openSUSE-SU-2021:1068-1: important: Security update for nextcloud
openSUSE Security Update: Security update for nextcloud ______________________________________________________________________________ Announcement ID: openSUSE-SU-2021:1068-1 Rating: important References: #1181445 #1181803 #1181804 #1188247 #1188248 #1188249 #1188250 #1188251 #1188252 #1188253 #1188254 #1188255 #1188256 Cross-References: CVE-2020-8293 CVE-2020-8294 CVE-2020-8295 CVE-2021-32678 CVE-2021-32679 CVE-2021-32680 CVE-2021-32688 CVE-2021-32703 CVE-2021-32705 CVE-2021-32725 CVE-2021-32726 CVE-2021-32734 CVE-2021-32741 CVSS scores: CVE-2020-8293 (NVD) : 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2020-8294 (NVD) : 5.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N CVE-2021-32680 (NVD) : 3.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N CVE-2021-32688 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Affected Products: openSUSE Leap 15.2 openSUSE Backports SLE-15-SP3 openSUSE Backports SLE-15-SP2 openSUSE Backports SLE-15-SP1 ______________________________________________________________________________ An update that fixes 13 vulnerabilities is now available. Description: This update for nextcloud fixes the following issues: nextcloud was updated to 20.0.11: - Fix boo#1188247 - CVE-2021-32678: OCS API response ratelimits are not applied - Fix boo#1188248 - CVE-2021-32679: filenames where not escaped by default in controllers using DownloadResponse - Fix boo#1188249 - CVE-2021-32680: share expiration date wasn't properly logged - Fix boo#1188250 - CVE-2021-32688: lacking permission check with application specific tokens - Fix boo#1188251 - CVE-2021-32703: lack of ratelimiting on the shareinfo endpoint - Fix boo#1188252 - CVE-2021-32705: lack of ratelimiting on the public DAV endpoint - Fix boo#1188253 - CVE-2021-32725: default share permissions were not being respected for federated reshares of files and folders - Fix boo#1188254 - CVE-2021-32726: webauthn tokens were not deleted after a user has been deleted - Fix boo#1188255 - CVE-2021-32734: possible full path disclosure on shared files - Fix boo#1188256 - CVE-2021-32741: lack of ratelimiting on the public share link mount endpoint - Bump handlebars from 4.7.6 to 4.7.7 (server#26900) - Bump lodash from 4.17.20 to 4.17.21 (server#26909) - Bump hosted-git-info from 2.8.8 to 2.8.9 (server#26920) - Don't break OCC if an app is breaking in it's Application class (server#26954) - Add bruteforce protection to the shareinfo endpoint (server#26956) - Ignore readonly flag for directories (server#26965) - Throttle MountPublicLinkController when share is not found (server#26971) - Respect default share permissions for federated reshares (server#27001) - Harden apptoken check (server#27014) - Use parent wrapper to properly handle moves on the same source/target storage (server#27016) - Fix error when using CORS with no auth credentials (server#27027) - Fix return value of getStorageInfo when 'quota_include_external_storage' is enabled (server#27108) - Bump patch dependencies (server#27183) - Use noreply@ as email address for share emails (server#27209) - Bump p-queue from 6.6.1 to 6.6.2 (server#27226) - Bump browserslist from 4.14.0 to 4.16.6 (server#27247) - Bump webpack from 4.44.1 to 4.44.2 (server#27297) - Properly use limit and offset for search in Jail wrapper (server#27308) - Make user:report command scale (server#27319) - Properly log expiration date removal in audit log (server#27325) - Propagate throttling on OCS response (server#27337) - Set umask before operations that create local files (server#27349) - Escape filename in Content-Disposition (server#27360) - Don't update statuses to offline again and again (server#27412) - Header must contain a colon (server#27456) - Activate constraint check for oracle / pqsql also for 20 (server#27523) - Only allow removing existing shares that would not be allowed due to reshare restrictions (server#27552) - Bump ws from 7.3.1 to 7.5.0 (server#27570) - Properly cleanup entries of WebAuthn on user deletion (server#27596) - Throttle on public DAV endpoint (server#27617) - Bump vue-loader from 15.9.3 to 15.9.7 (server#27639) - Bump eslint-plugin-standard from 4.0.1 to 4.0.2 (server#27651) - Validate the theming color also on CLI (server#27680) - Downstream encryption:fix-encrypted-version for repairing bad signature errors (server#27728) - Remove encodeURI code (files_pdfviewer#396) - Only ask for permissions on HTTPS (notifications#998) - Fix sorting if one of the file name is only composed with number (photos#785) - Backport 20 fix Photos not shown in large browser windows #630 (#686) (photos#810) - Update File.vue (photos#813) - Update chart.js (serverinfo#309) - Only return workspace property for top node in a propfind request (text#1611) - ViewerComponent: pass on autofocus to EditorWrapper (text#1647) - Use text/plain as content type for fetching the document (text#1692) - Log exceptions that happen on unknown exception and return generic messages (text#1698) - Add fixup (viewer#924) - Fix: fullscreen for Firefox (viewer#929) Update to 20.0.7 - Catch NotFoundException when querying quota (server#25315) - CalDAV] Validate notified emails (server#25324) - Fix/app fetcher php compat comparison (server#25347) - Show the actual error on share requests (server#25352) - Fix parameter provided as string not array (server#25366) - The objectid is a string (server#25374) - 20.0.7 final (server#25387) - Properly handle SMB ACL blocking scanning a directory (server#25421) - Don't break completely when creating the digest fail for one user (activity#556) - Only attempt to use a secure view if hide download is actually set (files_pdfviewer#296) - Fix opening PDF files with special characters in their name (files_pdfviewer#298) - Fix PDF viewer failing on Edge (not based on Chromium) (files_pdfviewer#299) - Cannot unfold plain text notifications (notifications#846) - Remove EPUB mimetype (text#1391) Update to 20.0.6 - Make sure to do priority app upgrades first (server#25077) - Respect DB restrictions on number of arguments in statements and queries (server#25120) - Add a hint about the direction of priority (server#25143) - Do not redirect to logout after login (server#25146) - Fix comparison of PHP versions (server#25152) - Add "composer.lock" for acceptance tests to git (server#25178) - Update CRL due to revoked gravatar.crl (server#25190) - Don't log keys on checkSignature (server#25193) - Update 3rdparty after Archive_Tar (server#25199) - Bump CA bundle (server#25219) - Update handling of user credentials (server#25225) - Fix encoding issue with OC.Notification.show (server#25244) - Also use storage copy when dav copying directories (server#25261) - Silence log message (server#25263) - Extend ILDAPProvider to allow reading arbitrairy ldap attributes for users (server#25276) - Do not obtain userFolder of a federated user (server#25278) - Bump pear/archive_tar from 1.4.11 to 1.4.12 (3rdparty#603) - Add gitignore entry for .github folder of dependencies (3rdparty#604) - Clear event array on getting them (activity#551) Update to 20.0.5 - Don't log params of imagecreatefromstring (server#24546) - Use storage copy implementation when doing dav copy (server#24590) - Use in objectstore copy (server#24592) - Add tel, note, org and title search (server#24697) - Check php compatibility of app store app releases (server#24698) - Fix #24682]: ensure federation cloud id is retruned if FN property not found (server#24709) - Do not include non-required scripts on the upgrade page (server#24714) - LDAP: fix inGroup for memberUid type of group memberships (server#24716) - Cancel user search requests to avoid duplicate results being added (server#24728) - Also unset the other possible unused paramters (server#24751) - Enables the file name check also to match name of mountpoints (server#24760) - Fixes sharing to group ids with characters that are being url encoded (server#24763) - Limit getIncomplete query to one row (server#24791) - Fix Argon2 descriptions (server#24792) - Actually set the TTL on redis set (server#24798) - Allow to force rename a conflicting calendar (server#24806) - Fix IPv6 localhost regex (server#24823) - Catch the error on heartbeat update (server#24826) - Make oc_files_trash.auto_id a bigint (server#24853) - Fix total upload size overwritten by next upload (server#24854) - Avoid huge exception argument logging (server#24876) - Make share results distinguishable if there are more than one with the exact same display name (server#24878) - Add migration for oc_share_external columns (server#24963) - Don't throw a 500 when importing a broken ics reminder file (server#24972) - Fix unreliable ViewTest (server#24976) - Update root.crl due to revocation of transmission.crt (server#24990) - Set the JSCombiner cache if needed (server#24997) - Fix column name to check prior to deleting (server#25009) - Catch throwable instead of exception (server#25013) - Set the user language when adding the footer (server#25019) - Change defaultapp in config.sample.php to dashboard to improve docs and align it to source code (server#25030) - Fix clearing the label of a share (server#25035) - Update psalm-baseline.xml (server#25066) - Don't remove assignable column for now (server#25074) - Add setup check to verify that the used DB version is still supported��� (server#25076) - Correctly set the user for activity parsing when preparing a notifica��� (activity#542) - Bump vue-virtual-grid from 2.2.1 to 2.3.0 (photos#597) - Catch possible database exceptions when fetching document data (text#1221) - Make sure we have the proper PHP version installed before running composer (text#1234) - Revert removal of transformResponse (text#1235) - Bump prosemirror-view from 1.16.1 to 1.16.5 (text#1255) - Bump @babel/preset-env from 7.12.1 to 7.12.11 (text#1257) - Bump babel-loader from 8.1.0 to 8.2.2 (text#1259) - Bump eslint-plugin-standard from 4.0.2 to 4.1.0 (text#1261) - Bump vue-loader from 15.9.5 to 15.9.6 (text#1263) - Bump prosemirror-model from 1.12.0 to 1.13.1 (text#1265) - Bump core-js from 3.7.0 to 3.8.1 (text#1266) - Bump stylelint from 13.7.2 to 13.8.0 (text#1269) - Bump @babel/plugin-transform-runtime from 7.12.1 to 7.12.10 (text#1271) - Bump sass-loader from 10.0.5 to 10.1.0 (text#1273) - Bump webpack-merge from 5.3.0 to 5.7.2 (text#1274) - Bump @babel/core from 7.12.3 to 7.12.10 (text#1277) - Bump cypress from 5.1.0 to 5.6.0 (text#1278) - Bump @vue/test-utils from 1.1.1 to 1.1.2 (text#1279) - Bump webpack-merge from 5.7.2 to 5.7.3 (text#1303) - The apache subpackage must require the main package, otherwise it will not be uninstalled when the main package is uninstalled. Update to 20.0.4 - Avoid dashboard crash when accessibility app is not installed (server#24636) - Bump ini from 1.3.5 to 1.3.7 (server#24649) - Handle owncloud migration to latest release (server#24653) - Use string for storing a OCM remote id (server#24654) - Fix MySQL database size calculation (serverinfo#262) - Bump cypress-io/github-action@v2 (viewer#722) - Fix] sidebar opening animation (viewer#723) - Fix not.exist cypress and TESTING checks (viewer#725) - Put apache configuration files in separate subpackage. - Use apache-rpm-macros for SUSE. - Change oc_* macros to nc_* macros. - Insert macro apache_serverroot also in cron files. Update to 20.0.3 * Check quota of subdirectories when uploading to them (server#24181) * CircleId too short in some request (server#24196) * Missing level in ScopedPsrLogger (server#24212) * Fix nextcloud logo in email notifications misalignment (server#24228) * Allow selecting multiple columns with SELECT DISTINCT (server#24230) * Use file name instead of path in 'not allowed to share' message (server#24231) * Fix setting images through occ for theming (server#24232) * Use regex when searching on single file shares (server#24239) * Harden EncryptionLegacyCipher a bit (server#24249) * Update ScanLegacyFormat.php (server#24258) * Simple typo in comments (server#24259) * Use correct year for generated birthdays events (server#24263) * Delete files that exceed trashbin size immediately (server#24297) * Update sabre/xml to fix XML parsing errors (server#24311) * Only check path for being accessible when the storage is a object home (server#24325) * Avoid empty null default with value that will be inserted anyways (server#24333) * Fix contacts menu position and show uid as a tooltip (server#24342) * Fix the config