SUSE 5180 Published by

A nextcloud security update has been released for openSUSE Leap 15.2, SUSE Linux Enterprise 15 SP1, SUSE Linux Enterprise 15 SP2, and SUSE Linux Enterprise 15 SP3.



openSUSE-SU-2021:1068-1: important: Security update for nextcloud


openSUSE Security Update: Security update for nextcloud
______________________________________________________________________________

Announcement ID: openSUSE-SU-2021:1068-1
Rating: important
References: #1181445 #1181803 #1181804 #1188247 #1188248
#1188249 #1188250 #1188251 #1188252 #1188253
#1188254 #1188255 #1188256
Cross-References: CVE-2020-8293 CVE-2020-8294 CVE-2020-8295
CVE-2021-32678 CVE-2021-32679 CVE-2021-32680
CVE-2021-32688 CVE-2021-32703 CVE-2021-32705
CVE-2021-32725 CVE-2021-32726 CVE-2021-32734
CVE-2021-32741
CVSS scores:
CVE-2020-8293 (NVD) : 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CVE-2020-8294 (NVD) : 5.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CVE-2021-32680 (NVD) : 3.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
CVE-2021-32688 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected Products:
openSUSE Leap 15.2
openSUSE Backports SLE-15-SP3
openSUSE Backports SLE-15-SP2
openSUSE Backports SLE-15-SP1
SUSE Package Hub for SUSE Linux Enterprise 12
______________________________________________________________________________

An update that fixes 13 vulnerabilities is now available.

Description:

This update for nextcloud fixes the following issues:

nextcloud was updated to 20.0.11:

- Fix boo#1188247 - CVE-2021-32678: OCS API response ratelimits are not
applied
- Fix boo#1188248 - CVE-2021-32679: filenames where not escaped by default
in controllers using DownloadResponse
- Fix boo#1188249 - CVE-2021-32680: share expiration date wasn't properly
logged
- Fix boo#1188250 - CVE-2021-32688: lacking permission check with
application specific tokens
- Fix boo#1188251 - CVE-2021-32703: lack of ratelimiting on the shareinfo
endpoint
- Fix boo#1188252 - CVE-2021-32705: lack of ratelimiting on the public DAV
endpoint
- Fix boo#1188253 - CVE-2021-32725: default share permissions were not
being respected for federated reshares of files and folders
- Fix boo#1188254 - CVE-2021-32726: webauthn tokens were not deleted after
a user has been deleted
- Fix boo#1188255 - CVE-2021-32734: possible full path disclosure on
shared files
- Fix boo#1188256 - CVE-2021-32741: lack of ratelimiting on the public
share link mount endpoint
- Bump handlebars from 4.7.6 to 4.7.7 (server#26900)
- Bump lodash from 4.17.20 to 4.17.21 (server#26909)
- Bump hosted-git-info from 2.8.8 to 2.8.9 (server#26920)
- Don't break OCC if an app is breaking in it's Application class
(server#26954)
- Add bruteforce protection to the shareinfo endpoint (server#26956)
- Ignore readonly flag for directories (server#26965)
- Throttle MountPublicLinkController when share is not found (server#26971)
- Respect default share permissions for federated reshares (server#27001)
- Harden apptoken check (server#27014)
- Use parent wrapper to properly handle moves on the same source/target
storage (server#27016)
- Fix error when using CORS with no auth credentials (server#27027)
- Fix return value of getStorageInfo when 'quota_include_external_storage'
is enabled (server#27108)
- Bump patch dependencies (server#27183)
- Use noreply@ as email address for share emails (server#27209)
- Bump p-queue from 6.6.1 to 6.6.2 (server#27226)
- Bump browserslist from 4.14.0 to 4.16.6 (server#27247)
- Bump webpack from 4.44.1 to 4.44.2 (server#27297)
- Properly use limit and offset for search in Jail wrapper (server#27308)
- Make user:report command scale (server#27319)
- Properly log expiration date removal in audit log (server#27325)
- Propagate throttling on OCS response (server#27337)
- Set umask before operations that create local files (server#27349)
- Escape filename in Content-Disposition (server#27360)
- Don't update statuses to offline again and again (server#27412)
- Header must contain a colon (server#27456)
- Activate constraint check for oracle / pqsql also for 20 (server#27523)
- Only allow removing existing shares that would not be allowed due to
reshare restrictions (server#27552)
- Bump ws from 7.3.1 to 7.5.0 (server#27570)
- Properly cleanup entries of WebAuthn on user deletion (server#27596)
- Throttle on public DAV endpoint (server#27617)
- Bump vue-loader from 15.9.3 to 15.9.7 (server#27639)
- Bump eslint-plugin-standard from 4.0.1 to 4.0.2 (server#27651)
- Validate the theming color also on CLI (server#27680)
- Downstream encryption:fix-encrypted-version for repairing bad signature
errors (server#27728)
- Remove encodeURI code (files_pdfviewer#396)
- Only ask for permissions on HTTPS (notifications#998)
- Fix sorting if one of the file name is only composed with number
(photos#785)
- Backport 20 fix Photos not shown in large browser windows #630 (#686)
(photos#810)
- Update File.vue (photos#813)
- Update chart.js (serverinfo#309)
- Only return workspace property for top node in a propfind request
(text#1611)
- ViewerComponent: pass on autofocus to EditorWrapper (text#1647)
- Use text/plain as content type for fetching the document (text#1692)
- Log exceptions that happen on unknown exception and return generic
messages (text#1698)
- Add fixup (viewer#924)
- Fix: fullscreen for Firefox (viewer#929)

