authentication notification
- Bring back .lnk files on Windows and always treat them as non-virtual
files.
- Fix 'Reply' primary property.
- Update after tx migrate
- Command-line client. Do not trust SSL certificates by default, unless
'--trust' option is set.
- Fix invisible user status selector button not being checked when user
is in Offline mode
- Fix link shares default expire date being enforced as maximum expire
date even when maximum date enforcement is disabled on the server
- Backport/4989/stable 3.6
- use correct version comparison on NSIS updater: fix update from rc
- Improve 'Handle local file editing' feature. Add loading popup. Add
f…
- Backport/5039/bugfix/check token for edit locally requests
- Fix account not found when doing local file editing.
- Fix two factor auth notification: activity item was disabled.
- Fix predefined status text formatting
- Fix sync progress bar colours in dark mode
- Improve handling of file name clashes
- Ensure placeholder message in emoji picker wraps correctly
- Update to 3.6.0
- Fix crash in cldapi.dll
- Updating command-rebase.yml workflow from template
- Reply button size should be same as the input field, smaller + text
color
- Fix crashing when selecting user status and predefined statuses not
appearing
- Make user status dialog look in line with the rest of the desktop
client tray and Nextcloud
- Add a placeholder message for the recents tab of the emoji picker
- Add SVG icon styled for macOS Big Sur
- Ensure the dispatch source only gets deallocated after the
dispatch_source_cancel is done, avoiding crashing of the Finder Sync
Extension on macOS
- Properly adapt the UserStatusSelectorModel to QML, eliminate hacks,
make code more declarative
- Fix the system tray menu not being correctly replaced in
setupContextMenu on GNOME
- Make the share dialog resizeable
- Make client language gender-neutral and more clear
- Use an en-dash for the userstatus panel
- Close call notifications when the call has been joined by the user, or
the call has ended
- Correct spelling
- Print sync direction in SyncFileStatusTracker::slotAboutToPropagate
- Windows CI. Use specific Craft revision.
- Add 'db/local/remote' reference to log string.
- Work around issues with window positioning on Linux DEs, hardcode tray
window to screen center when new account added
- Add a custom back button to the account wizard's advanced setup page
- Clean up systray methods, make more QML-friendly
- Refactor tray window opening code for clarity and efficiency
- Increase the call state checking interval to not overload the server
- Fix bad quote in CMakeLists PNG generation message
- Only set _FORTIFY_SOURCE when a higher level of this flag has not been
set
- Switch to using the main client CI image based on ubuntu 22.04
- Limit concurrent notifications
- Use macOS-specific application icon
- QML-ify the UserModel, use properties rather than setter methods
- Take ints by value rather than reference in UserModel methods
- Feature/vfs windows thumbnails
- Respect skipAutoUpdateCheck in nextcloud.cfg with Sparkle on macOS
- Restyle unified search skeleton items animation and simplify their code
- Stop styling QML unified search items hierarchically, use global Style
constants
- Use preprocessor directive rather than normal 'if' for UNNotification
types
- Make apps menu scrollable when content taller than available vertical
space, preventing borking of layout
- Ensure that throttled notifications still appear in tray activity model
- Stop clearing notifications when new notifications are received
- Fix ActivityItemContent QML paintedWidth errors
- Clicking on an activity list item for a file opens the local file if
available
- Replace unified search text field busy indicator with custom indicator
- Update macOS Info.plist
- Ensure debug archive contents are readable by any user
- Remove Ubuntu Impish, add Kinetic
- Make UserStatusSelector a dismissible page pushed onto the tray window
- Feature/handle edit locally
- Add Debian Bullseye build
- Double-clicking tray icon opens currently-selected user's local folder
(if available)
- Clean up TalkReplyTextField, remove unnecessary parent Item
- Refactor user line
- Do not reboot PC when running an MSI via autoupdate.
- Always run MSI with full UI.
- Eliminate padding around the menu separator in the account menu
- Feature/enable more warnings also for gcc
- Move CFAPI shell extensions variables to root CMakeLists.
- Move URI scheme variable from Nextcloud.cmake to root CMakeLists.
- Ensure SyncEngine use an initialized instance of SyncOptions
- Fix QML warnings
- I18n: Spelling unification
- Fix crash: 'Failed to create OpenGL context'.
- Fix bugs with setting 'Away' user status
- Fix Greek translation for application name in menu
- Align, resize, and layout everything uniformly in the unified search
view
- Remove libglib-2.0.so.0 and libgobject-2.0.so.0 from Appimage.
- Fix unified search item placeholder image source
- Use same tooltip component everywhere, fix tooltip clipping bugs
- Fix account switching and hover issues with UserLine component
- Remove Ubuntu Focal
- Add a ScrollView to the predefined statuses area of the
UserStatusSelector
- Prevent the 'Cancel' button of the user status selector getting
squashed
- Ensure that clear status message combo box is at least implicit width
- Fix alignment of predefined status contents regardless of emoji fonts
- Prevent crashing when trying to create error-ing QML component in
systray.cpp, output error to log
- Add CHANGELOG.md.
- Ensure file activity dialog is centered on screen and appears at top
of window stack
- Build script for AppImage should not assume Nextcloud is the name
- Fix File Activities dialog not showing up.
- Read and store fileId and remote permissions during bulk upload
- Do not build qt keychain already included in the CI images
- Bugfix/web engine on win11
- Update CHANGELOG for the 3.6.0 release.
- Fix script that uploads AppImage to go in correct path
- Update to 3.5.4
- Add and use DO_NOT_REBOOT_IN_SILENT=1 parameter for MSI to not reboot
during the auto-update.
- Update to 3.5.3
- Fix the system tray menu not being correctly replaced in
setupContextMenu on GNOME
- Ensure call notification stays on top of other windows
- Work around issues with window positioning on Linux DEs, hardcode tray
window to screen center when new account added
- Clean up systray methods, make more QML-friendly
- Refactor tray window opening code for clarity and efficiency
- Only set _FORTIFY_SOURCE when a higher level of this flag has not been
set
- Limit concurrent notifications
- Take ints by value rather than reference in UserModel methods
- Respect skipAutoUpdateCheck in nextcloud.cfg with Sparkle on macOS
- Use preprocessor directive rather than normal 'if' for UNNotification
types
- QML-ify the UserModel, use properties rather than setter methods
- Fix ActivityItemContent QML paintedWidth errors
- Stop clearing notifications when new notifications are received
- Ensure debug archive contents are readable by any user
- Stop styling QML unified search items hierarchically, use global Style
constants
- Update macOS Info.plist
- print sync direction in SyncFileStatusTracker::slotAboutToPropagate
- Remove Ubuntu Impish, add Kinetic
- Ensure that throttled notifications still appear in tray activity model
- Make apps menu scrollable when content taller than available vertical
space, preventing borking of layout
- Update to 3.5.2
- Explicitly ask user for notification authorisation on launch (macOS)
- Fix crash caused by overflow in FinderSyncExtension
- add new fixup workflow from nextcloud org
- Display chat message inside the OS notification.
- Fix 'TypeError: Cannot readproperty 'messageSent' of undefined'.
- Add a transparent background to the send reply button.
- Fix build on macOS versions pre-11 (down to 10.14)
- Ignore Office temp folders on Mac ('.sb-' in folder name).
- Remove assert, it is no longer useful.
- Add contrast to the text/icon of buttons if the server defined color
is light.
- fix general section
- Remove tooltip because it is only repeating the label of the link.
- bugfix/share-dialog
- Updating command-rebase.yml workflow from template
- Reply button size should be same as the input field, smaller + text
color
- Close call notifications when the call has been joined by the user, or
the call has ended
- Increase the call state checking interval to not overload the server
- Ensure the dispatch source only gets deallocated after the
dispatch_source_cancel is done, avoiding crashing of the Finder Sync
Extension on macOS
* A more future-proof and distribution friendly fix for boo#1201070
- Fix Tumbleweed build and install error boo#1201070. Use own CFLAGS for
Tumbleweed with -D_FORTIFY_SOURCE=2 instead of -D_FORTIFY_SOURCE=3.
- Update to 3.5.1
- Add new and correct sparkle update signature
- l10n: Remove string from translation
- l10n: Changed triple dot to ellipsis
- Ensure cache is stored in default cache location
- Updating command-rebase.yml workflow from template
- Remove "…" from "Create Debug Archive" button
- docs: Replace "preceded" with "followed"
- only add OCS-APIREQUEST header for 1st request of webflow v1
- Make the make_universal.py script more verbose for easier debugging
- Revamp notifications for macOS and add support for actionable update
notifications
- Use proper online status for user ('dnd', 'online', 'invisible', etc.)
to enable or disable desktop notifications.
- Bugfix. Take root folder's files size into account when displaying the
total size in selective sync dialog.
- Fix activity list item issues with colours/layout/etc.
- Bugfix/allow manual rename files with spaces
- Fixed share link expiration box being ineditable and always attempting
to set invalid date
- Fix crashing of finder sync extension caused by dispatch_source_cancel
of nullptr
- Simplify and remove the notification "cache"
- Fix tray icon not displaying "Open main dialog"
- if an exclude file is deleted, skip it and remove it from internal list
- Bugfix/two factor notification
- Fix visual borking in the share dialog
- add explicit capture for lambda
- Update to 3.5.0
- Require cmake 3.16
- Add testing for ActivityListModel
- Check for dbus-1 when building with cloudproviders
- Add ability to copy internal link from share dialog
- Feature/improve activity buttons
- Add thumbnails for files in the activity view
- Use proper API to dehydrate a placeholder file
- Feature/Talk Reply v1
- Ensure we emit a rename command for renamed files
- Remove Hirsute, add Jammy
- Allow account menu to scroll when content height is larger than menu
height
- Always build with updater. Use 'beta/stable' channel selector in
'General Settings' dialog with default 'stable'.
- Cmake option to disable proxy
- Add support for server color theming
- No longer assume status bar height, calculate, fixing notch borking on
new MacBook Pro
- Add a dark mode
- Generates pot files automatically.
- Add headers in cmake files to get them properly detected
- Ensure that bulk upload network job errors are handled
- Do not remove a folder that has files that were not uploaded yet
during propagation
- L10n: Change to lowercase
- Simplify currentScreen in systray.cpp
- Fix warn colour in dark mode
- Do not remove files from a Group folder and its nested folders when it
is renamed or removed while not allowed.
- Rollback local move on server move failure
- Implement local socket to communicate with finder extension
- Bugfix/prevent overflow with mtime
- L10n: Changed spelling
- Add 'Help' action back.
- Ensure file activity dialog appears in centre of screen
- Increase maximum text line count in tray activity items to two lines
- Fix file activity dialog
- Properly ask Qt to create qml opengl surface with proper options
- Old submodule url does not work any longer
- Old submodule url does not work any longer
- Prepare for 3.5.0-rc1
- Fix icon color and highlight color issues
- Fix for VFS crashes due to mimetype checking for thumbnails
- Fix various dark mode bugs
- Add a new yml github issue template for bug reports.
- Ensure we only store update channel not localized in settings
- Improve talk reply
- Prepare for 3.5.0-rc2
- Bugfix/talk reply part 2
- Darkmode. Fix crash on exit.
- Avoid deleting renamed file with spaces in name
- More dark mode fixes
- Ensure we do properly failed hydration jobs
- Fix build of appimage for branded clients
- Prepare for 3.5.0-rc3
- Feature/files lock
- Add call notification dialog.