key on the sharing expire checkbox (server#24346) * Set the display name of federated sharees from addressbook (server#24353) * Catch storage not available in versions expire command (server#24367) * Use proper bundles for files client and fileinfo (server#24377) * Properly encode path when fetching inherited shares (server#24387) * Formatting remote sharer should take protocol, path into account (server#24391) * Make sure we add new line between vcf groups exports (server#24443) * Fix public calendars shared to circles (server#24446) * Store scss variables under a different prefix for each theming config version (server#24453) * External storages: save group ids not display names in configuration (server#24455) * Use correct l10n source in files_sharing JS code (server#24462) * Set frame-ancestors to none if none are filled (server#24477) * Move the password fiels of chaging passwords to post (server#24478) * Move the global password for files external to post (server#24479) * Only attempt to move to trash if a file is not in appdata (server#24483) * Fix loading mtime of new file in conflict dialog in firefox (server#24491) * Harden setup check for TLS version if host is not reachable (server#24502) * Fix file size computation on 32bit platforms (server#24509) * Allow subscription to indicate that a userlimit is reached (server#24511) * Set mountid for personal external storage mounts (server#24513) * Only execute plain mimetype check for directories and do the fallback��� (server#24517) * Fix vsprint parameter (server#24527) * Replace abandoned log normalizer with our fork (server#24530) * Add icon to user limit notification (server#24531) * Also run repair steps when encryption is disabled but a legacy key is present (server#24532) * [3rdparty][security] Archive TAR to 1.4.11 (server#24534) * Generate a new session id if the decrypting the session data fails (server#24553) * Revert "Do not read certificate bundle from data dir by default" (server#24556) * Dont use system composer for autoload checker (server#24557) * Remember me is not an app_password (server#24563) * Do not load nonexisting setup.js (server#24582) * Update sabre/xml to fix XML parsing errors (3rdparty#529) * Use composer v1 on CI (3rdparty#532) * Bump pear/archive_tar from 1.4.9 to 1.4.11 (3rdparty#536) * Replace abandoned log normalizer with our fork (3rdparty#543) * Allow nullable values as subject params (activity#535) * Don't log when unknown array is null (notifications#803) * Feat/virtual grid (photos#550) * Make sure we have a string to localecompare to (photos#583) * Always get recommendations for dashboard if enabled (recommendations#336) * Properly fetch oracle database information (serverinfo#258) * Also register to urlChanged event to update RichWorkspace (text#1181) * Move away from GET (text#1214) Update to 20.0.2 * CVE-2020-8293: Fixed input validation which allowed users to store unlimited data in workflow rules (boo#1181445). * CVE-2020-8294: Fixed a missing link validation (boo#1181803). * Inidicate preview availability in share api responses (server#23419) * CalDavBackend: check if timerange is array before accessing (server#23563) * Some emojis are in CHAR_CATEGORY_GENERAL_OTHER_TYPES (server#23575) * Also expire share type email (server#23583) * Only use index of mount point when it is there (server#23611) * Only retry fetching app store data once every 5 minutes in case it fails (server#23633) * Bring back the restore share button (server#23636) * Fix updates of NULL appconfig values (server#23641) * Fix sharing input placeholder for emails (server#23646) * Use bigint for fileid in filecache_extended (server#23690) * Enable theming background transparency (server#23699) * Fix sharer flag on ldap:show-remnants when user owned more than a single share (server#23702) * Make sure the function signatures of the backgroundjob match (server#23710) * Check if array elements exist before using them (server#23713) * Fix default quota display value in user row (server#23726) * Use lib instead if core as l10n module in OC_Files (server#23727) * Specify accept argument to avatar upload input field (server#23732) * Save email as lower case (server#23733) * Reset avatar cropper before showing (server#23736) * Also run the SabreAuthInitEvent for the main server (server#23745) * Type the \OCP\IUserManager::callForAllUsers closure with Psalm (server#23749) * Type the \OCP\AppFramework\Services\IInitialState::provideLazyInitial��� (server#23751) * Don't overwrite the event if we use it later (server#23753) * Inform the user when flow config data exceeds thresholds (server#23759) * Type the \OCP\IUserManager::callForSeenUsers closure with Psalm (server#23763) * Catch errors when closing file conflict dialog (server#23774) * Document the backend registered events of LDAP (server#23779) * Fetch the logger and system config once for all query builder instances (server#23787) * Type the event dispatcher listener callables with Psalm (server#23789) * Only run phpunit when "php" changed (server#23794) * Remove bold font-weight and lower font-size for empty search box (server#23829) * No need to check if there is an avatar available, because it is gener��� (server#23846) * Ensure filepicker list is empty before populating (server#23850) * UserStatus: clear status message if message is null (server#23858) * Fix grid view toggle in tags view (server#23874) * Restrict query when searching for versions of trashbin files (server#23884) * Fix potentially passing null to events where IUser is expected (server#23894) * Make user status styles scoped (server#23899) * Move help to separate stylesheet (server#23900) * Add default font size (server#23902) * Do not emit UserCreatedEvent twice (server#23917) * Bearer must be in the start of the auth header (server#23924) * Fix casting of integer and boolean on Oracle (server#23935) * Skip already loaded apps in loadApps (server#23948) * Fix repair mimetype step to not leave stray cursors (server#23950) * Improve query type detection (server#23951) * Fix iLike() falsely turning escaped % and _ into wildcards (server#23954) * Replace some usages of OC_DB in OC\Share\* with query builder (server#23955) * Use query builder instead of