Update to 20.0.7

- Catch NotFoundException when querying quota (server#25315)
- CalDAV] Validate notified emails (server#25324)
- Fix/app fetcher php compat comparison (server#25347)
- Show the actual error on share requests (server#25352)
- Fix parameter provided as string not array (server#25366)
- The objectid is a string (server#25374)
- 20.0.7 final (server#25387)
- Properly handle SMB ACL blocking scanning a directory (server#25421)
- Don't break completely when creating the digest fail for one user
(activity#556)
- Only attempt to use a secure view if hide download is actually set
(files_pdfviewer#296)
- Fix opening PDF files with special characters in their name
(files_pdfviewer#298)
- Fix PDF viewer failing on Edge (not based on Chromium)
(files_pdfviewer#299)
- Cannot unfold plain text notifications (notifications#846)
- Remove EPUB mimetype (text#1391)

Update to 20.0.6

- Make sure to do priority app upgrades first (server#25077)
- Respect DB restrictions on number of arguments in statements and queries
(server#25120)
- Add a hint about the direction of priority (server#25143)
- Do not redirect to logout after login (server#25146)
- Fix comparison of PHP versions (server#25152)
- Add "composer.lock" for acceptance tests to git (server#25178)
- Update CRL due to revoked gravatar.crl (server#25190)
- Don't log keys on checkSignature (server#25193)
- Update 3rdparty after Archive_Tar (server#25199)
- Bump CA bundle (server#25219)
- Update handling of user credentials (server#25225)
- Fix encoding issue with OC.Notification.show (server#25244)
- Also use storage copy when dav copying directories (server#25261)
- Silence log message (server#25263)
- Extend ILDAPProvider to allow reading arbitrairy ldap attributes for
users (server#25276)
- Do not obtain userFolder of a federated user (server#25278)
- Bump pear/archive_tar from 1.4.11 to 1.4.12 (3rdparty#603)
- Add gitignore entry for .github folder of dependencies (3rdparty#604)
- Clear event array on getting them (activity#551)

Update to 20.0.5

- Don't log params of imagecreatefromstring (server#24546)
- Use storage copy implementation when doing dav copy (server#24590)
- Use in objectstore copy (server#24592)
- Add tel, note, org and title search (server#24697)
- Check php compatibility of app store app releases (server#24698)
- Fix #24682]: ensure federation cloud id is retruned if FN property not
found (server#24709)
- Do not include non-required scripts on the upgrade page (server#24714)
- LDAP: fix inGroup for memberUid type of group memberships (server#24716)
- Cancel user search requests to avoid duplicate results being added
(server#24728)
- Also unset the other possible unused paramters (server#24751)
- Enables the file name check also to match name of mountpoints
(server#24760)
- Fixes sharing to group ids with characters that are being url encoded
(server#24763)
- Limit getIncomplete query to one row (server#24791)
- Fix Argon2 descriptions (server#24792)
- Actually set the TTL on redis set (server#24798)
- Allow to force rename a conflicting calendar (server#24806)
- Fix IPv6 localhost regex (server#24823)
- Catch the error on heartbeat update (server#24826)
- Make oc_files_trash.auto_id a bigint (server#24853)
- Fix total upload size overwritten by next upload (server#24854)
- Avoid huge exception argument logging (server#24876)
- Make share results distinguishable if there are more than one with the
exact same display name (server#24878)
- Add migration for oc_share_external columns (server#24963)
- Don't throw a 500 when importing a broken ics reminder file
(server#24972)
- Fix unreliable ViewTest (server#24976)
- Update root.crl due to revocation of transmission.crt (server#24990)
- Set the JSCombiner cache if needed (server#24997)
- Fix column name to check prior to deleting (server#25009)
- Catch throwable instead of exception (server#25013)
- Set the user language when adding the footer (server#25019)
- Change defaultapp in config.sample.php to dashboard to improve docs and
align it to source code (server#25030)
- Fix clearing the label of a share (server#25035)
- Update psalm-baseline.xml (server#25066)
- Don't remove assignable column for now (server#25074)
- Add setup check to verify that the used DB version is still supported???
(server#25076)
- Correctly set the user for activity parsing when preparing a notifica???
(activity#542)
- Bump vue-virtual-grid from 2.2.1 to 2.3.0 (photos#597)
- Catch possible database exceptions when fetching document data
(text#1221)
- Make sure we have the proper PHP version installed before running
composer (text#1234)
- Revert removal of transformResponse (text#1235)
- Bump prosemirror-view from 1.16.1 to 1.16.5 (text#1255)
- Bump @babel/preset-env from 7.12.1 to 7.12.11 (text#1257)
- Bump babel-loader from 8.1.0 to 8.2.2 (text#1259)
- Bump eslint-plugin-standard from 4.0.2 to 4.1.0 (text#1261)
- Bump vue-loader from 15.9.5 to 15.9.6 (text#1263)
- Bump prosemirror-model from 1.12.0 to 1.13.1 (text#1265)
- Bump core-js from 3.7.0 to 3.8.1 (text#1266)
- Bump stylelint from 13.7.2 to 13.8.0 (text#1269)
- Bump @babel/plugin-transform-runtime from 7.12.1 to 7.12.10 (text#1271)
- Bump sass-loader from 10.0.5 to 10.1.0 (text#1273)
- Bump webpack-merge from 5.3.0 to 5.7.2 (text#1274)
- Bump @babel/core from 7.12.3 to 7.12.10 (text#1277)
- Bump cypress from 5.1.0 to 5.6.0 (text#1278)
- Bump @vue/test-utils from 1.1.1 to 1.1.2 (text#1279)
- Bump webpack-merge from 5.7.2 to 5.7.3 (text#1303)