- Fix thumbnails for new files made while client open
- Increase time between connection tries
- Improve contrast on server color themed elements
- Fix positioning of activities in the activities list
- Bugfix/activities fetch server overload
- Realigned and resized thumbnails
- Add user avatars in talk notifications in activity list
- Fix sparkle implementation in the desktop client
- Prepare 3.5.0-rc4
- Prepare final 3.5.0 release
- Update to 3.4.4
- Do not remove files from a Group folder and its nested folders when it
is renamed or removed while not allowed.
- Bugfix/prevent overflow with mtime
- Old submodule url does not work any longer
- Update to 3.4.3
- Remove Hirsute, add Jammy
- Cmake option to disable proxy
- ensure we emit a rename command for renamed files
- Makes sure that sync engine terminates when an error happens
- ensure that bulk upload network job errors are handled
- Rollback local move on server move failure
- Do not remove a folder that has files that were not uploaded yet
during propagation
- Update to 3.4.2
- Bugfix/force re-login on SSL Handshake error
- Do not display 'Conflict when uploading some files to a folder
- Windows. MSI. Unregister Nextcloud folders in SyncRootManager on
uninstall.
- Unbreak loading translations
- Hide share button for deleted files and ignored files in tray activity
- Display error message when creating a link share with compromised
password.
- Bugfix. Re-init sharing manager to enable link sharing UI when
receiving sharing permissions.
- Show only filenames in tray activity items, with full path in tooltip
- use proper API to dehydrate a placeholder file
- Add macOS *.textClipping files to ignore list
- Update to 3.4.1
- fix random error when updating CfApi metadata
- do not forget the path when renaming files with invalid names
- Bugfix/assert invalid modtime
- Feature/folder logo variations
- Always prefill username from Windows login name based on server version
- Bugfix/3.4.1 rc1
- Bugfix/sync stuck on error
- Bugfix/force download local invalid files
- Enforce VFS. Disable 'Make always available locally'.
- Bugfix/avoid sync getting stuck
- Fix CMake error in ECMAddAppIcon for mac
- Do not crash on findAndCancelDeletedJob
- ensure any errors after calling FileSystem::getModTime are handled
- Skipped version 3.4.0 because of the modtime bug. See:
https://github.com/nextcloud/desktop/pull/4049
Please read the following wiki page, "How to fix files invalid modification date":
https://github.com/nextcloud/desktop/wiki/Fix-bug-invalid-modification-date
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Backports SLE-15-SP4:
zypper in -t patch openSUSE-2023-90=1
Package List:
- openSUSE Backports SLE-15-SP4 (aarch64 x86_64):
libnextcloudsync-devel-3.8.0-bp154.2.3.1
libnextcloudsync0-3.8.0-bp154.2.3.1
nextcloud-desktop-3.8.0-bp154.2.3.1
nextcloud-desktop-dolphin-3.8.0-bp154.2.3.1
- openSUSE Backports SLE-15-SP4 (noarch):
caja-extension-nextcloud-3.8.0-bp154.2.3.1
cloudproviders-extension-nextcloud-3.8.0-bp154.2.3.1
nautilus-extension-nextcloud-3.8.0-bp154.2.3.1
nemo-extension-nextcloud-3.8.0-bp154.2.3.1
nextcloud-desktop-doc-3.8.0-bp154.2.3.1
nextcloud-desktop-lang-3.8.0-bp154.2.3.1
References:
https://www.suse.com/security/cve/CVE-2022-39331.html
https://www.suse.com/security/cve/CVE-2022-39332.html
https://www.suse.com/security/cve/CVE-2022-39333.html
https://www.suse.com/security/cve/CVE-2022-39334.html
https://www.suse.com/security/cve/CVE-2023-23942.html
https://bugzilla.suse.com/1201070
https://bugzilla.suse.com/1205798
https://bugzilla.suse.com/1205799
https://bugzilla.suse.com/1205800
https://bugzilla.suse.com/1205801
https://bugzilla.suse.com/1207976

openSUSE-SU-2023:0090-1: important: Security update for nextcloud-desktop
by opensuse-security@opensuse.org 13 Apr '23
openSUSE Security Update: Security update for nextcloud-desktop
______________________________________________________________________________
Announcement ID:  openSUSE-SU-2023:0090-1
Rating:           important
References:       #1201070 #1205798 #1205799 #1205800 #1205801
                  #1207976
Cross-References: CVE-2022-39331 CVE-2022-39332 CVE-2022-39333
                  CVE-2022-39334 CVE-2023-23942
CVSS scores:
                  CVE-2022-39331 (NVD) : 5.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
                  CVE-2022-39332 (NVD) : 5.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
                  CVE-2022-39333 (NVD) : 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
                  CVE-2022-39334 (NVD) : 3.9 CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
                  CVE-2023-23942 (NVD) : 5.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Affected Products:
                  openSUSE Backports SLE-15-SP4
______________________________________________________________________________
An update that solves 5 vulnerabilities and has one errata
is now available.
Description:
This update for nextcloud-desktop fixes the following issues:
nextcloud-desktop was updated to 3.8.0:
- Resize WebView widget once the loginpage rendered
- Feature/secure file drop
- Check German translation for wrong wording
- L10n: Correct word
- Fix displaying of file details button for local syncfileitem activities
- Improve config upgrade warning dialog
- Only accept folder setup page if overrideLocalDir is set
- Update CHANGELOG.
- Prevent ShareModel crash from accessing bad pointers
- Bugfix/init value for pointers
- Log to stdout when built in Debug config
- Clean up account creation and deletion code
- L10n: Added dot to end of sentence
- L10n: Fixed grammar
- Fix "Create new folder" menu entries in settings not working correctly
on macOS
- Ci/clang tidy checks init variables
- Fix share dialog infinite loading
- Fix edit locally job not finding the user account: wrong user id
- Skip e2e encrypted files with empty filename in metadata
- Use new connect syntax
- Fix avatars not showing up in settings dialog account actions until
clicked on
- Always discover blacklisted folders to avoid data loss when modifying
selectivesync list.
- Fix infinite loading in the share dialog when public link shares are
disabled on the server
- With cfapi when dehydrating files add missing flag
- Fix text labels in Sync Status component
- Display 'Search globally' as the last sharees list element
- Fix display of 2FA notification.
- Bugfix/do not restore virtual files
- Show server name in tray main window
- Add Ubuntu Lunar
- Debian build classification 'beta' cannot override 'release'.
- Update changelog
- Follow shouldNotify flag to hide notifications when needed
- Bugfix/stop after creating config file
- E2EE cut extra zeroes from decrypted byte array.
- When local sync folder is overridden, respect this choice
- Feature/e2ee fixes
- This also fixes security issues:
  - (boo#1205798, CVE-2022-39331)
    Arbitrary HyperText Markup Language injection in notifications
  - (boo#1205799, CVE-2022-39332)
    Arbitrary HyperText Markup Language injection in user status and
    information
  - (boo#1205800, CVE-2022-39333)
    Arbitrary HyperText Markup Language injection in desktop client
    application
  - (boo#1205801, CVE-2022-39334)
    Client incorrectly trusts invalid TLS certificates
  - (boo#1207976, CVE-2023-23942)
    missing sanitisation on qml labels leading to javascript injection
- Update to 3.7.4
- check German translation for wrong wording
- Fix "Create new folder" menu entries in settings not working correctly
on macOS
- Clean up account creation and deletion code
- Fix share dialog infinite loading
- fix edit locally job not finding the user account: wrong user id
- skip e2e encrypted files with empty filename in metadata
- Always discover blacklisted folders to avoid data loss when modifying
selectivesync list.
- use new connect syntax
- with cfapi when dehydrating files add missing flag
- Fix avatars not showing up in settings dialog account actions until
clicked on
- Fix text labels in Sync Status component
- Fix infinite loading in the share dialog when public link shares are
disabled on the server
- Ci/clang tidy checks init variables
- Display 'Search globally' as the last sharees list element
- Resize WebView widget once the loginpage rendered
- Bugfix/do not restore virtual files
- Fix display of 2FA notification.