OC_DB in trashbin (server#23971) * Fix greatest/least order for oracle (server#23975) * Fix link share label placeholder not showing (server#23992) * Unlock when promoting to exclusive lock fails (server#23995) * Make sure root storage is valid before checking its size (server#23996) * Use query builder instead of OC_DB in OC\Files\* (server#23998) * Shortcut to avoid file system setup when generating the logo URL (server#24001) * Remove old legacy scripts references (server#24004) * Fix js search in undefined ocs response (server#24012) * Don't leave cursors open (server#24033) * Fix sharing tab state not matching resharing admin settings (server#24044) * Run unit tests against oracle (server#24049) * Use png icons in caldav reminder emails (server#24050) * Manually iterate over calendardata when oracle is used (server#24058) * Make is_user_defined nullable so we can store false on oracle (server#24079) * Fix default internal expiration date enforce (server#24081) * Register new command db:add-missing-primary-keys (server#24106) * Convert the card resource to a string if necessary (server#24114) * Don't throw on SHOW VERSION query (server#24147) * Bump dompurify to 2.2.2 (server#24153) * Set up FS before querying storage info in settings (server#24156) * Fix default internal expiration date (server#24159) * CircleId too short in some request (server#24178) * Revert "circleId too short in some request" (server#24183) * Missing level in ScopedPsrLogger (server#24212) * Fix activity spinner on empty activity (activity#523) * Add OCI github action (activity#528) * Disable download button by default (files_pdfviewer#257) * Feat/dependabot ga/stable20 (firstrunwizard#442) * Fix loading notifications without a message on oracle (notifications#796) * Do not setup appdata in constructor to avoid errors causing the whole instance to stop working (text#1105) * Bump eslint-plugin-standard from 4.0.1 to 4.0.2 (text#1125) * Bump sass-loader from 10.0.1 to 10.0.5 (text#1134) * Bump webpack from 4.44.1 to 4.44.2 (text#1140) * Bump dependencies to version in range (text#1164) * Validate link on click (text#1166) * Add migration to fix oracle issues with the database schema (text#1177) * Bump cypress from 4.12.1 to 5.1.0 (text#1179) * Fix URL escaping of shared files (viewer#681) * Fix component click outside and cleanup structure (viewer#684) Update to 20.0.1 No changelog from upstream at this time. Update to 20.0.0 * Changes The three biggest features we introduce with Nextcloud 20 are: - Our new dashboard provides a great starting point for the day with over a dozen widgets ranging from Twitter and Github to Moodle and Zammad already available - Search was unified, bringing search results of Nextcloud apps as well as external services like Gitlab, Jira and Discourse in one place - Talk introduced bridging to other platforms including MS Teams, Slack, IRC, Matrix and a dozen others * Some other improvements we want to highlight include: - Notifications and Activities were brought together, making sure you won���t miss anything important - We added a ���status��� setting so you can communicate to other users what you are up to - Talk also brings dashboard and search integration, emoji picker, upload view, camera and microphone settings, mute and more - Calendar integrates in dashboard and search, introduced a list view and design improvements - Mail introduces threaded view, mailbox management and more - Deck integrates with dashboard and search, introduces Calendar integration, modal view for card editing and series of smaller improvements - Flow adds push notification and webhooks so other web apps can easily integrate with Nextcloud - Text introduced direct linking to files in Nextcloud - Files lets you add a description to public link shares + Read the full announcement on our blog - NC-SA-2020-037 - CVE-2020-8295: Fixed Denial of service attack when resetting the password for a user(boo#1181804) - Update to 20.0.11 - Fix boo#1188247 - CVE-2021-32678: OCS API response ratelimits are not applied - Fix boo#1188248 - CVE-2021-32679: filenames where not escaped by default in controllers using DownloadResponse - Fix boo#1188249 - CVE-2021-32680: share expiration date wasn't properly logged - Fix boo#1188250 - CVE-2021-32688: lacking permission check with application specific tokens - Fix boo#1188251 - CVE-2021-32703: lack of ratelimiting on the shareinfo endpoint - Fix boo#1188252 - CVE-2021-32705: lack of ratelimiting on the public DAV endpoint - Fix boo#1188253 - CVE-2021-32725: default share permissions were not being respected for federated reshares of files and folders - Fix boo#1188254 - CVE-2021-32726: webauthn tokens were not deleted after a user has been deleted - Fix boo#1188255 - CVE-2021-32734: possible full path disclosure on shared files - Fix boo#1188256 - CVE-2021-32741: lack of ratelimiting on the public share link mount endpoint - Bump handlebars from 4.7.6 to 4.7.7 (server#26900) - Bump lodash from 4.17.20 to 4.17.21 (server#26909) - Bump hosted-git-info from 2.8.8 to 2.8.9 (server#26920) - Don't break OCC if an app is breaking in it's Application class (server#26954) - Add bruteforce protection to the shareinfo endpoint (server#26956) - Ignore readonly flag for directories (server#26965) - Throttle MountPublicLinkController when share is not found (server#26971) - Respect default share permissions for federated reshares (server#27001) - Harden apptoken check (server#27014) - Use parent wrapper to properly handle moves on the same source/target storage (server#27016) - Fix error when using CORS with no auth credentials (server#27027) - Fix return value of getStorageInfo when 'quota_include_external_storage' is enabled (server#27108) - Bump patch dependencies (server#27183) - Use noreply@ as email address for share emails (server#27209) - Bump p-queue from 6.6.1 to 6.6.2 (server#27226) - Bump browserslist from 4.14.0 to 4.16.6 (server#27247) - Bump webpack from 4.44.1 to 4.44.2 (server#27297) - Properly use limit and offset for search in Jail wrapper (server#27308) - Make user:report command scale (server#27319) - Properly log expiration date removal in audit log (server#27325) - Propagate throttling on OCS response (server#27337) - Set