- The apache subpackage must require the main package, otherwise it will
not be uninstalled when the main package is uninstalled.

Update to 20.0.4

- Avoid dashboard crash when accessibility app is not installed
(server#24636)
- Bump ini from 1.3.5 to 1.3.7 (server#24649)
- Handle owncloud migration to latest release (server#24653)
- Use string for storing a OCM remote id (server#24654)
- Fix MySQL database size calculation (serverinfo#262)
- Bump cypress-io/github-action@v2 (viewer#722)
- Fix] sidebar opening animation (viewer#723)
- Fix not.exist cypress and TESTING checks (viewer#725)

- Put apache configuration files in separate subpackage.

- Use apache-rpm-macros for SUSE.
- Change oc_* macros to nc_* macros.
- Insert macro apache_serverroot also in cron files.

Update to 20.0.3

* Check quota of subdirectories when uploading to them (server#24181)
* CircleId too short in some request (server#24196)
* Missing level in ScopedPsrLogger (server#24212)
* Fix nextcloud logo in email notifications misalignment (server#24228)
* Allow selecting multiple columns with SELECT DISTINCT (server#24230)
* Use file name instead of path in 'not allowed to share' message
(server#24231)
* Fix setting images through occ for theming (server#24232)
* Use regex when searching on single file shares (server#24239)
* Harden EncryptionLegacyCipher a bit (server#24249)
* Update ScanLegacyFormat.php (server#24258)
* Simple typo in comments (server#24259)
* Use correct year for generated birthdays events (server#24263)
* Delete files that exceed trashbin size immediately (server#24297)
* Update sabre/xml to fix XML parsing errors (server#24311)
* Only check path for being accessible when the storage is a object home
(server#24325)
* Avoid empty null default with value that will be inserted anyways
(server#24333)
* Fix contacts menu position and show uid as a tooltip (server#24342)
* Fix the config key on the sharing expire checkbox (server#24346)
* Set the display name of federated sharees from addressbook (server#24353)
* Catch storage not available in versions expire command (server#24367)
* Use proper bundles for files client and fileinfo (server#24377)
* Properly encode path when fetching inherited shares (server#24387)
* Formatting remote sharer should take protocol, path into account
(server#24391)
* Make sure we add new line between vcf groups exports (server#24443)
* Fix public calendars shared to circles (server#24446)
* Store scss variables under a different prefix for each theming config
version (server#24453)
* External storages: save group ids not display names in configuration
(server#24455)
* Use correct l10n source in files_sharing JS code (server#24462)
* Set frame-ancestors to none if none are filled (server#24477)
* Move the password fiels of chaging passwords to post (server#24478)
* Move the global password for files external to post (server#24479)
* Only attempt to move to trash if a file is not in appdata (server#24483)
* Fix loading mtime of new file in conflict dialog in firefox
(server#24491)
* Harden setup check for TLS version if host is not reachable
(server#24502)
* Fix file size computation on 32bit platforms (server#24509)
* Allow subscription to indicate that a userlimit is reached (server#24511)
* Set mountid for personal external storage mounts (server#24513)
* Only execute plain mimetype check for directories and do the fallback???
(server#24517)
* Fix vsprint parameter (server#24527)
* Replace abandoned log normalizer with our fork (server#24530)
* Add icon to user limit notification (server#24531)
* Also run repair steps when encryption is disabled but a legacy key is
present (server#24532)
* [3rdparty][security] Archive TAR to 1.4.11 (server#24534)
* Generate a new session id if the decrypting the session data fails
(server#24553)
* Revert "Do not read certificate bundle from data dir by default"
(server#24556)
* Dont use system composer for autoload checker (server#24557)
* Remember me is not an app_password (server#24563)
* Do not load nonexisting setup.js (server#24582)
* Update sabre/xml to fix XML parsing errors (3rdparty#529)
* Use composer v1 on CI (3rdparty#532)
* Bump pear/archive_tar from 1.4.9 to 1.4.11 (3rdparty#536)
* Replace abandoned log normalizer with our fork (3rdparty#543)
* Allow nullable values as subject params (activity#535)
* Don't log when unknown array is null (notifications#803)
* Feat/virtual grid (photos#550)
* Make sure we have a string to localecompare to (photos#583)
* Always get recommendations for dashboard if enabled (recommendations#336)
* Properly fetch oracle database information (serverinfo#258)
* Also register to urlChanged event to update RichWorkspace (text#1181)
* Move away from GET (text#1214)