- Update to 3.7.3
- Revert "Fix(l10n): capital_abcd Update translations from Transifex"
- Revert "Fix(l10n): capital_abcd Update translations from Transifex"
- Revert "Fix(l10n): capital_abcd Update translations from Transifex"
- Update to 3.7.2
- No regular changelog from upstream. See instead:
https://github.com/nextcloud/desktop/compare/v3.7.1...v3.7.2
- Update to 3.7.1
- Backport/5393/stable 3.7 by @mgallien in #5403
- Fix wrong estimated time when doing sync. in #4902
- Bugfix/selective sync abort error in #4903
- Set UnifiedSearchResultNothingFound visibility less messily in #4751
- Clean up QML type and singleton registration in #4817
- Simplify activity list delegates by making them ItemDelegates, clean
up in #4786
- Improve activity list highlighting/keyboard item selection in #4781
- Replace private API QZipWriter with KArchive in #4768
- makes Qt WebEngine optional only on macOS in #4875
- Bugfix/conflict resolution when selecting folder in #4914
- Fix fileactivitylistmodel QML registration in #4920
- Updated link to documentation in #4792
- Fix menu bar height calculation on macOS in #4917
- Fix ActivityItem activityHover error in #4921
- Fix add account window text clipping, enlarge text in #4910
- Accept valid lsColJob reply XML content types in #4919
- Fix low-resolution file changed overlay icons in activities in #4930
- Refactor ActivityListModel population mechanisms in #4736
- Make account setup wizard's adjustWizardSize resize to current page
size instead of largest wizard page in #4911
- Deallocate call notification dialog objects when closed by @claucambra
in #4939
- Ensure that the file being processed has had its etag properly
sanitised, log etag more in #4940
- Feature/syncjournaldb handle errors in #4819
- Do not format text in QML components as HTML in #4944
- Fix two factor auth notification: activity item was disabled. in #4961
- Add a placeholder item for empty activity list in #4959
- Ensure strings in main window QML are presented as plain text and not
HTML by @claucambra in #4972
- Improve handling of file name clashes by @claucambra in #4970
- Add a QSortFilterProxyModel-based SortedActivityListModel by
@claucambra in #4933
- Bring back .lnk files on Windows and always treat them as non-virtual
files. by @allexzander in #4968
- Fix two factor authentication notification by @camilasan in #4967
- Ensure placeholder message in emoji picker wraps correctly in #4960
- Make activity action button an actual button, clean up contents in
#4784
- Improve the error box QML component in #4976
- Fix 'Reply' primary property. in #4985
- Fix sync progress bar colours in dark mode in #4986
- Fix predefined status text formatting in #4987
- Don't set up tray context menu on macOS, even if not building app
bundle in #4988
- Ci/check clang tidy in ci in #4995
- check our code with clang-tidy in #4999
- always use constexpr for all text constants in #4996
- avoid possibly crashing static_cast in #4994
- switch AppImage CI to latest tag: client-appimage-6 in #5003
- configure a list of checks for clang-tidy in #5004
- Fix link shares default expire date being enforced as maximum expire
date even when maximum date enforcement is disabled on the server in
#4982
- apply modernize-use-using via clang-tidy in #4993
- Ci/use no discard in #4992
- Fix files not unlocking after lock time expired in #4962
- Update client image in #5002
- let's check the format via some github action in #4991
- Feature/vfs windows sharing and lock state in #4942
- Update after tx migrate in #5019
- Improve 'Handle local file editing' feature. Add loading popup. Add
force sync before opening a file. in #4990
- Command-line client. Do not trust SSL certificates by default, unless
'--trust' option is set. in #5022
- Bugfix/files lock fail metadata in #5024
- do not ignore return value in #4998
- improve logs when adding sync errors in activity list of main dialog
in #5032
- Fix invisible user status selector button not being checked when user
is in Offline mode in #5012
- use correct version comparison on NSIS updater: fix update from rc in
#4979
- Bugfix/check token for edit locally requests in #5039
- Fix the dismiss button: display it whenever possible. in #4989
- Fix account not found when doing local file editing. in #5040
- Improve "pretty user name"-related strings, display in webflow
credentials in #5013
- Update CHANGELOG with 3.6.1 changes. in #5066
- Fix call notification dialog buttons in #5074
- validate certificate for E2EE against private key in #4949
- emit missing signal to update folder sync status icon in #5087
- Update CMake usage in README build instructions in #5086
- Clean up methods in sync engine in #5071
- Make Systray's void methods slots in #5042
- Remove unneeded parameter from CleanupPollsJob constructor in #5070
- Add a 'Sync now' button to the sync status header in the tray window
in #5018
- Modernise and improve code in AccountManager in #5026
- Fix macOS autoupdater settings in #5102
- Validate and sanitise edit locally token and relpath before sending to
server in #5093
- Refactor FolderMan's "Edit Locally" capabilities as separate class in
#5107
- Modernise and improve code in AccountSettings in #5027
- Fix compatibility with newer python3-nautilus in #5105
- Only show Sync Now button if account is connected in #5097
- use new public API to open an edit locally URL in #5116
- Add a new file details window, unify file activity and sharing in #4929
- E2EE. Do not generate keypair without user request. in #5067
- Fix incorrect current user index when adding or removing a user
account. Also fix incorrect user avatar lookup by id. in #5092
- Remove unused internal link widget from old share dialog in #5123
- Use separate variable for cfg file name in CMAKE. in #5136
- Bugfix/delete folders during propagation even when propagation has
errors in #5104
- Remove unused app pointer in CocoaInitializer in #5127
- Ensure 'Sync now' button doesn't have its text elided in #5129
- Fix share delegate button icon colors in dark mode in #5132
- Do not use copy-assignment of QDialog. in #5148
- Remove unused remotePath in User::processCompletedSyncItem in #5118
- Make user status selector modal, show user header in #5145
- properly escape a path when creating a test file during tests in #5151
- Add support cmake unity build in #5109
- Fix typo of connector in #5157
- fully qualify types in signals and slots in #5088
- Remove reference to inexistent property in NCCustomButton in #5173
- Fix ActivityList delegate warnings in #5172
- Ensure forcing a folder to be synced unpauses syncing on said folder
in #5152
- switch back to upstream craft in #5178
- fix renaming of folders with a deep hierarchy inside them in #5182
- fix instances of: c++11 range-loop might detach Qt container warnings
in #5089
- Implement context menu entry "Leave this share" in #5081
- check that we update local file mtime on changes from server in #5188
- Add end-to-end tests to our CI in #5124
- Modernize the Dolphin action plugin in #5192
- Ci/do not modify configuration file during tests in #5200
- cmake: Use FindPkgConfig's pkg_get_variable instead of custom macro in
#5199
- Fix tray window margins, stop cutting into window border in #5202
- fix regressions on pinState management when doing renames in #520
- Fix bad custom button alignments, sizings, etc. in #5189
- Ci/do not override configuration file in #5206
- Clearly tell user that E2EE has been enabled for an account in #5164
- Fix CfApiShellExtensionsIPCTest in #5209
- l10n: Fixed grammar in #5220
- Prevent bad encrypting of folder if E2EE has not been correctly set up
in #5223
- Remove close/dismiss button from encryption message in #5163
- Update macOS shell integration deployment targets in #5227
- Bugfix/case cash conflicts should not terminate sync in #5224
- Differentiate between E2EE not being enabled at all vs. E2EE being
enabled already through another device in account settings message in
#5179
- Ensure more QML text components are rendering things as plain text in
#5231
- l10n: Correct spelling in #5221
- Make use of plain text-enforcing qml labels in #5233
- Feature/edit file locally restart sync in #5175
- Fix CI errors for Edit Locally. in #5241
- Lock file when editing locally in #5226
- Format some QLabels as plain text in #5247
- do not create GUI from a random thread and show error on real error in
#5253
- Fix BasicComboBox internal layout in #5216
- Explicitly size and align user status selector text input to avoid
bugs with alternate QtQuick styles in #5214
- do not use bulk upload for e2ee files in #5256
- Only show mnemonic request dialog when user explicitly wants to enable
E2EE in #5181
- Replace share settings popup with a page on a StackView in #5194
- Add interactive NC Talk notifications on macOS in #5143
- Show file details within the tray dialog, rather than in a separate
dialog in #5139
- Silence sync termination errors when running EditLocallyJob. in #5261
- Fix typo in #5257
- Add an "Encrypt" menu entry in file browser context menu for folders
in #5263
- Add a nix flake for easy building and dev environments in #5007
- Add an internal link share to the share dialog in #5131
- Avoid the Get-Task-Allow Entitlement (macOS Notarization) in #5274
- sets a fixed version for pixman when building desktop client via Craft
in #5269
- Fix SyncEngineTest failure when localstate is destroyed. in #5273
- Feature/remove obsolete names in #5271
- Remove unused HeaderBanner component in #5245
- Feature/do not sync enc folders if e2ee is not setup in #5258
- fix migration from old settings configuration files in #5141
- Use QFileInfo::exists where we are only creating a QFileInfo to check
if file exists in #5291
- Make correct use of Qt signal 'emit' keyword in #5287
- Remove unused variables in #5290
- Declare all QRegularExpressions statically in #5289
- l10n: Remove space in #5297
- Feature/move shellextensions to root installdir in #5295
- Improve backup dark mode palette for Windows in #5298
- Allow setting up an account with app password and folder via
command-line arguments. For deployment. in #5296
- Update file's metadata in the local database when the etag changes
while file remains unchanged. Fix subsequent conflict when locking and
unlocking. in #5293
- Fix warnings on QPROPERTY-s in #5286
- Replace now deprecated FSEventStreamScheduleWithRunLoop with
FSEventStreamSetDispatchQueue in #5272
- Fix macOS shell integration class inits in #5299
- Drop dependency on Qt Quick Controls 1 in #5309
- Fix full-text search results not being opened in browser in #5279
- Feature/allow forceoverrideurl via command line in #5329
- Bugfix/e2ee vulnerability empty metadatakeys in #5323
- Always generate random initialization vector when uploading encrypted
file in #5324
- Fix bad string for translation. in #5358
- Update legal notice to 2023 in #5361
- Fix migration from legacy client when override server url is set in
#5322
- Don't try to lock folders when editing locally in #5317
- Fix fetch more unified search result item not being clickable in #5266
- Add ability to disable E2EE in #5167
- Remove unused monochrome icons setting in #5366
- Feature/sync with case clash names in #5232
- Edit locally. Do not lock if locking is disabled on the server. in
#5371
- Revert "Merge pull request #5366 from
nextcloud/bugfix/remove-mono-icons-setting" in #5372
- Open calendar notifications in the browser. in #4684
- Migrate old configs in #5362
- Always unlock E2EE folders, even when network failure or crash. in
#5370
- Fix displaying of file details button for local syncfileitem
activities in #5380
- Improve config upgrade warning dialog in #5386
- Backport/5385/stable 3.7 in #5388
- Update to 3.6.6
- Revert "Fix(l10n): capital_abcd Update translations from Transifex"
33f3975
- Update to 3.6.5
- do not assert when sharing to a circle in #5310
- Fix macOS shell integration class inits in #5311
- Drop dependency on Qt Quick Controls 1 in #5312
- Feature/allow forceoverrideurl via command line in #5332
- Fix typo in #5270
- check that we update local file mtime on changes from server in #5321
- fix regressions on pinState management when doing renames in #5333
- Always generate random initialization vector when uploading encrypted
file in #5334
- Fix SyncEngineTest failure when localstate is destroyed. in #5336
- Bugfix/e2ee vulnerability empty metadatakeys in #5335
- Update to 3.6.4
- do not create GUI from a random thread and show error on real error
- Update to 3.6.3
- Fix typo of connector
- fix renaming of folders with a deep hierarchy inside them
- Make user status selector modal, show user header
- Prevent bad encrypting of folder if E2EE has not been correctly set up
- Feature/edit file locally restart sync
- Add forcefoldersync method to folder manager
- Make use of plain text-enforcing qml labels
- Lock file when editing locally
- Format some QLabels as plain text
- Update to 3.6.2
- Fix call notification dialog buttons by @backportbot-nextcloud in #5075
- emit missing signal to update folder sync status icon by
@backportbot-nextcloud in #5090
- Fix macOS autoupdater settings by @backportbot-nextcloud in #5103
- Validate and sanitise edit locally token and relpath before sending to
server by @backportbot-nextcloud in #5106
- Fix compatibility with newer python3-nautilus by
@backportbot-nextcloud in #5112
- Refactor FolderMan's "Edit Locally" capabilities as separate class by
@backportbot-nextcloud in #5111
- use new public API to open an edit locally URL by
@backportbot-nextcloud in #5117
- Use separate variable for cfg file name in CMAKE. by
@backportbot-nextcloud in #5140
- Fix stable-3.6 compile on macOS by @claucambra in #5154
- Fix bad backport of CustomButton changes in Stable-3.6 by @claucambra
in #5155
- Backport/5067/stable 3.6 by @allexzander in #5153
- Backport/5092/stable 3.6 by @allexzander in #5156
- properly escape a path when creating a test file during tests by
@backportbot-nextcloud in #5158
- Split out the dbus service related files that provides libcloudproviders
integration for nextcloud desktop client into a separate package; when
this is installed, launching any app supporting libowncloudproviders
(e.g. nautilus on GNOME) will automatically launch the desktop client --
which is rather annoying to happen by default, esp. in cases where a
user does not even have a nextcloud account (gh#nextcloud/desktop#1982,
gh#nextcloud/desktop#2622).
- Make the extension work again on Nautilus 43. This patch also supports
previous Nautilus versions.
- Update to 3.6.1
- Fix wrong estimated time when doing sync.
- Bugfix/selective sync abort error
- Bugfix/conflict resolution when selecting folder
- Fix menu bar height calculation on macOS
- Fix add account window text clipping, enlarge text
- Accept valid lsColJob reply XML content types
- Fix low-resolution file changed overlay icons in activities
- Deallocate call notification dialog objects when closed
- Ensure that the file being processed has had its etag properly
sanitised, log etag more
- Ensure strings in main window QML are presented as plain text and not
HTML
- Do not format text in QML components as HTML
- Fix two factor authentication notification
- Bring back .lnk files on Windows and always treat them as non-virtual
files.
- Fix 'Reply' primary property.
- Update after tx migrate
- Command-line client. Do not trust SSL certificates by default, unless
'--trust' option is set.
- Fix invisible user status selector button not being checked when user
is in Offline mode
- Fix link shares default expire date being enforced as maximum expire
date even when maximum date enforcement is disabled on the server
- Backport/4989/stable 3.6
- use correct version comparison on NSIS updater: fix update from rc
- Improve 'Handle local file editing' feature. Add loading popup. Add
f…
- Backport/5039/bugfix/check token for edit locally requests
- Fix account not found when doing local file editing.