umask before operations that create local files (server#27349) - Escape filename in Content-Disposition (server#27360) - Don't update statuses to offline again and again (server#27412) - Header must contain a colon (server#27456) - Activate constraint check for oracle / pqsql also for 20 (server#27523) - Only allow removing existing shares that would not be allowed due to reshare restrictions (server#27552) - Bump ws from 7.3.1 to 7.5.0 (server#27570) - Properly cleanup entries of WebAuthn on user deletion (server#27596) - Throttle on public DAV endpoint (server#27617) - Bump vue-loader from 15.9.3 to 15.9.7 (server#27639) - Bump eslint-plugin-standard from 4.0.1 to 4.0.2 (server#27651) - Validate the theming color also on CLI (server#27680) - Downstream encryption:fix-encrypted-version for repairing bad signature errors (server#27728) - Remove encodeURI code (files_pdfviewer#396) - Only ask for permissions on HTTPS (notifications#998) - Fix sorting if one of the file name is only composed with number (photos#785) - Backport 20 fix Photos not shown in large browser windows #630 (#686) (photos#810) - Update File.vue (photos#813) - Update chart.js (serverinfo#309) - Only return workspace property for top node in a propfind request (text#1611) - ViewerComponent: pass on autofocus to EditorWrapper (text#1647) - Use text/plain as content type for fetching the document (text#1692) - Log exceptions that happen on unknown exception and return generic messages (text#1698) - Add fixup (viewer#924) - Fix: fullscreen for Firefox (viewer#929) Update to 20.0.7 - Catch NotFoundException when querying quota (server#25315) - CalDAV] Validate notified emails (server#25324) - Fix/app fetcher php compat comparison (server#25347) - Show the actual error on share requests (server#25352) - Fix parameter provided as string not array (server#25366) - The objectid is a string (server#25374) - 20.0.7 final (server#25387) - Properly handle SMB ACL blocking scanning a directory (server#25421) - Don't break completely when creating the digest fail for one user (activity#556) - Only attempt to use a secure view if hide download is actually set (files_pdfviewer#296) - Fix opening PDF files with special characters in their name (files_pdfviewer#298) - Fix PDF viewer failing on Edge (not based on Chromium) (files_pdfviewer#299) - Cannot unfold plain text notifications (notifications#846) - Remove EPUB mimetype (text#1391) Update to 20.0.6 - Make sure to do priority app upgrades first (server#25077) - Respect DB restrictions on number of arguments in statements and queries (server#25120) - Add a hint about the direction of priority (server#25143) - Do not redirect to logout after login (server#25146) - Fix comparison of PHP versions (server#25152) - Add "composer.lock" for acceptance tests to git (server#25178) - Update CRL due to revoked gravatar.crl (server#25190) - Don't log keys on checkSignature (server#25193) - Update 3rdparty after Archive_Tar (server#25199) - Bump CA bundle (server#25219) - Update handling of user credentials (server#25225) - Fix encoding issue with OC.Notification.show (server#25244) - Also use storage copy when dav copying directories (server#25261) - Silence log message (server#25263) - Extend ILDAPProvider to allow reading arbitrairy ldap attributes for users (server#25276) - Do not obtain userFolder of a federated user (server#25278) - Bump pear/archive_tar from 1.4.11 to 1.4.12 (3rdparty#603) - Add gitignore entry for .github folder of dependencies (3rdparty#604) - Clear event array on getting them (activity#551) Update to 20.0.5 - Don't log params of imagecreatefromstring (server#24546) - Use storage copy implementation when doing dav copy (server#24590) - Use in objectstore copy (server#24592) - Add tel, note, org and title search (server#24697) - Check php compatibility of app store app releases (server#24698) - Fix #24682]: ensure federation cloud id is retruned if FN property not found (server#24709) - Do not include non-required scripts on the upgrade page (server#24714) - LDAP: fix inGroup for memberUid type of group memberships (server#24716) - Cancel user search requests to avoid duplicate results being added (server#24728) - Also unset the other possible unused paramters (server#24751) - Enables the file name check also to match name of mountpoints (server#24760) - Fixes sharing to group ids with characters that are being url encoded (server#24763) - Limit getIncomplete query to one row (server#24791) - Fix Argon2 descriptions (server#24792) - Actually set the TTL on redis set (server#24798) - Allow to force rename a conflicting calendar (server#24806) - Fix IPv6 localhost regex (server#24823) - Catch the error on heartbeat update (server#24826) - Make oc_files_trash.auto_id a bigint (server#24853) - Fix total upload size overwritten by next upload (server#24854) - Avoid huge exception argument logging (server#24876) - Make share results distinguishable if there are more than one with the exact same display name (server#24878) - Add migration for oc_share_external columns (server#24963) - Don't throw a 500 when importing a broken ics reminder file (server#24972) - Fix unreliable ViewTest (server#24976) - Update root.crl due to revocation of transmission.crt (server#24990) - Set the JSCombiner cache if needed (server#24997) - Fix column name to check prior to deleting (server#25009) - Catch throwable instead of exception (server#25013) - Set the user language when adding the footer (server#25019) - Change defaultapp in config.sample.php to dashboard to improve docs and align it to source code (server#25030) - Fix clearing the label of a share (server#25035) - Update psalm-baseline.xml (server#25066) - Don't remove assignable column for now (server#25074) - Add setup check to verify that the used DB version is still supported��� (server#25076) - Correctly set the user for activity parsing when preparing a notifica��� (activity#542) - Bump vue-virtual-grid from 2.2.1 to 2.3.0 (photos#597) - Catch possible database exceptions when fetching document data (text#1221) - Make sure we have the proper PHP version installed before running composer (text#1234) - Revert removal of transformResponse (text#1235) - Bump prosemirror-view