Update to 20.0.2

* CVE-2020-8293: Fixed input validation which allowed users to store
unlimited data in workflow rules (boo#1181445).
* CVE-2020-8294: Fixed a missing link validation (boo#1181803).
* Inidicate preview availability in share api responses (server#23419)
* CalDavBackend: check if timerange is array before accessing
(server#23563)
* Some emojis are in CHAR_CATEGORY_GENERAL_OTHER_TYPES (server#23575)
* Also expire share type email (server#23583)
* Only use index of mount point when it is there (server#23611)
* Only retry fetching app store data once every 5 minutes in case it fails
(server#23633)
* Bring back the restore share button (server#23636)
* Fix updates of NULL appconfig values (server#23641)
* Fix sharing input placeholder for emails (server#23646)
* Use bigint for fileid in filecache_extended (server#23690)
* Enable theming background transparency (server#23699)
* Fix sharer flag on ldap:show-remnants when user owned more than a single
share (server#23702)
* Make sure the function signatures of the backgroundjob match
(server#23710)
* Check if array elements exist before using them (server#23713)
* Fix default quota display value in user row (server#23726)
* Use lib instead if core as l10n module in OC_Files (server#23727)
* Specify accept argument to avatar upload input field (server#23732)
* Save email as lower case (server#23733)
* Reset avatar cropper before showing (server#23736)
* Also run the SabreAuthInitEvent for the main server (server#23745)
* Type the \OCP\IUserManager::callForAllUsers closure with Psalm
(server#23749)
* Type the \OCP\AppFramework\Services\IInitialState::provideLazyInitial???
(server#23751)
* Don't overwrite the event if we use it later (server#23753)
* Inform the user when flow config data exceeds thresholds (server#23759)
* Type the \OCP\IUserManager::callForSeenUsers closure with Psalm
(server#23763)
* Catch errors when closing file conflict dialog (server#23774)
* Document the backend registered events of LDAP (server#23779)
* Fetch the logger and system config once for all query builder instances
(server#23787)
* Type the event dispatcher listener callables with Psalm (server#23789)
* Only run phpunit when "php" changed (server#23794)
* Remove bold font-weight and lower font-size for empty search box
(server#23829)
* No need to check if there is an avatar available, because it is gener???
(server#23846)
* Ensure filepicker list is empty before populating (server#23850)
* UserStatus: clear status message if message is null (server#23858)
* Fix grid view toggle in tags view (server#23874)
* Restrict query when searching for versions of trashbin files
(server#23884)
* Fix potentially passing null to events where IUser is expected
(server#23894)
* Make user status styles scoped (server#23899)
* Move help to separate stylesheet (server#23900)
* Add default font size (server#23902)
* Do not emit UserCreatedEvent twice (server#23917)
* Bearer must be in the start of the auth header (server#23924)
* Fix casting of integer and boolean on Oracle (server#23935)
* Skip already loaded apps in loadApps (server#23948)
* Fix repair mimetype step to not leave stray cursors (server#23950)
* Improve query type detection (server#23951)
* Fix iLike() falsely turning escaped % and _ into wildcards (server#23954)
* Replace some usages of OC_DB in OC\Share\* with query builder
(server#23955)
* Use query builder instead of OC_DB in trashbin (server#23971)
* Fix greatest/least order for oracle (server#23975)
* Fix link share label placeholder not showing (server#23992)
* Unlock when promoting to exclusive lock fails (server#23995)
* Make sure root storage is valid before checking its size (server#23996)
* Use query builder instead of OC_DB in OC\Files\* (server#23998)
* Shortcut to avoid file system setup when generating the logo URL
(server#24001)
* Remove old legacy scripts references (server#24004)
* Fix js search in undefined ocs response (server#24012)
* Don't leave cursors open (server#24033)
* Fix sharing tab state not matching resharing admin settings
(server#24044)
* Run unit tests against oracle (server#24049)
* Use png icons in caldav reminder emails (server#24050)
* Manually iterate over calendardata when oracle is used (server#24058)
* Make is_user_defined nullable so we can store false on oracle
(server#24079)
* Fix default internal expiration date enforce (server#24081)
* Register new command db:add-missing-primary-keys (server#24106)
* Convert the card resource to a string if necessary (server#24114)
* Don't throw on SHOW VERSION query (server#24147)
* Bump dompurify to 2.2.2 (server#24153)
* Set up FS before querying storage info in settings (server#24156)
* Fix default internal expiration date (server#24159)
* CircleId too short in some request (server#24178)
* Revert "circleId too short in some request" (server#24183)
* Missing level in ScopedPsrLogger (server#24212)
* Fix activity spinner on empty activity (activity#523)
* Add OCI github action (activity#528)
* Disable download button by default (files_pdfviewer#257)
* Feat/dependabot ga/stable20 (firstrunwizard#442)
* Fix loading notifications without a message on oracle (notifications#796)
* Do not setup appdata in constructor to avoid errors causing the whole
instance to stop working (text#1105)
* Bump eslint-plugin-standard from 4.0.1 to 4.0.2 (text#1125)
* Bump sass-loader from 10.0.1 to 10.0.5 (text#1134)
* Bump webpack from 4.44.1 to 4.44.2 (text#1140)
* Bump dependencies to version in range (text#1164)
* Validate link on click (text#1166)
* Add migration to fix oracle issues with the database schema (text#1177)
* Bump cypress from 4.12.1 to 5.1.0 (text#1179)
* Fix URL escaping of shared files (viewer#681)
* Fix component click outside and cleanup structure (viewer#684)

Update to 20.0.1

No changelog from upstream at this time.