- Fix two factor auth notification: activity item was disabled.
- Fix predefined status text formatting
- Fix sync progress bar colours in dark mode
- Improve handling of file name clashes
- Ensure placeholder message in emoji picker wraps correctly
- Update to 3.6.0
- Fix crash in cldapi.dll
- Updating command-rebase.yml workflow from template
- Reply button size should be same as the input field, smaller + text
color
- Fix crashing when selecting user status and predefined statuses not
appearing
- Make user status dialog look in line with the rest of the desktop
client tray and Nextcloud
- Add a placeholder message for the recents tab of the emoji picker
- Add SVG icon styled for macOS Big Sur
- Ensure the dispatch source only gets deallocated after the
dispatch_source_cancel is done, avoiding crashing of the Finder Sync
Extension on macOS
- Properly adapt the UserStatusSelectorModel to QML, eliminate hacks,
make code more declarative
- Fix the system tray menu not being correctly replaced in
setupContextMenu on GNOME
- Make the share dialog resizeable
- Make client language gender-neutral and more clear
- Use an en-dash for the userstatus panel
- Close call notifications when the call has been joined by the user, or
the call has ended
- Correct spelling
- Print sync direction in SyncFileStatusTracker::slotAboutToPropagate
- Windows CI. Use specific Craft revision.
- Add 'db/local/remote' reference to log string.
- Work around issues with window positioning on Linux DEs, hardcode tray
window to screen center when new account added
- Add a custom back button to the account wizard's advanced setup page
- Clean up systray methods, make more QML-friendly
- Refactor tray window opening code for clarity and efficiency
- Increase the call state checking interval to not overload the server
- Fix bad quote in CMakeLists PNG generation message
- Only set _FORTIFY_SOURCE when a higher level of this flag has not been
set
- Switch to using the main client CI image based on ubuntu 22.04
- Limit concurrent notifications
- Use macOS-specific application icon
- QML-ify the UserModel, use properties rather than setter methods
- Take ints by value rather than reference in UserModel methods
- Feature/vfs windows thumbnails
- Respect skipAutoUpdateCheck in nextcloud.cfg with Sparkle on macOS
- Restyle unified search skeleton items animation and simplify their code
- Stop styling QML unified search items hierarchically, use global Style
constants
- Use preprocessor directive rather than normal 'if' for UNNotification
types
- Make apps menu scrollable when content taller than available vertical
space, preventing borking of layout
- Ensure that throttled notifications still appear in tray activity model
- Stop clearing notifications when new notifications are received
- Fix ActivityItemContent QML paintedWidth errors
- Clicking on an activity list item for a file opens the local file if
available
- Replace unified search text field busy indicator with custom indicator
- Update macOS Info.plist
- Ensure debug archive contents are readable by any user
- Remove Ubuntu Impish, add Kinetic
- Make UserStatusSelector a dismissible page pushed onto the tray window
- Feature/handle edit locally
- Add Debian Bullseye build
- Double-clicking tray icon opens currently-selected user's local folder
(if available)
- Clean up TalkReplyTextField, remove unnecessary parent Item
- Refactor user line
- Do not reboot PC when running an MSI via autoupdate.
- Always run MSI with full UI.
- Eliminate padding around the menu separator in the account menu
- Feature/enable more warnings also for gcc
- Move CFAPI shell extensions variables to root CMakeLists.
- Move URI scheme variable from Nextcloud.cmake to root CMakeLists.
- Ensure SyncEngine use an initialized instance of SyncOptions
- Fix QML warnings
- I18n: Spelling unification
- Fix crash: 'Failed to create OpenGL context'.
- Fix bugs with setting 'Away' user status
- Fix greek translation for application name in menu
- Align, resize, and layout everything uniformly in the unified search
view
- Remove libglib-2.0.so.0 and libgobject-2.0.so.0 from Appimage.
- Fix unified search item placeholder image source
- Use same tooltip component everywhere, fix tooltip clipping bugs
- Fix account switching and hover issues with UserLine component
- Remove Ubuntu Focal
- Add a ScrollView to the predefined statuses area of the
UserStatusSelector
- Prevent the 'Cancel' button of the user status selector getting
squashed
- Ensure that clear status message combo box is at least implicit width
- Fix alignment of predefined status contents regardless of emoji fonts
- Prevent crashing when trying to create error-ing QML component in
systray.cpp, output error to log
- Add CHANGELOG.md.
- Ensure file activity dialog is centered on screen and appears at top
of window stack
- Build script for AppImage should not assume Nextcloud is the name
- Fix File Activities dialog not showing up.
- Read and store fileId and remote permissions during bulk upload
- Do not build qt keychain already included in the CI images
- Bugfix/web engine on win11
- Update CHANGELOG for the 3.6.0 release.
- Fix script that uploads AppImage to go in correct path
- Update to 3.5.4
- Add and use DO_NOT_REBOOT_IN_SILENT=1 parameter for MSI to not reboot
during the auto-update.
- Update to 3.5.3
- Fix the system tray menu not being correctly replaced in
setupContextMenu on GNOME
- Ensure call notification stays on top of other windows
- Work around issues with window positioning on Linux DEs, hardcode tray
window to screen center when new account added
- Clean up systray methods, make more QML-friendly
- Refactor tray window opening code for clarity and efficiency
- Only set _FORTIFY_SOURCE when a higher level of this flag has not been
set
- Limit concurrent notifications
- Take ints by value rather than reference in UserModel methods
- Respect skipAutoUpdateCheck in nextcloud.cfg with Sparkle on macOS
- Use preprocessor directive rather than normal 'if' for UNNotification
types
- QML-ify the UserModel, use properties rather than setter methods
- Fix ActivityItemContent QML paintedWidth errors
- Stop clearing notifications when new notifications are received
- Ensure debug archive contents are readable by any user
- Stop styling QML unified search items hierarchically, use global Style
constants
- Update macOS Info.plist
- print sync direction in SyncFileStatusTracker::slotAboutToPropagate
- Remove Ubuntu Impish, add Kinetic
- Ensure that throttled notifications still appear in tray activity model
- Make apps menu scrollable when content taller than available vertical
space, preventing borking of layout
- Update to 3.5.2
- Explicitly ask user for notification authorisation on launch (macOS)
- Fix crash caused by overflow in FinderSyncExtension
- add new fixup workflow from nextcloud org
- Display chat message inside the OS notification.
- Fix 'TypeError: Cannot read property 'messageSent' of undefined'.
- Add a transparent background to the send reply button.
- Fix build on macOS versions pre-11 (down to 10.14)
- Ignore Office temp folders on Mac ('.sb-' in folder name).
- Remove assert, it is no longer useful.
- Add contrast to the text/icon of buttons if the server defined color
is light.
- fix general section
- Remove tooltip because it is only repeating the label of the link.
- bugfix/share-dialog
- Updating command-rebase.yml workflow from template
- Reply button size should be same as the input field, smaller + text
color
- Close call notifications when the call has been joined by the user, or
the call has ended
- Increase the call state checking interval to not overload the server
- Ensure the dispatch source only gets deallocated after the
dispatch_source_cancel is done, avoiding crashing of the Finder Sync
Extension on macOS
* A more future-proof and distribution friendly fix for boo#1201070
- Fix Tumbleweed build and install error boo#1201070. Use own CFLAGS for
Tumbleweed with -D_FORTIFY_SOURCE=2 instead of -D_FORTIFY_SOURCE=3.
- Update to 3.5.1
- Add new and correct sparkle update signature
- l10n: Remove string from translation
- l10n: Changed triple dot to ellipsis
- Ensure cache is stored in default cache location
- Updating command-rebase.yml workflow from template
- Remove "…" from "Create Debug Archive" button
- docs: Replace "preceded" with "followed"
- only add OCS-APIREQUEST header for 1st request of webflow v1
- Make the make_universal.py script more verbose for easier debugging
- Revamp notifications for macOS and add support for actionable update
notifications
- Use proper online status for user ('dnd', 'online', 'invisible', etc.)
to enable or disable desktop notifications.
- Bugfix. Take root folder's files size into account when displaying the
total size in selective sync dialog.
- Fix activity list item issues with colours/layout/etc.
- Bugfix/allow manual rename files with spaces
- Fixed share link expiration box being ineditable and always attempting
to set invalid date
- Fix crashing of finder sync extension caused by dispatch_source_cancel
of nullptr
- Simplify and remove the notification "cache"
- Fix tray icon not displaying "Open main dialog"
- if an exclude file is deleted, skip it and remove it from internal list
- Bugfix/two factor notification
- Fix visual borking in the share dialog
- add explicit capture for lambda
- Update to 3.5.0
- Require cmake 3.16
- Add testing for ActivityListModel
- Check for dbus-1 when building with cloudproviders
- Add ability to copy internal link from share dialog
- Feature/improve activity buttons
- Add thumbnails for files in the activity view
- Use proper API to dehydrate a placeholder file
- Feature/Talk Reply v1
- Ensure we emit a rename command for renamed files
- Remove Hirsute, add Jammy
- Allow account menu to scroll when content height is larger than menu
height
- Always build with updater. Use 'beta/stable' channel selector in
'General Settings' dialog with default 'stable'.
- Cmake option to disable proxy
- Add support for server color theming
- No longer assume status bar height, calculate, fixing notch borking on
new MacBook Pro
- Add a dark mode
- Generates pot files automatically.
- Add headers in cmake files to get them properly detected
- Ensure that bulk upload network job errors are handled
- Do not remove a folder that has files that were not uploaded yet
during propagation
- L10n: Change to lowercase
- Simplify currentScreen in systray.cpp
- Fix warn colour in dark mode
- Do not remove files from a Group folder and its nested folders when it
is renamed or removed while not allowed.
- Rollback local move on server move failure
- Implement local socket to communicate with finder extension
- Bugfix/prevent overflow with mtime
- L10n: Changed spelling
- Add 'Help' action back.
- Ensure file activity dialog appears in centre of screen
- Increase maximum text line count in tray activity items to two lines
- Fix file activity dialog
- Properly ask Qt to create qml opengl surface with proper options
- Old submodule url does not work any longer
- Old submodule url does not work any longer
- Prepare for 3.5.0-rc1
- Fix icon color and highlight color issues
- Fix for VFS crashes due to mimetype checking for thumbnails
- Fix various dark mode bugs
- Add a new yml github issue template for bug reports.
- Ensure we only store update channel not localized in settings
- Improve talk reply
- Prepare for 3.5.0-rc2
- Bugfix/talk reply part 2
- Darkmode. Fix crash on exit.
- Avoid deleting renamed file with spaces in name
- More dark mode fixes
- Ensure we do properly failed hydration jobs
- Fix build of appimage for branded clients
- Prepare for 3.5.0-rc3
- Feature/files lock
- Add call notification dialog.
- Fix thumbnails for new files made while client open
- Increase time between connection tries
- Improve contrast on server color themed elements
- Fix positioning of activities in the activities list
- Bugfix/activities fetch server overload
- Realigned and resized thumbnails
- Add user avatars in talk notifications in activity list
- Fix sparkle implementation in the desktop client
- Prepare 3.5.0-rc4
- Prepare final 3.5.0 release
- Update to 3.4.4
- Do not remove files from a Group folder and its nested folders when it
is renamed or removed while not allowed.