from 1.16.1 to 1.16.5 (text#1255) - Bump @babel/preset-env from 7.12.1 to 7.12.11 (text#1257) - Bump babel-loader from 8.1.0 to 8.2.2 (text#1259) - Bump eslint-plugin-standard from 4.0.2 to 4.1.0 (text#1261) - Bump vue-loader from 15.9.5 to 15.9.6 (text#1263) - Bump prosemirror-model from 1.12.0 to 1.13.1 (text#1265) - Bump core-js from 3.7.0 to 3.8.1 (text#1266) - Bump stylelint from 13.7.2 to 13.8.0 (text#1269) - Bump @babel/plugin-transform-runtime from 7.12.1 to 7.12.10 (text#1271) - Bump sass-loader from 10.0.5 to 10.1.0 (text#1273) - Bump webpack-merge from 5.3.0 to 5.7.2 (text#1274) - Bump @babel/core from 7.12.3 to 7.12.10 (text#1277) - Bump cypress from 5.1.0 to 5.6.0 (text#1278) - Bump @vue/test-utils from 1.1.1 to 1.1.2 (text#1279) - Bump webpack-merge from 5.7.2 to 5.7.3 (text#1303) - The apache subpackage must require the main package, otherwise it will not be uninstalled when the main package is uninstalled. Update to 20.0.4 - Avoid dashboard crash when accessibility app is not installed (server#24636) - Bump ini from 1.3.5 to 1.3.7 (server#24649) - Handle owncloud migration to latest release (server#24653) - Use string for storing a OCM remote id (server#24654) - Fix MySQL database size calculation (serverinfo#262) - Bump cypress-io/github-action@v2 (viewer#722) - Fix] sidebar opening animation (viewer#723) - Fix not.exist cypress and TESTING checks (viewer#725) - Put apache configuration files in separate subpackage. - Use apache-rpm-macros for SUSE. - Change oc_* macros to nc_* macros. - Insert macro apache_serverroot also in cron files. Update to 20.0.3 * Check quota of subdirectories when uploading to them (server#24181) * CircleId too short in some request (server#24196) * Missing level in ScopedPsrLogger (server#24212) * Fix nextcloud logo in email notifications misalignment (server#24228) * Allow selecting multiple columns with SELECT DISTINCT (server#24230) * Use file name instead of path in 'not allowed to share' message (server#24231) * Fix setting images through occ for theming (server#24232) * Use regex when searching on single file shares (server#24239) * Harden EncryptionLegacyCipher a bit (server#24249) * Update ScanLegacyFormat.php (server#24258) * Simple typo in comments (server#24259) * Use correct year for generated birthdays events (server#24263) * Delete files that exceed trashbin size immediately (server#24297) * Update sabre/xml to fix XML parsing errors (server#24311) * Only check path for being accessible when the storage is a object home (server#24325) * Avoid empty null default with value that will be inserted anyways (server#24333) * Fix contacts menu position and show uid as a tooltip (server#24342) * Fix the config key on the sharing expire checkbox (server#24346) * Set the display name of federated sharees from addressbook (server#24353) * Catch storage not available in versions expire command (server#24367) * Use proper bundles for files client and fileinfo (server#24377) * Properly encode path when fetching inherited shares (server#24387) * Formatting remote sharer should take protocol, path into account (server#24391) * Make sure we add new line between vcf groups exports (server#24443) * Fix public calendars shared to circles (server#24446) * Store scss variables under a different prefix for each theming config version (server#24453) * External storages: save group ids not display names in configuration (server#24455) * Use correct l10n source in files_sharing JS code (server#24462) * Set frame-ancestors to none if none are filled (server#24477) * Move the password fiels of chaging passwords to post (server#24478) * Move the global password for files external to post (server#24479) * Only attempt to move to trash if a file is not in appdata (server#24483) * Fix loading mtime of new file in conflict dialog in firefox (server#24491) * Harden setup check for TLS version if host is not reachable (server#24502) * Fix file size computation on 32bit platforms (server#24509) * Allow subscription to indicate that a userlimit is reached (server#24511) * Set mountid for personal external storage mounts (server#24513) * Only execute plain mimetype check for directories and do the fallback��� (server#24517) * Fix vsprint parameter (server#24527) * Replace abandoned log normalizer with our fork (server#24530) * Add icon to user limit notification (server#24531) * Also run repair steps when encryption is disabled but a legacy key is present (server#24532) * [3rdparty][security] Archive TAR to 1.4.11 (server#24534) * Generate a new session id if the decrypting the session data fails (server#24553) * Revert "Do not read certificate bundle from data dir by default" (server#24556) * Dont use system composer for autoload checker (server#24557) * Remember me is not an app_password (server#24563) * Do not load nonexisting setup.js (server#24582) * Update sabre/xml to fix XML parsing errors (3rdparty#529) * Use composer v1 on CI (3rdparty#532) * Bump pear/archive_tar from 1.4.9 to 1.4.11 (3rdparty#536) * Replace abandoned log normalizer with our fork (3rdparty#543) * Allow nullable values as subject params (activity#535) * Don't log when unknown array is null (notifications#803) * Feat/virtual grid (photos#550) * Make sure we have a string to localecompare to (photos#583) * Always get recommendations for dashboard if enabled (recommendations#336) * Properly fetch oracle database information (serverinfo#258) * Also register to urlChanged event to update RichWorkspace (text#1181) * Move away from GET (text#1214) Update to 20.0.2 * CVE-2020-8293: Fixed input validation which allowed users to store unlimited data in workflow rules (boo#1181445). * CVE-2020-8294: Fixed a missing link validation (boo#1181803). * Inidicate preview availability in share api responses (server#23419) * CalDavBackend: check if timerange is array before accessing (server#23563) * Some emojis are in CHAR_CATEGORY_GENERAL_OTHER_TYPES (server#23575) * Also expire share type email (server#23583) * Only use index of mount point when it is there (server#23611) * Only retry fetching app store data once every 5 minutes in case it fails (server#23633) * Bring back the restore share button (server#23636) * Fix updates of NULL appconfig values (server#23641) * Fix sharing input placeholder for emails (server#23646) * Use bigint for fileid in filecache_extended (server#23690) * Enable theming background transparency (server#23699) * Fix sharer flag on ldap:show-remnants when user owned more than a single share (server#23702) * Make sure the function signatures of the backgroundjob match (server#23710) * Check if array elements exist before using them (server#23713) * Fix default quota display value in user row (server#23726) * Use lib instead if core as l10n module in OC_Files (server#23727) * Specify accept argument to avatar upload input field (server#23732) * Save email as lower case (server#23733) * Reset avatar cropper before showing (server#23736) * Also run the SabreAuthInitEvent for the main server (server#23745) * Type the \OCP\IUserManager::callForAllUsers closure with Psalm (server#23749) * Type the \OCP\AppFramework\Services\IInitialState::provideLazyInitial��� (server#23751) * Don't overwrite the event if we use it later (server#23753) * Inform the user when flow config data exceeds thresholds (server#23759) * Type the \OCP\IUserManager::callForSeenUsers closure with Psalm (server#23763) * Catch errors when closing file conflict dialog (server#23774) * Document the backend registered events of LDAP (server#23779) * Fetch the logger and system config once for all query builder instances (server#23787) * Type the event dispatcher listener callables with Psalm (server#23789) * Only run phpunit when "php" changed (server#23794) * Remove bold font-weight and lower font-size for empty search box (server#23829) * No need to check if there is an avatar available, because it is gener��� (server#23846) * Ensure filepicker list is empty before populating (server#23850) * UserStatus: clear status message if message is null (server#23858) * Fix grid view toggle in tags view (server#23874) * Restrict query when searching for versions of trashbin files (server#23884) * Fix potentially passing null to events where IUser is expected (server#23894) * Make user status styles scoped (server#23899) * Move help to separate stylesheet (server#23900) * Add default font size (server#23902) * Do not emit UserCreatedEvent twice (server#23917) * Bearer must be in the start of the auth header (server#23924) * Fix casting of integer and boolean on Oracle (server#23935) * Skip already loaded apps in loadApps (server#23948) * Fix repair mimetype step to not leave stray cursors (server#23950) * Improve query type detection (server#23951) * Fix iLike() falsely turning escaped % and _ into wildcards (server#23954) * Replace some usages of OC_DB in OC\Share\* with query builder (server#23955) * Use query builder instead of OC_DB in trashbin (server#23971) * Fix greatest/least order for oracle (server#23975) * Fix link share label placeholder not showing (server#23992) * Unlock when promoting to exclusive lock fails (server#23995) * Make sure root storage is valid before checking its size (server#23996) * Use query builder instead of OC_DB in OC\Files\* (server#23998) * Shortcut to avoid file system setup when generating the logo URL (server#24001) * Remove old legacy scripts references (server#24004) * Fix js search in undefined ocs response (server#24012) * Don't leave cursors open (server#24033) * Fix sharing tab state not matching resharing admin settings (server#24044) * Run unit tests against oracle (server#24049) * Use png icons in caldav reminder emails (server#24050) * Manually iterate over calendardata when oracle is used (server#24058) * Make is_user_defined nullable so we can store false on oracle (server#24079) * Fix default internal expiration date enforce (server#24081) * Register new command db:add-missing-primary-keys (server#24106) * Convert the card resource to a string if necessary (server#24114) * Don't throw on SHOW VERSION query (server#24147) * Bump dompurify to 2.2.2 (server#24153) * Set up FS before querying storage info in settings (server#24156) * Fix default internal expiration date (server#24159) * CircleId too short in some request (server#24178) * Revert "circleId too short in some request" (server#24183) * Missing level in ScopedPsrLogger (server#24212) * Fix activity spinner on empty activity (activity#523) * Add OCI github action (activity#528) * Disable download button by default (files_pdfviewer#257) * Feat/dependabot ga/stable20 (firstrunwizard#442) * Fix loading notifications without a message on oracle (notifications#796) * Do not setup appdata in constructor to avoid errors causing the whole instance to stop working (text#1105) * Bump eslint-plugin-standard from 4.0.1 to 4.0.2 (text#1125) * Bump sass-loader from 10.0.1 to 10.0.5 (text#1134) * Bump webpack from 4.44.1 to 4.44.2 (text#1140) * Bump dependencies to version in range (text#1164) * Validate link on click (text#1166) * Add migration to fix oracle issues with the database schema (text#1177) * Bump cypress from 4.12.1 to 5.1.0 (text#1179) * Fix URL escaping of shared files (viewer#681) * Fix component click outside and cleanup structure (viewer#684) Update to 20.0.1 No changelog from upstream at this time. Update to 20.0.0 * Changes The three biggest features we introduce with Nextcloud 20 are: - Our new dashboard provides a great starting point for the day with over a dozen widgets ranging from Twitter and Github to Moodle and Zammad already available - Search was unified, bringing search results of Nextcloud apps as well as external services like Gitlab, Jira and Discourse in one place - Talk introduced bridging to other platforms including MS Teams, Slack, IRC, Matrix and a dozen others * Some other improvements we want to highlight include: - Notifications and Activities were brought together, making sure you won���t miss anything important - We added a ���status��� setting so you can communicate to other users what you are up to - Talk also brings dashboard and search integration, emoji picker, upload view, camera and microphone settings, mute and more - Calendar integrates in dashboard and search, introduced a list view and design improvements - Mail introduces threaded view, mailbox management and more - Deck integrates with dashboard and search, introduces Calendar integration, modal view for card