Update to 20.0.0

* Changes The three biggest features we introduce with Nextcloud 20 are:
- Our new dashboard provides a great starting point for the day with
over a dozen widgets ranging from Twitter and Github to Moodle and
Zammad already available
- Search was unified, bringing search results of Nextcloud apps as well
as external services like Gitlab, Jira and Discourse in one place
- Talk introduced bridging to other platforms including MS Teams, Slack,
IRC, Matrix and a dozen others
* Some other improvements we want to highlight include:
- Notifications and Activities were brought together, making sure you
won???t miss anything important
- We added a ???status??? setting so you can communicate to other
users what you are up to
- Talk also brings dashboard and search integration, emoji picker,
upload view, camera and microphone settings, mute and more
- Calendar integrates in dashboard and search, introduced a list view
and design improvements
- Mail introduces threaded view, mailbox management and more
- Deck integrates with dashboard and search, introduces Calendar
integration, modal view for card editing and series of smaller
improvements
- Flow adds push notification and webhooks so other web apps can
easily integrate with Nextcloud
- Text introduced direct linking to files in Nextcloud
- Files lets you add a description to public link shares
+ Read the full announcement on our blog
- NC-SA-2020-037
- CVE-2020-8295: Fixed Denial of service attack when resetting the
password for a user(boo#1181804)
- Update to 20.0.11
- Fix boo#1188247 - CVE-2021-32678: OCS API response ratelimits are not
applied
- Fix boo#1188248 - CVE-2021-32679: filenames where not escaped by default
in controllers using DownloadResponse
- Fix boo#1188249 - CVE-2021-32680: share expiration date wasn't properly
logged
- Fix boo#1188250 - CVE-2021-32688: lacking permission check with
application specific tokens
- Fix boo#1188251 - CVE-2021-32703: lack of ratelimiting on the shareinfo
endpoint
- Fix boo#1188252 - CVE-2021-32705: lack of ratelimiting on the public DAV
endpoint
- Fix boo#1188253 - CVE-2021-32725: default share permissions were not
being respected for federated reshares of files and folders
- Fix boo#1188254 - CVE-2021-32726: webauthn tokens were not deleted after
a user has been deleted
- Fix boo#1188255 - CVE-2021-32734: possible full path disclosure on
shared files
- Fix boo#1188256 - CVE-2021-32741: lack of ratelimiting on the public
share link mount endpoint
- Bump handlebars from 4.7.6 to 4.7.7 (server#26900)
- Bump lodash from 4.17.20 to 4.17.21 (server#26909)
- Bump hosted-git-info from 2.8.8 to 2.8.9 (server#26920)
- Don't break OCC if an app is breaking in it's Application class
(server#26954)
- Add bruteforce protection to the shareinfo endpoint (server#26956)
- Ignore readonly flag for directories (server#26965)
- Throttle MountPublicLinkController when share is not found (server#26971)
- Respect default share permissions for federated reshares (server#27001)
- Harden apptoken check (server#27014)
- Use parent wrapper to properly handle moves on the same source/target
storage (server#27016)
- Fix error when using CORS with no auth credentials (server#27027)
- Fix return value of getStorageInfo when 'quota_include_external_storage'
is enabled (server#27108)
- Bump patch dependencies (server#27183)
- Use noreply@ as email address for share emails (server#27209)
- Bump p-queue from 6.6.1 to 6.6.2 (server#27226)
- Bump browserslist from 4.14.0 to 4.16.6 (server#27247)
- Bump webpack from 4.44.1 to 4.44.2 (server#27297)
- Properly use limit and offset for search in Jail wrapper (server#27308)
- Make user:report command scale (server#27319)
- Properly log expiration date removal in audit log (server#27325)
- Propagate throttling on OCS response (server#27337)
- Set umask before operations that create local files (server#27349)
- Escape filename in Content-Disposition (server#27360)
- Don't update statuses to offline again and again (server#27412)
- Header must contain a colon (server#27456)
- Activate constraint check for oracle / pqsql also for 20 (server#27523)
- Only allow removing existing shares that would not be allowed due to
reshare restrictions (server#27552)
- Bump ws from 7.3.1 to 7.5.0 (server#27570)
- Properly cleanup entries of WebAuthn on user deletion (server#27596)
- Throttle on public DAV endpoint (server#27617)
- Bump vue-loader from 15.9.3 to 15.9.7 (server#27639)
- Bump eslint-plugin-standard from 4.0.1 to 4.0.2 (server#27651)
- Validate the theming color also on CLI (server#27680)
- Downstream encryption:fix-encrypted-version for repairing bad signature
errors (server#27728)
- Remove encodeURI code (files_pdfviewer#396)
- Only ask for permissions on HTTPS (notifications#998)
- Fix sorting if one of the file name is only composed with number
(photos#785)
- Backport 20 fix Photos not shown in large browser windows #630 (#686)
(photos#810)
- Update File.vue (photos#813)
- Update chart.js (serverinfo#309)
- Only return workspace property for top node in a propfind request
(text#1611)
- ViewerComponent: pass on autofocus to EditorWrapper (text#1647)
- Use text/plain as content type for fetching the document (text#1692)
- Log exceptions that happen on unknown exception and return generic
messages (text#1698)
- Add fixup (viewer#924)
- Fix: fullscreen for Firefox (viewer#929)