- Bugfix/prevent overflow with mtime
- Old submodule url does not work any longer
- Update to 3.4.3
- Remove Hirsute, add Jammy
- Cmake option to disable proxy
- ensure we emit a rename command for renamed files
- Makes sure that sync engine terminates when an error happens
- ensure that bulk upload network job errors are handled
- Rollback local move on server move failure
- Do not remove a folder that has files that were not uploaded yet
during propagation
- Update to 3.4.2
- Bugfix/force re-login on SSL Handshake error
- Do not display 'Conflict when uploading some files to a folder
- Windows. MSI. Unregister Nextcloud folders in SyncRootManager on
uninstall.
- Unbreak loading translations
- Hide share button for deleted files and ignored files in tray activity
- Display error message when creating a link share with compromised
password.
- Bugfix. Re-init sharing manager to enable link sharing UI when
receiving sharing permissions.
- Show only filenames in tray activity items, with full path in tooltip
- use proper API to dehydrate a placeholder file
- Add macOS *.textClipping files to ignore list
- Update to 3.4.1
- fix random error when updating CfApi metadata
- do not forget the path when renaming files with invalid names
- Bugfix/assert invalid modtime
- Feature/folder logo variations
- Always prefill username from Windows login name based on server version
- Bugfix/3.4.1 rc1
- Bugfix/sync stuck on error
- Bugfix/force download local invalid files
- Enforce VFS. Disable 'Make always available locally'.
- Bugfix/avoid sync getting stuck
- Fix CMake error in ECMAddAppIcon for mac
- Do not crash on findAndCancelDeletedJob
- ensure any errors after calling FileSystem::getModTime are handled
- Skipped version 3.4.0 because of the modtime bug. See:
https://github.com/nextcloud/desktop/pull/4049
Please read the following wiki page on how to fix files with an invalid
modification date:
https://github.com/nextcloud/desktop/wiki/Fix-bug-invalid-modification-date
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Backports SLE-15-SP4:
zypper in -t patch openSUSE-2023-90=1
Package List:
- openSUSE Backports SLE-15-SP4 (aarch64 x86_64):
libnextcloudsync-devel-3.8.0-bp154.2.3.1
libnextcloudsync0-3.8.0-bp154.2.3.1
nextcloud-desktop-3.8.0-bp154.2.3.1
nextcloud-desktop-dolphin-3.8.0-bp154.2.3.1
- openSUSE Backports SLE-15-SP4 (noarch):
caja-extension-nextcloud-3.8.0-bp154.2.3.1
cloudproviders-extension-nextcloud-3.8.0-bp154.2.3.1
nautilus-extension-nextcloud-3.8.0-bp154.2.3.1
nemo-extension-nextcloud-3.8.0-bp154.2.3.1
nextcloud-desktop-doc-3.8.0-bp154.2.3.1
nextcloud-desktop-lang-3.8.0-bp154.2.3.1
References:
https://www.suse.com/security/cve/CVE-2022-39331.html
https://www.suse.com/security/cve/CVE-2022-39332.html
https://www.suse.com/security/cve/CVE-2022-39333.html
https://www.suse.com/security/cve/CVE-2022-39334.html
https://www.suse.com/security/cve/CVE-2023-23942.html
https://bugzilla.suse.com/1201070
https://bugzilla.suse.com/1205798
https://bugzilla.suse.com/1205799
https://bugzilla.suse.com/1205800
https://bugzilla.suse.com/1205801
https://bugzilla.suse.com/1207976

openSUSE-SU-2023:0090-1: important: Security update for nextcloud-desktop
by opensuse-security@opensuse.org 12 Apr '23
openSUSE Security Update: Security update for nextcloud-desktop
______________________________________________________________________________
Announcement ID: openSUSE-SU-2023:0090-1
Rating: important
References: #1201070 #1205798 #1205799 #1205800 #1205801
#1207976
Cross-References: CVE-2022-39331 CVE-2022-39332 CVE-2022-39333
CVE-2022-39334 CVE-2023-23942
CVSS scores:
CVE-2022-39331 (NVD) : 5.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CVE-2022-39332 (NVD) : 5.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CVE-2022-39333 (NVD) : 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVE-2022-39334 (NVD) : 3.9 CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
CVE-2023-23942 (NVD) : 5.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Affected Products:
openSUSE Backports SLE-15-SP4
______________________________________________________________________________
An update that solves 5 vulnerabilities and has one errata
is now available.
Description:
This update for nextcloud-desktop fixes the following issues:
nextcloud-desktop was updated to 3.8.0:
- Resize WebView widget once the loginpage rendered
- Feature/secure file drop
- Check German translation for wrong wording
- L10n: Correct word
- Fix displaying of file details button for local syncfileitem activities
- Improve config upgrade warning dialog
- Only accept folder setup page if overrideLocalDir is set
- Update CHANGELOG.
- Prevent ShareModel crash from accessing bad pointers
- Bugfix/init value for pointers
- Log to stdout when built in Debug config
- Clean up account creation and deletion code
- L10n: Added dot to end of sentence
- L10n: Fixed grammar
- Fix "Create new folder" menu entries in settings not working correctly
on macOS
- Ci/clang tidy checks init variables
- Fix share dialog infinite loading
- Fix edit locally job not finding the user account: wrong user id
- Skip e2e encrypted files with empty filename in metadata
- Use new connect syntax
- Fix avatars not showing up in settings dialog account actions until
clicked on
- Always discover blacklisted folders to avoid data loss when modifying
selectivesync list.
- Fix infinite loading in the share dialog when public link shares are
disabled on the server
- With cfapi when dehydrating files add missing flag
- Fix text labels in Sync Status component
- Display 'Search globally' as the last sharees list element
- Fix display of 2FA notification.
- Bugfix/do not restore virtual files
- Show server name in tray main window
- Add Ubuntu Lunar
- Debian build classification 'beta' cannot override 'release'.
- Update changelog
- Follow shouldNotify flag to hide notifications when needed
- Bugfix/stop after creating config file
- E2EE cut extra zeroes from decrypted byte array.
- When local sync folder is overridden, respect this choice
- Feature/e2ee fixes
- This also fixes security issues:
- (boo#1205798, CVE-2022-39331) Arbitrary HyperText Markup Language
injection in notifications
- (boo#1205799, CVE-2022-39332) Arbitrary HyperText Markup Language
injection in user status and information
- (boo#1205800, CVE-2022-39333) Arbitrary HyperText Markup Language
injection in desktop client application
- (boo#1205801, CVE-2022-39334) Client incorrectly trusts invalid TLS
certificates
- (boo#1207976, CVE-2023-23942) missing sanitisation on qml labels
leading to javascript injection
- Update to 3.7.4
- check German translation for wrong wording
- Fix "Create new folder" menu entries in settings not working correctly
on macOS
- Clean up account creation and deletion code
- Fix share dialog infinite loading
- fix edit locally job not finding the user account: wrong user id
- skip e2e encrypted files with empty filename in metadata
- Always discover blacklisted folders to avoid data loss when modifying
selectivesync list.
- use new connect syntax
- with cfapi when dehydrating files add missing flag
- Fix avatars not showing up in settings dialog account actions until
clicked on
- Fix text labels in Sync Status component
- Fix infinite loading in the share dialog when public link shares are
disabled on the server
- Ci/clang tidy checks init variables
- Display 'Search globally' as the last sharees list element
- Resize WebView widget once the loginpage rendered
- Bugfix/do not restore virtual files
- Fix display of 2FA notification.
- Update to 3.7.3
- Revert "Fix(l10n): capital_abcd Update translations from Transifex"
- Revert "Fix(l10n): capital_abcd Update translations from Transifex"
- Revert "Fix(l10n): capital_abcd Update translations from Transifex"
- Update to 3.7.2
- No regular changelog from upstream. See instead:
https://github.com/nextcloud/desktop/compare/v3.7.1...v3.7.2
- Update to 3.7.1
- Backport/5393/stable 3.7 by @mgallien in #5403
- Fix wrong estimated time when doing sync. in #4902
- Bugfix/selective sync abort error in #4903
- Set UnifiedSearchResultNothingFound visibility less messily in #4751
- Clean up QML type and singleton registration in #4817
- Simplify activity list delegates by making them ItemDelegates, clean
up in #4786
- Improve activity list highlighting/keyboard item selection in #4781
- Replace private API QZipWriter with KArchive in #4768
- makes Qt WebEngine optional only on macOS in #4875
- Bugfix/conflict resolution when selecting folder in #4914
- Fix fileactivitylistmodel QML registration in #4920
- Updated link to documentation in #4792
- Fix menu bar height calculation on macOS in #4917
- Fix ActivityItem activityHover error in #4921
- Fix add account window text clipping, enlarge text in #4910
- Accept valid lsColJob reply XML content types in #4919
- Fix low-resolution file changed overlay icons in activities in #4930
- Refactor ActivityListModel population mechanisms in #4736
- Make account setup wizard's adjustWizardSize resize to current page
size instead of largest wizard page in #4911
- Deallocate call notification dialog objects when closed by @claucambra
in #4939
- Ensure that the file being processed has had its etag properly
sanitised, log etag more in #4940
- Feature/syncjournaldb handle errors in #4819
- Do not format text in QML components as HTML in #4944
- Fix two factor auth notification: activity item was disabled. in #4961
- Add a placeholder item for empty activity list in #4959
- Ensure strings in main window QML are presented as plain text and not
HTML by @claucambra in #4972
- Improve handling of file name clashes by @claucambra in #4970
- Add a QSortFilterProxyModel-based SortedActivityListModel by
@claucambra in #4933
- Bring back .lnk files on Windows and always treat them as non-virtual
files. by @allexzander in #4968
- Fix two factor authentication notification by @camilasan in #4967
- Ensure placeholder message in emoji picker wraps correctly in #4960
- Make activity action button an actual button, clean up contents in
#4784
- Improve the error box QML component in #4976
- Fix 'Reply' primary property. in #4985
- Fix sync progress bar colours in dark mode in #4986
- Fix predefined status text formatting in #4987
- Don't set up tray context menu on macOS, even if not building app
bundle in #4988
- Ci/check clang tidy in ci in #4995
- check our code with clang-tidy in #4999
- always use constexpr for all text constants in #4996
- avoid possibly crashing static_cast in #4994
- switch AppImage CI to latest tag: client-appimage-6 in #5003
- configure a list of checks for clang-tidy in #5004
- Fix link shares default expire date being enforced as maximum expire
date even when maximum date enforcement is disabled on the server in
#4982
- apply modernize-use-using via clang-tidy in #4993
- Ci/use no discard in #4992
- Fix files not unlocking after lock time expired in #4962
- Update client image in #5002
- let's check the format via some github action in #4991
- Feature/vfs windows sharing and lock state in #4942
- Update after tx migrate in #5019
- Improve 'Handle local file editing' feature. Add loading popup. Add
force sync before opening a file. in #4990
- Command-line client. Do not trust SSL certificates by default, unless
'--trust' option is set. in #5022
- Bugfix/files lock fail metadata in #5024
- do not ignore return value in #4998
- improve logs when adding sync errors in activity list of main dialog
in #5032
- Fix invisible user status selector button not being checked when user
is in Offline mode in #5012
- use correct version comparison on NSIS updater: fix update from rc in
#4979
- Bugfix/check token for edit locally requests in #5039
- Fix the dismiss button: display it whenever possible. in #4989