editing and series of smaller improvements - Flow adds push notification and webhooks so other web apps can easily integrate with Nextcloud - Text introduced direct linking to files in Nextcloud - Files lets you add a description to public link shares + Read the full announcement on our blog - NC-SA-2020-037 - CVE-2020-8295: Fixed Denial of service attack when resetting the password for a user(boo#1181804) - Update to 20.0.11 - Fix boo#1188247 - CVE-2021-32678: OCS API response ratelimits are not applied - Fix boo#1188248 - CVE-2021-32679: filenames where not escaped by default in controllers using DownloadResponse - Fix boo#1188249 - CVE-2021-32680: share expiration date wasn't properly logged - Fix boo#1188250 - CVE-2021-32688: lacking permission check with application specific tokens - Fix boo#1188251 - CVE-2021-32703: lack of ratelimiting on the shareinfo endpoint - Fix boo#1188252 - CVE-2021-32705: lack of ratelimiting on the public DAV endpoint - Fix boo#1188253 - CVE-2021-32725: default share permissions were not being respected for federated reshares of files and folders - Fix boo#1188254 - CVE-2021-32726: webauthn tokens were not deleted after a user has been deleted - Fix boo#1188255 - CVE-2021-32734: possible full path disclosure on shared files - Fix boo#1188256 - CVE-2021-32741: lack of ratelimiting on the public share link mount endpoint - Bump handlebars from 4.7.6 to 4.7.7 (server#26900) - Bump lodash from 4.17.20 to 4.17.21 (server#26909) - Bump hosted-git-info from 2.8.8 to 2.8.9 (server#26920) - Don't break OCC if an app is breaking in it's Application class (server#26954) - Add bruteforce protection to the shareinfo endpoint (server#26956) - Ignore readonly flag for directories (server#26965) - Throttle MountPublicLinkController when share is not found (server#26971) - Respect default share permissions for federated reshares (server#27001) - Harden apptoken check (server#27014) - Use parent wrapper to properly handle moves on the same source/target storage (server#27016) - Fix error when using CORS with no auth credentials (server#27027) - Fix return value of getStorageInfo when 'quota_include_external_storage' is enabled (server#27108) - Bump patch dependencies (server#27183) - Use noreply@ as email address for share emails (server#27209) - Bump p-queue from 6.6.1 to 6.6.2 (server#27226) - Bump browserslist from 4.14.0 to 4.16.6 (server#27247) - Bump webpack from 4.44.1 to 4.44.2 (server#27297) - Properly use limit and offset for search in Jail wrapper (server#27308) - Make user:report command scale (server#27319) - Properly log expiration date removal in audit log (server#27325) - Propagate throttling on OCS response (server#27337) - Set umask before operations that create local files (server#27349) - Escape filename in Content-Disposition (server#27360) - Don't update statuses to offline again and again (server#27412) - Header must contain a colon (server#27456) - Activate constraint check for oracle / pqsql also for 20 (server#27523) - Only allow removing existing shares that would not be allowed due to reshare restrictions (server#27552) - Bump ws from 7.3.1 to 7.5.0 (server#27570) - Properly cleanup entries of WebAuthn on user deletion (server#27596) - Throttle on public DAV endpoint (server#27617) - Bump vue-loader from 15.9.3 to 15.9.7 (server#27639) - Bump eslint-plugin-standard from 4.0.1 to 4.0.2 (server#27651) - Validate the theming color also on CLI (server#27680) - Downstream encryption:fix-encrypted-version for repairing bad signature errors (server#27728) - Remove encodeURI code (files_pdfviewer#396) - Only ask for permissions on HTTPS (notifications#998) - Fix sorting if one of the file name is only composed with number (photos#785) - Backport 20 fix Photos not shown in large browser windows #630 (#686) (photos#810) - Update File.vue (photos#813) - Update chart.js (serverinfo#309) - Only return workspace property for top node in a propfind request (text#1611) - ViewerComponent: pass on autofocus to EditorWrapper (text#1647) - Use text/plain as content type for fetching the document (text#1692) - Log exceptions that happen on unknown exception and return generic messages (text#1698) - Add fixup (viewer#924) - Fix: fullscreen for Firefox (viewer#929) Patch Instructions: To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Leap 15.2: zypper in -t patch openSUSE-2021-1068=1 - openSUSE Backports SLE-15-SP3: zypper in -t patch openSUSE-2021-1068=1 - openSUSE Backports SLE-15-SP2: zypper in -t patch openSUSE-2021-1068=1 - openSUSE Backports SLE-15-SP1: zypper in -t patch openSUSE-2021-1068=1 Package List: - openSUSE Leap 15.2 (noarch): nextcloud-20.0.11-lp152.3.9.1 nextcloud-apache-20.0.11-lp152.3.9.1 - openSUSE Backports SLE-15-SP3 (noarch): nextcloud-20.0.11-bp153.2.3.1 nextcloud-apache-20.0.11-bp153.2.3.1 - openSUSE Backports SLE-15-SP2 (noarch): nextcloud-20.0.11-bp152.2.9.1 nextcloud-apache-20.0.11-bp152.2.9.1 - openSUSE Backports SLE-15-SP1 (noarch): nextcloud-20.0.11-bp151.3.15.1 nextcloud-apache-20.0.11-bp151.3.15.1 References: https://www.suse.com/security/cve/CVE-2020-8293.html https://www.suse.com/security/cve/CVE-2020-8294.html https://www.suse.com/security/cve/CVE-2020-8295.html https://www.suse.com/security/cve/CVE-2021-32678.html https://www.suse.com/security/cve/CVE-2021-32679.html https://www.suse.com/security/cve/CVE-2021-32680.html https://www.suse.com/security/cve/CVE-2021-32688.html https://www.suse.com/security/cve/CVE-2021-32703.html https://www.suse.com/security/cve/CVE-2021-32705.html https://www.suse.com/security/cve/CVE-2021-32725.html https://www.suse.com/security/cve/CVE-2021-32726.html https://www.suse.com/security/cve/CVE-2021-32734.html https://www.suse.com/security/cve/CVE-2021-32741.html https://bugzilla.suse.com/1181445 https://bugzilla.suse.com/1181803 https://bugzilla.suse.com/1181804 https://bugzilla.suse.com/1188247 https://bugzilla.suse.com/1188248 https://bugzilla.suse.com/1188249 https://bugzilla.suse.com/1188250 https://bugzilla.suse.com/1188251 https://bugzilla.suse.com/1188252 https://bugzilla.suse.com/1188253 https://bugzilla.suse.com/1188254 https://bugzilla.suse.com/1188255 https://bugzilla.suse.com/1188256
participants (1)
-
opensuse-security@opensuse.org