Update Info

openSUSE-2019-640


Security update for nextcloud


Type: security
Severity: moderate
Issued: 2019-03-23
Description:
This update for nextcloud to version 13.0.5 fixes the following issues:

Security issues fixed:

- CVE-2018-3780: Fixed a missing sanitization of search results for an
  autocomplete field that could lead to a stored XSS requiring
  user-interaction. The missing sanitization only affected user names, hence
  malicious search results could only be crafted by authenticated users.
  (boo#1105598)


Other bugs fixed:

- Fix highlighting of the upload drop zone
- Apply ldapUserFilter on members of group
- Make the DELETION of groups match greedy on the groupID
- Add parent index to share table
- Log full exception in cron instead of only the message
- Properly lock the target file on dav upload when not using part files
- LDAP backup server should not be queried when auth fails
- Fix filenames in sharing integration tests
- Lower log level for quota manipulation cases
- Let user set avatar in nextcloud if LDAP provides invalid image data
- Improved logging of smb connection errors
- Allow admin to disable fetching of avatars as well as a specific attribute
- Allow to disable encryption
- Update message shown when unsharing a file
- Fixed English grammatical error on Settings page.
- Request a valid property for DAV opendir
- Allow updating the token on session regeneration
- Prevent lock values from going negative with memcache backend
- Correctly handle users with numeric user ids
- Correctly parse the subject parameters for link (un)shares of calendars
- Fix "parsing" of email-addresses in comments and chat messages
- Sanitize parameters in createSessionToken() while logging
- Also retry rename operation on InvalidArgumentException
- Improve url detection in comments
- Only bind to ldap if configuration for the first server is set
- Use download manager from PDF.js to download the file
- Fix trying to load removed scripts
- Only pull for new messages if the session is allowed to be kept alive
- Always push object data
- Add prioritization for Talk


              

Packages


  • nextcloud-13.0.5-bp150.2.3.1