- Fix account not found when doing local file editing. in #5040
- Improve "pretty user name"-related strings, display in webflow
credentials in #5013
- Update CHANGELOG with 3.6.1 changes. in #5066
- Fix call notification dialog buttons in #5074
- validate certificate for E2EE against private key in #4949
- emit missing signal to update folder sync status icon in #5087
- Update CMake usage in README build instructions in #5086
- Clean up methods in sync engine in #5071
- Make Systray's void methods slots in #5042
- Remove unneeded parameter from CleanupPollsJob constructor in #5070
- Add a 'Sync now' button to the sync status header in the tray window
in #5018
- Modernise and improve code in AccountManager in #5026
- Fix macOS autoupdater settings in #5102
- Validate and sanitise edit locally token and relpath before sending to
server in #5093
- Refactor FolderMan's "Edit Locally" capabilities as separate class in
#5107
- Modernise and improve code in AccountSettings in #5027
- Fix compatibility with newer python3-nautilus in #5105
- Only show Sync Now button if account is connected in #5097
- use new public API to open an edit locally URL in #5116
- Add a new file details window, unify file activity and sharing in #4929
- E2EE. Do not generate keypair without user request. in #5067
- Fix incorrect current user index when adding or removing a user
account. Also fix incorrect user avatar lookup by id. in #5092
- Remove unused internal link widget from old share dialog in #5123
- Use separate variable for cfg file name in CMAKE. in #5136
- Bugfix/delete folders during propagation even when propagation has
errors in #5104
- Remove unused app pointer in CocoaInitializer in #5127
- Ensure 'Sync now' button doesn't have its text elided in #5129
- Fix share delegate button icon colors in dark mode in #5132
- Do not use copy-assignment of QDialog. in #5148
- Remove unused remotePath in User::processCompletedSyncItem in #5118
- Make user status selector modal, show user header in #5145
- properly escape a path when creating a test file during tests in #5151
- Add support cmake unity build in #5109
- Fix typo of connector in #5157
- fully qualify types in signals and slots in #5088
- Remove reference to inexistent property in NCCustomButton in #5173
- Fix ActivityList delegate warnings in #5172
- Ensure forcing a folder to be synced unpauses syncing on said folder
in #5152
- switch back to upstream craft in #5178
- fix renaming of folders with a deep hierarchy inside them in #5182
- fix instances of: c++11 range-loop might detach Qt container warnings
in #5089
- Implement context menu entry "Leave this share" in #5081
- check that we update local file mtime on changes from server in #5188
- Add end-to-end tests to our CI in #5124
- Modernize the Dolphin action plugin in #5192
- Ci/do not modify configuration file duringtests in #5200
- cmake: Use FindPkgConfig's pkg_get_variable instead of custom macro in
#5199
- Fix tray window margins, stop cutting into window border in #5202
- fix regressions on pinState management when doing renames in #520
- Fix bad custom button alignments, sizings, etc. in #5189
- Ci/do not override configuration file in #5206
- Clearly tell user that E2EE has been enabled for an account in #5164
- Fix CfApiShellExtensionsIPCTest in #5209
- l10n: Fixed grammar in #5220
- Prevent bad encrypting of folder if E2EE has not been correctly set up
in #5223
- Remove close/dismiss button from encryption message in #5163
- Update macOS shell integration deployment targets in #5227
- Bugfix/case cash conflicts should not terminate sync in #5224
- Differentiate between E2EE not being enabled at all vs. E2EE being
enabled already through another device in account settings message in
#5179
- Ensure more QML text components are rendering things as plain text in
#5231
- l10n: Correct spelling in #5221
- Make use of plain text-enforcing qml labels in #5233
- Feature/edit file locally restart sync in #5175
- Fix CI errors for Edit Locally. in #5241
- Lock file when editing locally in #5226
- Format some QLabels as plain text in #5247
- do not create GUI from a random thread and show error on real error in
#5253
- Fix BasicComboBox internal layout in #5216
- Explicitly size and align user status selector text input to avoid
bugs with alternate QtQuick styles in #5214
- do not use bulk upload for e2ee files in #5256
- Only show mnemonic request dialog when user explicitly wants to enable
E2EE in #5181
- Replace share settings popup with a page on a StackView in #5194
- Add interactive NC Talk notifications on macOS in #5143
- Show file details within the tray dialog, rather than in a separate
dialog in #5139
- Silence sync termination errors when running EditLocallyJob. in #5261
- Fix typo in #5257
- Add an "Encrypt" menu entry in file browser context menu for folders
in #5263
- Add a nix flake for easy building and dev environments in #5007
- Add an internal link share to the share dialog in #5131
- Avoid the Get-Task-Allow Entitlement (macOS Notarization) in #5274
- sets a fixed version for pixman when building desktop client via Craft
in #5269
- Fix SyncEngineTest failure when localstate is destroyed. in #5273
- Feature/remove obsolete names in #5271
- Remove unused HeaderBanner component in #5245
- Feature/do not sync enc folders if e2ee is not setup in #5258
- fix migration from old settings configuration files in #5141
- Use QFileInfo::exists where we are only creating a QFileInfo to check
if file exists in #5291
- Make correct use of Qt signal 'emit' keyword in #5287
- Remove unused variables in #5290
- Declare all QRegularExpressions statically in #5289
- l10n: Remove space in #5297
- Feature/move shellextensions to root installdir in #5295
- Improve backup dark mode palette for Windows in #5298
- Allow setting up an account with apppassword and folder via
command-line arguments. For deployment. in #5296
- Update file's metadata in the local database when the etag changes
while file remains unchanged. Fix subsequent conflict when locking and
unlocking. in #5293
- Fix warnings on QPROPERTY-s in #5286
- Replace now deprecated FSEventStreamScheduleWithRunLoop with
FSEventStreamSetDispatchQueue in #5272
- Fix macOS shell integration class inits in #5299
- Drop dependency on Qt Quick Controls 1 in #5309
- Fix full-text search results not being opened in browser in #5279
- Feature/allow forceoverrideurl via command line in #5329
- Bugfix/e2ee vulnerability empty metadatakeys in #5323
- Always generate random initialization vector when uploading encrypted
file in #5324
- Fix bad string for translation. in #5358
- Update legal notice to 2023 in #5361
- Fix migration from legacy client when override server url is set in
#5322
- Don't try to lock folders when editing locally in #5317
- Fix fetch more unified search result item not being clickable in #5266
- Add ability to disable E2EE in #5167
- Remove unused monochrome icons setting in #5366
- Feature/sync with case clash names in #5232
- Edit locally. Do not lock if locking is disabled on the server. in
#5371
- Revert "Merge pull request #5366 from
nextcloud/bugfix/remove-mono-icons-setting" in #5372
- Open calendar notifications in the browser. in #4684
- Migrate old configs in #5362
- Always unlock E2EE folders, even when network failure or crash. in
#5370
- Fix displaying of file details button for local syncfileitem
activities in #5380
- Improve config upgrade warning dialog in #5386
- Backport/5385/stable 3.7 in #5388
- Update to 3.6.6
- Revert "Fix(l10n): capital_abcd Update translations from Transifex"
33f3975
- Update to 3.6.5
- do not assert when sharing to a circle in #5310
- Fix macOS shell integration class inits in #5311
- Drop dependency on Qt Quick Controls 1 in #5312
- Feature/allow forceoverrideurl via command line in #5332
- Fix typo in #5270
- check that we update local file mtime on changes from server in #5321
- fix regressions on pinState management when doing renames in #5333
- Always generate random initialization vector when uploading encrypted
file in #5334
- Fix SyncEngineTest failure when localstate is destroyed. in #5336
- Bugfix/e2ee vulnerability empty metadatakeys in #5335
- Update to 3.6.4
- do not create GUI from a random thread and show error on real error
- Update to 3.6.3
- Fix typo of connector
- fix renaming of folders with a deep hierarchy inside them
- Make user status selector modal, show user header
- Prevent bad encrypting of folder if E2EE has not been correctly set up
- Feature/edit file locally restart sync
- Add forcefoldersync method to folder manager
- Make use of plain text-enforcing qml labels
- Lock file when editing locally
- Format some QLabels as plain text
- Update to 3.6.2
- Fix call notification dialog buttons by @backportbot-nextcloud in #5075
- emit missing signal to update folder sync status icon by
@backportbot-nextcloud in #5090
- Fix macOS autoupdater settings by @backportbot-nextcloud in #5103
- Validate and sanitise edit locally token and relpath before sending to
server by @backportbot-nextcloud in #5106
- Fix compatibility with newer python3-nautilus by
@backportbot-nextcloud in #5112
- Refactor FolderMan's "Edit Locally" capabilities as separate class by
@backportbot-nextcloud in #5111
- use new public API to open an edit locally URL by
@backportbot-nextcloud in #5117
- Use separate variable for cfg file name in CMAKE. by
@backportbot-nextcloud in #5140
- Fix stable-3.6 compile on macOS by @claucambra in #5154
- Fix bad backport of CustomButton changes in Stable-3.6 by @claucambra
in #5155
- Backport/5067/stable 3.6 by @allexzander in #5153
- Backport/5092/stable 3.6 by @allexzander in #5156
- properly escape a path when creating a test file during tests by
@backportbot-nextcloud in #5158
- Split out the dbus service related files that provides libcloudproviders
integration for nextcloud desktop client into a separate package; when
this is installed, launching any app supporting libowncloudproviders
(e.g. nautilus on GNOME) will automatically launch the desktop client --
which is rather annoying to happen by default, esp. in cases where a
user does not even have a nextcloud account (gh#nextcloud/desktop#1982,
gh#nextcloud/desktop#2622).
- Make the extension work again on Nautilus 43. This patch also supports
previous Nautilus versions.
- Update to 3.6.1
- Fix wrong estimated time when doing sync.
- Bugfix/selective sync abort error
- Bugfix/conflict resolution when selecting folder
- Fix menu bar height calculation on macOS
- Fix add account window text clipping, enlarge text
- Accept valid lsColJob reply XML content types
- Fix low-resolution file changed overlay icons in activities
- Deallocate call notification dialog objects when closed
- Ensure that the file being processed has had its etag properly
sanitised, log etag more
- Ensure strings in main window QML are presented as plain text and not
HTML
- Do not format text in QML components as HTML
- Fix two factor authentication notification
- Bring back .lnk files on Windows and always treat them as non-virtual
files.
- Fix 'Reply' primary property.
- Update after tx migrate
- Command-line client. Do not trust SSL certificates by default, unless
'--trust' option is set.
- Fix invisible user status selector button not being checked when user
is in Offline mode
- Fix link shares default expire date being enforced as maximum expire
date even when maximum date enforcement is disabled on the server
- Backport/4989/stable 3.6
- use correct version comparison on NSIS updater: fix update from rc
- Improve 'Handle local file editing' feature. Add loading popup. Add
f…
- Backport/5039/bugfix/check token for edit locally requests
- Fix account not found when doing local file editing.
- Fix two factor auth notification: activity item was disabled.
