SUSE Package Hub - openSUSE-2021-1602

Update Info

openSUSE-2021-1602

Security update for nextcloud

Type: security

Severity: important

Issued: 2021-12-20

Description:

This update for nextcloud fixes the following issues:

Update to 20.0.14

Security issues fixed:

* CVE-2021-41179: Fix boo#1192028 - (CWE-304): Two-Factor Authentication not enforced for pages marked as public
* CVE-2021-41178: Fix boo#1192030 - (CWE-434): File Traversal affecting SVG files on Nextcloud Server
* CVE-2021-41177: Fix boo#1192031 - (CWE-799): Rate-limits not working on instances without configured memory cache backend

Changes:

- Add command to repair broken filesystem trees (server#26630)
- Ensure that user and group IDs in LDAP's tables are also max 64chars (server#28971)
- Change output format of Psalm to Github (server#29048)
- File-upload: Correctly handle error responses for HTTP2 (server#29069)
- Allow "TwoFactor Nextcloud Notifications" to pull the state of the 2F… (server#29072)
- Add a few sensitive config keys (server#29085)
- Fix path of file_get_contents (server#29095)
- Update the certificate bundle (server#29098)
- Keep pw based auth tokens valid when pw-less login happens (server#29131)
- Properly handle folder deletion on external s3 storage (server#29158)
- Tokens without password should not trigger changed password invalidation (server#29166)
- Don't further setup disabled users when logging in with apache (server#29167)
- Add 'supported'-label to all supported apps (server#29181)
- 21] generate a better optimized query for path prefix search filters (server#29192)
- Keep group restrictions when reenabling apps after an update (server#29198)
- Add proper message to created share not found (server#29205)
- Add documentation for files_no_background_scan (server#29219)
- Don't setup the filesystem to check for a favicon we don't use anyway (server#29223)
- Fix background scan doc in config (server#29253)
- Get `filesize()` if `file_exists()` (server#29290)
- Fix unable to login errors due to file system not being initialized (server#29291)
- Update 3rdparty ref (server#29297)
- Bump icewind/streams from 0.7.3 to 0.7.5 in files_external (server#29298)
- Fix app upgrade (server#29303)
- Avoid PHP errors when the LDAP attribute is not found (server#29314)
- Fix security issues when copying groupfolder with advanced ACL (server#29366)
- Scheduling plugin not updating responding attendee status (server#29387)
- Make calendar schedule options translatable (server#29388)
- Add whitelist for apps inside of the server repo (server#29396)
- Handle files with `is_file` instead of `file_exists` (server#29417)
- Fixes an undefined index when getAccessList returns an empty array (server#29421)
- Extra fixes needed for icewind/streams update to 0.7.2 (server#29426)
- Backport #29260: Respect user enumeration settings in user status lists (server#29429)
- Implement local filtering in file list (server#29441)
- Detect mimetype by content only with content (server#29457)
- Update CRL (server#29505)
- Update update-psalm-baseline workflow (server#29548)
- Bump icewind/streams from 0.7.1 to 0.7.5 (3rdparty#855)
- Bump version (files_pdfviewer#512)
- Fix deleting notifications with numeric user ID (notifications#1090)
- Add integration tests for push registration (notifications#1097)
- Restore old device signature so the proxy works again (notifications#1105)
- Bump vue and vue-template-compiler (photos#864)
- Bump prosemirror-schema-list from 1.1.5 to 1.1.6 (text#1868)
- Additional checks for workspace controller (text#1887)

References

CVE: CVE-2021-41179
CVE: CVE-2021-41178
CVE: CVE-2021-41177
Bugzilla: 1192031 https://bugzilla.opensuse.org/show_bug.cgi?id=1192031
Bugzilla: 1192030 https://bugzilla.opensuse.org/show_bug.cgi?id=1192030
Bugzilla: 1192028 https://bugzilla.opensuse.org/show_bug.cgi?id=1192028

Packages

nextcloud-20.0.14-bp153.2.9.1