Update to 20.0.7

- Catch NotFoundException when querying quota (server#25315)
- CalDAV] Validate notified emails (server#25324)
- Fix/app fetcher php compat comparison (server#25347)
- Show the actual error on share requests (server#25352)
- Fix parameter provided as string not array (server#25366)
- The objectid is a string (server#25374)
- 20.0.7 final (server#25387)
- Properly handle SMB ACL blocking scanning a directory (server#25421)
- Don't break completely when creating the digest fail for one user
(activity#556)
- Only attempt to use a secure view if hide download is actually set
(files_pdfviewer#296)
- Fix opening PDF files with special characters in their name
(files_pdfviewer#298)
- Fix PDF viewer failing on Edge (not based on Chromium)
(files_pdfviewer#299)
- Cannot unfold plain text notifications (notifications#846)
- Remove EPUB mimetype (text#1391)

Update to 20.0.6

- Make sure to do priority app upgrades first (server#25077)
- Respect DB restrictions on number of arguments in statements and queries
(server#25120)
- Add a hint about the direction of priority (server#25143)
- Do not redirect to logout after login (server#25146)
- Fix comparison of PHP versions (server#25152)
- Add "composer.lock" for acceptance tests to git (server#25178)
- Update CRL due to revoked gravatar.crl (server#25190)
- Don't log keys on checkSignature (server#25193)
- Update 3rdparty after Archive_Tar (server#25199)
- Bump CA bundle (server#25219)
- Update handling of user credentials (server#25225)
- Fix encoding issue with OC.Notification.show (server#25244)
- Also use storage copy when dav copying directories (server#25261)
- Silence log message (server#25263)
- Extend ILDAPProvider to allow reading arbitrairy ldap attributes for
users (server#25276)
- Do not obtain userFolder of a federated user (server#25278)
- Bump pear/archive_tar from 1.4.11 to 1.4.12 (3rdparty#603)
- Add gitignore entry for .github folder of dependencies (3rdparty#604)
- Clear event array on getting them (activity#551)

Update to 20.0.5

- Don't log params of imagecreatefromstring (server#24546)
- Use storage copy implementation when doing dav copy (server#24590)
- Use in objectstore copy (server#24592)
- Add tel, note, org and title search (server#24697)
- Check php compatibility of app store app releases (server#24698)
- Fix #24682]: ensure federation cloud id is retruned if FN property not
found (server#24709)
- Do not include non-required scripts on the upgrade page (server#24714)
- LDAP: fix inGroup for memberUid type of group memberships (server#24716)
- Cancel user search requests to avoid duplicate results being added
(server#24728)
- Also unset the other possible unused paramters (server#24751)
- Enables the file name check also to match name of mountpoints
(server#24760)
- Fixes sharing to group ids with characters that are being url encoded
(server#24763)
- Limit getIncomplete query to one row (server#24791)
- Fix Argon2 descriptions (server#24792)
- Actually set the TTL on redis set (server#24798)
- Allow to force rename a conflicting calendar (server#24806)
- Fix IPv6 localhost regex (server#24823)
- Catch the error on heartbeat update (server#24826)
- Make oc_files_trash.auto_id a bigint (server#24853)
- Fix total upload size overwritten by next upload (server#24854)
- Avoid huge exception argument logging (server#24876)
- Make share results distinguishable if there are more than one with the
exact same display name (server#24878)
- Add migration for oc_share_external columns (server#24963)
- Don't throw a 500 when importing a broken ics reminder file
(server#24972)
- Fix unreliable ViewTest (server#24976)
- Update root.crl due to revocation of transmission.crt (server#24990)
- Set the JSCombiner cache if needed (server#24997)
- Fix column name to check prior to deleting (server#25009)
- Catch throwable instead of exception (server#25013)
- Set the user language when adding the footer (server#25019)
- Change defaultapp in config.sample.php to dashboard to improve docs and
align it to source code (server#25030)
- Fix clearing the label of a share (server#25035)
- Update psalm-baseline.xml (server#25066)
- Don't remove assignable column for now (server#25074)
- Add setup check to verify that the used DB version is still supported???
(server#25076)
- Correctly set the user for activity parsing when preparing a notifica???
(activity#542)
- Bump vue-virtual-grid from 2.2.1 to 2.3.0 (photos#597)
- Catch possible database exceptions when fetching document data
(text#1221)
- Make sure we have the proper PHP version installed before running
composer (text#1234)
- Revert removal of transformResponse (text#1235)
- Bump prosemirror-view from 1.16.1 to 1.16.5 (text#1255)
- Bump @babel/preset-env from 7.12.1 to 7.12.11 (text#1257)
- Bump babel-loader from 8.1.0 to 8.2.2 (text#1259)
- Bump eslint-plugin-standard from 4.0.2 to 4.1.0 (text#1261)
- Bump vue-loader from 15.9.5 to 15.9.6 (text#1263)
- Bump prosemirror-model from 1.12.0 to 1.13.1 (text#1265)
- Bump core-js from 3.7.0 to 3.8.1 (text#1266)
- Bump stylelint from 13.7.2 to 13.8.0 (text#1269)
- Bump @babel/plugin-transform-runtime from 7.12.1 to 7.12.10 (text#1271)
- Bump sass-loader from 10.0.5 to 10.1.0 (text#1273)
- Bump webpack-merge from 5.3.0 to 5.7.2 (text#1274)
- Bump @babel/core from 7.12.3 to 7.12.10 (text#1277)
- Bump cypress from 5.1.0 to 5.6.0 (text#1278)
- Bump @vue/test-utils from 1.1.1 to 1.1.2 (text#1279)
- Bump webpack-merge from 5.7.2 to 5.7.3 (text#1303)

- The apache subpackage must require the main package, otherwise it will
not be uninstalled when the main package is uninstalled.