- Fix predefined status text formatting
- Fix sync progress bar colours in dark mode
- Improve handling of file name clashes
- Ensure placeholder message in emoji picker wraps correctly
- Update to 3.6.0
- Fix crash in cldapi.dll
- Updating command-rebase.yml workflow from template
- Reply button size should be same as the input field, smaller + text
color
- Fix crashing when selecting user status and predefined statuses not
appearing
- Make user status dialog look in line with the rest of the desktop
client tray and Nextcloud
- Add a placeholder message for the recents tab of the emoji picker
- Add SVG icon styled for macOS Big Sur
- Ensure the dispatch source only gets deallocated after the
dispatch_source_cancel is done, avoiding crashing of the Finder Sync
Extension on macOS
- Properly adapt the UserStatusSelectorModel to QML, eliminate hacks,
make code more declarative
- Fix the system tray menu not being correctly replaced in
setupContextMenu on GNOME
- Make the share dialog resizeable
- Make client language gender-neutral and more clear
- Use an en-dash for the userstatus panel
- Close call notifications when the call has been joined by the user, or
the call has ended
- Correct spelling
- Print sync direction in SyncFileStatusTracker::slotAboutToPropagate
- Windows CI. Use specific Craft revision.
- Add 'db/local/remote' reference to log string.
- Work around issues with window positioning on Linux DEs, hardcode tray
window to screen center when new account added
- Add a custom back button to the account wizard's advanced setup page
- Clean up systray methods, make more QML-friendly
- Refactor tray window opening code for clarity and efficiency
- Increase the call state checking interval to not overload the server
- Fix bad quote in CMakeLists PNG generation message
- Only set _FORTIFY_SOURCE when a higher level of this flag has not been
set
- Switch to using the main client CI image based on ubuntu 22.04
- Limit concurrent notifications
- Use macOS-specific application icon
- QML-ify the UserModel, use properties rather than setter methods
- Take ints by value rather than reference in UserModel methods
- Feature/vfs windows thumbnails
- Respect skipAutoUpdateCheck in nextcloud.cfg with Sparkle on macOS
- Restyle unified search skeleton items animation and simplify their code
- Stop styling QML unified search items hierarchically, use global Style
constants
- Use preprocessor directive rather than normal 'if' for UNNotification
types
- Make apps menu scrollable when content taller than available vertical
space, preventing borking of layout
- Ensure that throttled notifications still appear in tray activity model
- Stop clearing notifications when new notifications are received
- Fix ActivityItemContent QML paintedWidth errors
- Clicking on an activity list item for a file opens the local file if
available
- Replace unified search text field busy indicator with custom indicator
- Update macOS Info.plist
- Ensure debug archive contents are readable by any user
- Remove Ubuntu Impish, add Kinetic
- Make UserStatusSelector a dismissible page pushed onto the tray window
- Feature/handle edit locally
- Add Debian Bullseye build
- Double-clicking tray icon opens currently-selected user's local folder
(if available)
- Clean up TalkReplyTextField, remove unnecessary parent Item
- Refactor user line
- Do not reboot PC when running an MSI via autoupdate.
- Always run MSI with full UI.
- Eliminate padding around the menu separator in the account menu
- Feature/enable more warnings also for gcc
- Move CFAPI shell extensions variables to root CMakeLists.
- Move URI scheme variable from Nextcloud.cmake to root CMakeLists.
- Ensure SyncEngine use an initialized instance of SyncOptions
- Fix QML warnings
- I18n: Spelling unification
- Fix crash: 'Failed to create OpenGL context'.
- Fix bugs with setting 'Away' user status
- Fix greek translation for application name in menu
- Align, resize, and layout everything uniformly in the unified search
view
- Remove libglib-2.0.so.0 and libgobject-2.0.so.0 from Appimage.
- Fix unified search item placeholder image source
- Use same tooltip component everywhere, fix tooltip clipping bugs
- Fix account switching and hover issues with UserLine component
- Remove Ubuntu Focal
- Add a ScrollView to the predefined statuses area of the
UserStatusSelector
- Prevent the 'Cancel' button of the user status selector getting
squashed
- Ensure that clear status message combo box is at least implicit width
- Fix alignment of predefined status contents regardless of emoji fonts
- Prevent crashing when trying to create error-ing QML component in
systray.cpp, output error to log
- Add CHANGELOG.md.
- Ensure file activity dialog is centered on screen and appears at top
of window stack
- Build script for AppImage should not assume Nextcloud is the name
- Fix File Activities dialog not showing up.
- Reads and store fileId and remote permissions during bulk upload
- Do not build qt keychain already included in the CI images
- Bugfix/web engine on win11
- Update CHANGELOG for the 3.6.0 release.
- Fix script that uploads AppImage to go in correct path
- Update to 3.5.4
- Add and use DO_NOT_REBOOT_IN_SILENT=1 parameter for MSI to not reboot
during the auto-update.
- Update to 3.5.3
- Fix the system tray menu not being correctly replaced in
setupContextMenu on GNOME
- Ensure call notification stays on top of other windows
- Work around issues with window positioning on Linux DEs, hardcode tray
window to screen center when new account added
- Clean up systray methods, make more QML-friendly
- Refactor tray window opening code for clarity and efficiency
- Only set _FORTIFY_SOURCE when a higher level of this flag has not been
set
- Limit concurrent notifications
- Take ints by value rather than reference in UserModel methods
- Respect skipAutoUpdateCheck in nextcloud.cfg with Sparkle on macOS
- Use preprocessor directive rather than normal 'if' for UNNotification
types
- QML-ify the UserModel, use properties rather than setter methods
- Fix ActivityItemContent QML paintedWidth errors
- Stop clearing notifications when new notifications are received
- Ensure debug archive contents are readable by any user
- Stop styling QML unified search items hierarchically, use global Style
constants
- Update macOS Info.plist
- print sync direction in SyncFileStatusTracker::slotAboutToPropagate
- Remove Ubuntu Impish, add Kinetic
- Ensure that throttled notifications still appear in tray activity model
- Make apps menu scrollable when content taller than available vertical
space, preventing borking of layout
- Update to 3.5.2
- Explicitly ask user for notification authorisation on launch (macOS)
- Fix crash caused by overflow in FinderSyncExtension
- add new fixup workflow from nextcloud org
- Display chat message inside the OS notification.
- Fix 'TypeError: Cannot readproperty 'messageSent' of undefined'.
- Add a transparent background to the send reply button.
- Fix build on macOS versions pre-11 (down to 10.14)
- Ignore Office temp folders on Mac ('.sb-' in folder name).
- Remove assert, it is no longer useful.
- Add contrast to the text/icon of buttons if the server defined color
is light.
- fix general section
- Remove tooltip because it is only repeating the label of the link.
- bugfix/share-dialog
- Updating command-rebase.yml workflow from template
- Reply button size should be same as the input field, smaller + text
color
- Close call notifications when the call has been joined by the user, or
the call has ended
- Increase the call state checking interval to not overload the server
- Ensure the dispatch source only gets deallocated after the
dispatch_source_cancel is done, avoiding crashing of the Finder Sync
Extension on macOS
* A more future-proof and distribution friendly fix for boo#1201070
- Fix Tumbleweed build and install error boo#1201070. Use own CFLAGS for
Tumbleweed with -D_FORTIFY_SOURCE=2 instead of -D_FORTIFY_SOURCE=3.
- Update to 3.5.1
- Add new and correct sparkle update signature
- l10n: Remove string from translation
- l10n: Changed triple dot to ellipsis
- Ensure cache is stored in default cache location
- Updating command-rebase.yml workflow from template
- Remove "…" from "Create Debug Archive" button
- docs: Replace "preceded" with "followed"
- only add OCS-APIREQUEST header for 1st request of webflow v1
- Make the make_universal.py script more verbose for easier debugging
- Revamp notifications for macOS and add support for actionable update
notifications
- Use proper online status for user ('dnd', 'online', 'invisible', etc.)
to enable or disable desktop notifications.
- Bugfix. Take root folder's files size into account when displaying the
total size in selective sync dialog.
- Fix activity list item issues with colours/layout/etc.
- Bugfix/allow manual rename files with spaces
- Fixed share link expiration box being ineditable and always attempting
to set invalid date
- Fix crashing of finder sync extension caused by dispatch_source_cancel
of nullptr
- Simplify and remove the notification "cache"
- Fix tray icon not displaying "Open main dialog"
- if an exclude file is deleted, skip it and remove it from internal list
- Bugfix/two factor notification
- Fix visual borking in the share dialog
- add explicit capture for lambda
- Update to 3.5.0
- Require cmake 3.16
- Add testing for ActivityListModel
- Check for dbus-1 when building with cloudproviders
- Add ability to copy internal link from share dialog
- Feature/improve activity buttons
- Add thumbnails for files in the activity view
- Use proper API to dehydrate a placeholder file
- Feature/Talk Reply v1
- Ensure we emit a rename command for renamed files
- Remove Hirsute, add Jammy
- Allow account menu to scroll when content height is larger than menu
height
- Always build with updater. Use 'beta/stable' channel selector in
'General Settings' dialog with default 'stable'.
- Cmake option to disable proxy
- Add support for server color theming
- No longer assume status bar height, calculate, fixing notch borking on
new MacBook Pro
- Add a dark mode
- Generates pot files automatically.
- Add headers in cmake files to get them properly detected
- Ensure that bulk upload network job errors are handled
- Do not remove a folder that has files that were not uploaded yet
during propagation
- L10n: Change to lowercase
- Simplify currentScreen in systray.cpp
- Fix warn colour in dark mode
- Do not remove files from a Group folder and its nested folders when it
is renamed or removed while not allowed.
- Rollback local move on server move failure
- Implement local socket to communicate with finder extension
- Bugfix/prevent overflow with mtime
- L10n: Changed spelling
- Add 'Help' action back.
- Ensure file activity dialog appears in centre of screen
- Increase maximum text line count in tray activity items to two lines
- Fix file activity dialog
- Properly ask Qt to create qml opengl surface with proper options
- Old submodule url does not work any longer
- Old submodule url does not work any longer
- Prepare for 3.5.0-rc1
- Fix icon color and highlight color issues
- Fix for VFS crashes due to mimetype checking for thumbnails
- Fix various dark mode bugs
- Add a new yml github issue template for bug reports.
- Ensure we only store update channel not localized in settings
- Improve talk reply
- Prepare for 3.5.0-rc2
- Bugfix/talk reply part 2
- Darkmode. Fix crash on exit.
- Avoid deleting renamed file with spaces in name
- More dark mode fixes
- Ensure we do properly failed hydration jobs
- Fix build of appimage for branded clients
- Prepare for 3.5.0-rc3
- Feature/files lock
- Add call notification dialog.
- Fix thumbnails for new files made while client open
- Increase time between connection tries
- Improve contrast on server color themed elements
- Fix positioning of activities in the activities list
- Bugfix/activities fetch server overload
- Realigned and resized thumbnails
- Add user avatars in talk notifications in activity list
- Fix sparkle implementation in the desktop client
- Prepare 3.5.0-rc4
- Prepare final 3.5.0 release
- Update to 3.4.4
- Do not remove files from a Group folder and its nested folders when it
is renamed or removed while not allowed.
- Bugfix/prevent overflow with mtime
- Old submodule url does not work any longer
- Update to 3.4.3
- Remove Hirsute, add Jammy
- Cmake option to disable proxy
- ensure we emit a rename command for renamed files
- Makes sure that sync engine terminates when an error happens
- ensure that bulk upload network job errors are handled
- Rollback local move on server move failure
- Do not remove a folder that has files that were not uploaded yet
during propagation
- Update to 3.4.2
- Bugfix/force re-login on SSL Handshake error
- Do not display 'Conflict when uploading some files to a folder
- Windows. MSI. Unregister Nextcloud folders in SyncRootManager on
uninstall.