Update to 20.0.4

- Avoid dashboard crash when accessibility app is not installed
(server#24636)
- Bump ini from 1.3.5 to 1.3.7 (server#24649)
- Handle owncloud migration to latest release (server#24653)
- Use string for storing a OCM remote id (server#24654)
- Fix MySQL database size calculation (serverinfo#262)
- Bump cypress-io/github-action@v2 (viewer#722)
- Fix] sidebar opening animation (viewer#723)
- Fix not.exist cypress and TESTING checks (viewer#725)

- Put apache configuration files in separate subpackage.

- Use apache-rpm-macros for SUSE.
- Change oc_* macros to nc_* macros.
- Insert macro apache_serverroot also in cron files.

Update to 20.0.3

* Check quota of subdirectories when uploading to them (server#24181)
* CircleId too short in some request (server#24196)
* Missing level in ScopedPsrLogger (server#24212)
* Fix nextcloud logo in email notifications misalignment (server#24228)
* Allow selecting multiple columns with SELECT DISTINCT (server#24230)
* Use file name instead of path in 'not allowed to share' message
(server#24231)
* Fix setting images through occ for theming (server#24232)
* Use regex when searching on single file shares (server#24239)
* Harden EncryptionLegacyCipher a bit (server#24249)
* Update ScanLegacyFormat.php (server#24258)
* Simple typo in comments (server#24259)
* Use correct year for generated birthdays events (server#24263)
* Delete files that exceed trashbin size immediately (server#24297)
* Update sabre/xml to fix XML parsing errors (server#24311)
* Only check path for being accessible when the storage is a object home
(server#24325)
* Avoid empty null default with value that will be inserted anyways
(server#24333)
* Fix contacts menu position and show uid as a tooltip (server#24342)
* Fix the config key on the sharing expire checkbox (server#24346)
* Set the display name of federated sharees from addressbook (server#24353)
* Catch storage not available in versions expire command (server#24367)
* Use proper bundles for files client and fileinfo (server#24377)
* Properly encode path when fetching inherited shares (server#24387)
* Formatting remote sharer should take protocol, path into account
(server#24391)
* Make sure we add new line between vcf groups exports (server#24443)
* Fix public calendars shared to circles (server#24446)
* Store scss variables under a different prefix for each theming config
version (server#24453)
* External storages: save group ids not display names in configuration
(server#24455)
* Use correct l10n source in files_sharing JS code (server#24462)
* Set frame-ancestors to none if none are filled (server#24477)
* Move the password fiels of chaging passwords to post (server#24478)
* Move the global password for files external to post (server#24479)
* Only attempt to move to trash if a file is not in appdata (server#24483)
* Fix loading mtime of new file in conflict dialog in firefox
(server#24491)
* Harden setup check for TLS version if host is not reachable
(server#24502)
* Fix file size computation on 32bit platforms (server#24509)
* Allow subscription to indicate that a userlimit is reached (server#24511)
* Set mountid for personal external storage mounts (server#24513)
* Only execute plain mimetype check for directories and do the fallback???
(server#24517)
* Fix vsprint parameter (server#24527)
* Replace abandoned log normalizer with our fork (server#24530)
* Add icon to user limit notification (server#24531)
* Also run repair steps when encryption is disabled but a legacy key is
present (server#24532)
* [3rdparty][security] Archive TAR to 1.4.11 (server#24534)
* Generate a new session id if the decrypting the session data fails
(server#24553)
* Revert "Do not read certificate bundle from data dir by default"
(server#24556)
* Dont use system composer for autoload checker (server#24557)
* Remember me is not an app_password (server#24563)
* Do not load nonexisting setup.js (server#24582)
* Update sabre/xml to fix XML parsing errors (3rdparty#529)
* Use composer v1 on CI (3rdparty#532)
* Bump pear/archive_tar from 1.4.9 to 1.4.11 (3rdparty#536)
* Replace abandoned log normalizer with our fork (3rdparty#543)
* Allow nullable values as subject params (activity#535)
* Don't log when unknown array is null (notifications#803)
* Feat/virtual grid (photos#550)
* Make sure we have a string to localecompare to (photos#583)
* Always get recommendations for dashboard if enabled (recommendations#336)
* Properly fetch oracle database information (serverinfo#258)
* Also register to urlChanged event to update RichWorkspace (text#1181)
* Move away from GET (text#1214)