- Unbreak loading translations
- Hide share button for deleted files and ignored files in tray activity
- Display error message when creating a link share with compromised
password.
- Bugfix. Re-init sharing manager to enable link sharing UI when
receiving sharing permissions.
- Show only filenames in tray activity items, with full path in tooltip
- use proper API to dehydrate a placeholder file
- Add macOS *.textClipping files to ignore list
- Update to 3.4.1
- fix random error when updating CfApi metadata
- do not forget the path when renaming files with invalid names
- Bugfix/assert invalid modtime
- Feature/folder logo variations
- Always prefill username from Windows login name based on server version
- Bugfix/3.4.1 rc1
- Bugfix/sync stuck on error
- Bugfix/force download local invalid files
- Enforce VFS. Disable 'Make always available locally'.
- Bugfix/avoid sync getting stuck
- Fix CMake error in ECMAddAppIcon for mac
- Do not crash on findAndCancelDeletedJob
- ensure any errors after calling FileSystem::getModTime are handled
- Skipped version 3.4.0 because of modtime bug: See:
https://github.com/nextcloud/desktop/pull/4049 Please read the following
wiki page How to fix files invalid modification date:
https://github.com/nextcloud/desktop/wiki/Fix-bug-invalid-modification-date
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Backports SLE-15-SP4:
zypper in -t patch openSUSE-2023-90=1
Package List:
- openSUSE Backports SLE-15-SP4 (aarch64 x86_64):
libnextcloudsync-devel-3.8.0-bp154.2.3.1
libnextcloudsync0-3.8.0-bp154.2.3.1
nextcloud-desktop-3.8.0-bp154.2.3.1
nextcloud-desktop-dolphin-3.8.0-bp154.2.3.1
- openSUSE Backports SLE-15-SP4 (noarch):
caja-extension-nextcloud-3.8.0-bp154.2.3.1
cloudproviders-extension-nextcloud-3.8.0-bp154.2.3.1
nautilus-extension-nextcloud-3.8.0-bp154.2.3.1
nemo-extension-nextcloud-3.8.0-bp154.2.3.1
nextcloud-desktop-doc-3.8.0-bp154.2.3.1
nextcloud-desktop-lang-3.8.0-bp154.2.3.1
References:
https://www.suse.com/security/cve/CVE-2022-39331.html
https://www.suse.com/security/cve/CVE-2022-39332.html
https://www.suse.com/security/cve/CVE-2022-39333.html
https://www.suse.com/security/cve/CVE-2022-39334.html
https://www.suse.com/security/cve/CVE-2023-23942.html
https://bugzilla.suse.com/1201070
https://bugzilla.suse.com/1205798
https://bugzilla.suse.com/1205799
https://bugzilla.suse.com/1205800
https://bugzilla.suse.com/1205801
https://bugzilla.suse.com/1207976

openSUSE-SU-2023:0087-1: important: Security update for seamonkey
by opensuse-security@opensuse.org 11 Apr '23
openSUSE Security Update: Security update for seamonkey
______________________________________________________________________________
Announcement ID: openSUSE-SU-2023:0087-1
Rating: important
References:
Affected Products:
openSUSE Backports SLE-15-SP4
______________________________________________________________________________
An update that contains security fixes can now be installed.
Description:
SeaMonkey was updated to 2.53.16:
* No throbber in plaintext editor bug 85498.
* Remove unused gridlines class from EdAdvancedEdit bug 1806632.
* Remove ESR 91 links from debugQA bug 1804534.
* Rename devtools/shim to devtools/startup bug 1812367.
* Remove unused seltype=text|cell css bug 1806653.
* Implement new shared tree styling bug 1807802.
* Use `win.focus()` in macWindowMenu.js bug 1807817.
* Remove WCAP provider bug 1579020.
* Remove ftp/file tree view support bug 1239239.
* Change calendar list tree to a list bug 1561530.
* Various other updates to the calendar code.
* Continue the switch from Python 2 to Python 3 in the build system.
* Verified compatibility with Rust 1.66.1.
* SeaMonkey 2.53.16 uses the same backend as Firefox and contains the
relevant Firefox 60.8 security fixes.
* SeaMonkey 2.53.16 shares most parts of the mail and news code with
Thunderbird. Please read the Thunderbird 60.8.0 release notes for
specific security fixes in this release.
* Additional important security fixes up to Current Firefox 102.9 and
Thunderbird 102.9 ESR plus many enhancements have been backported. We
will continue to enhance SeaMonkey security in subsequent 2.53.x beta
and release versions as fast as we are able to.
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Backports SLE-15-SP4:
zypper in -t patch openSUSE-2023-87=1
Package List:
- openSUSE Backports SLE-15-SP4 (aarch64 i586 x86_64):
seamonkey-2.53.16-bp154.2.6.2
seamonkey-debuginfo-2.53.16-bp154.2.6.2
seamonkey-debugsource-2.53.16-bp154.2.6.2
seamonkey-dom-inspector-2.53.16-bp154.2.6.2
seamonkey-irc-2.53.16-bp154.2.6.2
References:

openSUSE-SU-2023:0088-1: important: Security update for upx
by opensuse-security@opensuse.org 11 Apr '23
openSUSE Security Update: Security update for upx
______________________________________________________________________________
Announcement ID: openSUSE-SU-2023:0088-1
Rating: important
References: #1183510 #1184701 #1184702 #1207121 #1207122
#1209765 #1209766 #1209767 #1209768 #1209769
#1209770 #1209771
Cross-References: CVE-2021-20285 CVE-2021-30500 CVE-2021-30501
CVE-2021-43311 CVE-2021-43312 CVE-2021-43313
CVE-2021-43314 CVE-2021-43315 CVE-2021-43316
CVE-2021-43317 CVE-2023-23456 CVE-2023-23457
CVSS scores:
CVE-2021-20285 (NVD) : 6.6 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H
CVE-2021-30500 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2021-30501 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
CVE-2021-43311 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE-2021-43312 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE-2021-43313 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE-2021-43314 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE-2021-43315 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE-2021-43316 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE-2021-43317 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE-2023-23456 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
CVE-2023-23457 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Affected Products:
openSUSE Backports SLE-15-SP4
______________________________________________________________________________
An update that fixes 12 vulnerabilities is now available.
Description:
upx was updated to fix the following issues:
Update to release 4.0.2
* Fix unpack of ELF x86-64 that failed with "CantUnpackException: corrupt
b_info"
* Resolve SEGV on PackLinuxElf64::invert_pt_dynamic
- CVE-2021-30500: Fixed Null pointer dereference in
PackLinuxElf:canUnpack() in p_lx_elf.cpp
- CVE-2021-30501: Fixed Assertion abort in function MemBuffer:alloc()
- CVE-2021-43311: Fixed Heap-based buffer overflow in
PackLinuxElf32:elf_lookup() at p_lx_elf.cpp
- CVE-2021-43312: Fixed Heap-based buffer overflow in
PackLinuxElf64:invert_pt_dynamic at p_lx_elf.cpp:5239
- CVE-2021-43313: Fixed Heap-based buffer overflow in
PackLinuxElf32:invert_pt_dynamic at p_lx_elf.cpp:1688
- CVE-2021-43314: Fixed Heap-based buffer overflows in
PackLinuxElf32:elf_lookup() at p_lx_elf.cp
- CVE-2021-43315: Fixed Heap-based buffer overflows in
PackLinuxElf32:elf_lookup() at p_lx_elf.cp
- CVE-2021-43316: Fixed Heap-based buffer overflow in func get_le64()
- CVE-2021-43317: Fixed Heap-based buffer overflows in
PackLinuxElf64:elf_lookup() at p_lx_elf.cp
- CVE-2023-23456: Fixed heap-buffer-overflow in PackTmt:pack()
- CVE-2023-23457: Fixed SEGV on PackLinuxElf64:invert_pt_dynamic() in
p_lx_elf.cpp
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Backports SLE-15-SP4:
zypper in -t patch openSUSE-2023-88=1
Package List:
- openSUSE Backports SLE-15-SP4 (aarch64 ppc64le s390x x86_64):
upx-4.0.2-bp154.4.6.1
upx-debuginfo-4.0.2-bp154.4.6.1
upx-debugsource-4.0.2-bp154.4.6.1
References:
https://www.suse.com/security/cve/CVE-2021-20285.html
https://www.suse.com/security/cve/CVE-2021-30500.html
https://www.suse.com/security/cve/CVE-2021-30501.html
https://www.suse.com/security/cve/CVE-2021-43311.html
https://www.suse.com/security/cve/CVE-2021-43312.html
https://www.suse.com/security/cve/CVE-2021-43313.html
https://www.suse.com/security/cve/CVE-2021-43314.html
https://www.suse.com/security/cve/CVE-2021-43315.html
https://www.suse.com/security/cve/CVE-2021-43316.html
https://www.suse.com/security/cve/CVE-2021-43317.html
https://www.suse.com/security/cve/CVE-2023-23456.html
https://www.suse.com/security/cve/CVE-2023-23457.html
https://bugzilla.suse.com/1183510
https://bugzilla.suse.com/1184701
https://bugzilla.suse.com/1184702
https://bugzilla.suse.com/1207121
https://bugzilla.suse.com/1207122
https://bugzilla.suse.com/1209765
https://bugzilla.suse.com/1209766
https://bugzilla.suse.com/1209767
https://bugzilla.suse.com/1209768
https://bugzilla.suse.com/1209769
https://bugzilla.suse.com/1209770
https://bugzilla.suse.com/1209771

openSUSE-SU-2023:0083-1: important: Security update for nextcloud
by opensuse-security@opensuse.org 03 Apr '23
openSUSE Security Update: Security update for nextcloud
______________________________________________________________________________
Announcement ID: openSUSE-SU-2023:0083-1
Rating: important
References: #1203190 #1205802 #1208591
Cross-References: CVE-2022-35931 CVE-2022-39346 CVE-2023-25579
CVSS scores:
CVE-2022-35931 (NVD) : 2.7 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N
CVE-2022-39346 (NVD) : 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CVE-2023-25579 (NVD) : 6 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L
Affected Products:
openSUSE Backports SLE-15-SP4
______________________________________________________________________________
An update that fixes three vulnerabilities is now available.
Description:
This update for nextcloud fixes the following issues:
- Update to 23.0.12 See: https://nextcloud.com/changelog/#latest23
- This also fixes security issues:
- CVE-2022-35931: Password Policy app could generate passwords that
would be blocked (boo#1203190)
- CVE-2022-39346: Missing length validation of user displayname allows
generating an SQL error (boo#1205802)
- CVE-2023-25579: Potential directory traversal in
OC\Files\Node\Folder::getFullPath (boo#1208591)
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Backports SLE-15-SP4:
zypper in -t patch openSUSE-2023-83=1
Package List:
- openSUSE Backports SLE-15-SP4 (noarch):
nextcloud-23.0.12-bp154.2.3.1
nextcloud-apache-23.0.12-bp154.2.3.1
References:
https://www.suse.com/security/cve/CVE-2022-35931.html
https://www.suse.com/security/cve/CVE-2022-39346.html
https://www.suse.com/security/cve/CVE-2023-25579.html
https://bugzilla.suse.com/1203190
https://bugzilla.suse.com/1205802
https://bugzilla.suse.com/1208591