Update to 20.0.2

* CVE-2020-8293: Fixed input validation which allowed users to store
unlimited data in workflow rules (boo#1181445).
* CVE-2020-8294: Fixed a missing link validation (boo#1181803).
* Inidicate preview availability in share api responses (server#23419)
* CalDavBackend: check if timerange is array before accessing
(server#23563)
* Some emojis are in CHAR_CATEGORY_GENERAL_OTHER_TYPES (server#23575)
* Also expire share type email (server#23583)
* Only use index of mount point when it is there (server#23611)
* Only retry fetching app store data once every 5 minutes in case it fails
(server#23633)
* Bring back the restore share button (server#23636)
* Fix updates of NULL appconfig values (server#23641)
* Fix sharing input placeholder for emails (server#23646)
* Use bigint for fileid in filecache_extended (server#23690)
* Enable theming background transparency (server#23699)
* Fix sharer flag on ldap:show-remnants when user owned more than a single
share (server#23702)
* Make sure the function signatures of the backgroundjob match
(server#23710)
* Check if array elements exist before using them (server#23713)
* Fix default quota display value in user row (server#23726)
* Use lib instead if core as l10n module in OC_Files (server#23727)
* Specify accept argument to avatar upload input field (server#23732)
* Save email as lower case (server#23733)
* Reset avatar cropper before showing (server#23736)
* Also run the SabreAuthInitEvent for the main server (server#23745)
* Type the \OCP\IUserManager::callForAllUsers closure with Psalm
(server#23749)
* Type the \OCP\AppFramework\Services\IInitialState::provideLazyInitial???
(server#23751)
* Don't overwrite the event if we use it later (server#23753)
* Inform the user when flow config data exceeds thresholds (server#23759)
* Type the \OCP\IUserManager::callForSeenUsers closure with Psalm
(server#23763)
* Catch errors when closing file conflict dialog (server#23774)
* Document the backend registered events of LDAP (server#23779)
* Fetch the logger and system config once for all query builder instances
(server#23787)
* Type the event dispatcher listener callables with Psalm (server#23789)
* Only run phpunit when "php" changed (server#23794)
* Remove bold font-weight and lower font-size for empty search box
(server#23829)
* No need to check if there is an avatar available, because it is gener???
(server#23846)
* Ensure filepicker list is empty before populating (server#23850)
* UserStatus: clear status message if message is null (server#23858)
* Fix grid view toggle in tags view (server#23874)
* Restrict query when searching for versions of trashbin files
(server#23884)
* Fix potentially passing null to events where IUser is expected
(server#23894)
* Make user status styles scoped (server#23899)
* Move help to separate stylesheet (server#23900)
* Add default font size (server#23902)
* Do not emit UserCreatedEvent twice (server#23917)
* Bearer must be in the start of the auth header (server#23924)
* Fix casting of integer and boolean on Oracle (server#23935)
* Skip already loaded apps in loadApps (server#23948)
* Fix repair mimetype step to not leave stray cursors (server#23950)
* Improve query type detection (server#23951)
* Fix iLike() falsely turning escaped % and _ into wildcards (server#23954)
* Replace some usages of OC_DB in OC\Share\* with query builder
(server#23955)
* Use query builder instead of OC_DB in trashbin (server#23971)
* Fix greatest/least order for oracle (server#23975)
* Fix link share label placeholder not showing (server#23992)
* Unlock when promoting to exclusive lock fails (server#23995)
* Make sure root storage is valid before checking its size (server#23996)
* Use query builder instead of OC_DB in OC\Files\* (server#23998)
* Shortcut to avoid file system setup when generating the logo URL
(server#24001)
* Remove old legacy scripts references (server#24004)
* Fix js search in undefined ocs response (server#24012)
* Don't leave cursors open (server#24033)
* Fix sharing tab state not matching resharing admin settings
(server#24044)
* Run unit tests against oracle (server#24049)
* Use png icons in caldav reminder emails (server#24050)
* Manually iterate over calendardata when oracle is used (server#24058)
* Make is_user_defined nullable so we can store false on oracle
(server#24079)
* Fix default internal expiration date enforce (server#24081)
* Register new command db:add-missing-primary-keys (server#24106)
* Convert the card resource to a string if necessary (server#24114)
* Don't throw on SHOW VERSION query (server#24147)
* Bump dompurify to 2.2.2 (server#24153)
* Set up FS before querying storage info in settings (server#24156)
* Fix default internal expiration date (server#24159)
* CircleId too short in some request (server#24178)
* Revert "circleId too short in some request" (server#24183)
* Missing level in ScopedPsrLogger (server#24212)
* Fix activity spinner on empty activity (activity#523)
* Add OCI github action (activity#528)
* Disable download button by default (files_pdfviewer#257)
* Feat/dependabot ga/stable20 (firstrunwizard#442)
* Fix loading notifications without a message on oracle (notifications#796)
* Do not setup appdata in constructor to avoid errors causing the whole
instance to stop working (text#1105)
* Bump eslint-plugin-standard from 4.0.1 to 4.0.2 (text#1125)
* Bump sass-loader from 10.0.1 to 10.0.5 (text#1134)
* Bump webpack from 4.44.1 to 4.44.2 (text#1140)
* Bump dependencies to version in range (text#1164)
* Validate link on click (text#1166)
* Add migration to fix oracle issues with the database schema (text#1177)
* Bump cypress from 4.12.1 to 5.1.0 (text#1179)
* Fix URL escaping of shared files (viewer#681)
* Fix component click outside and cleanup structure (viewer#684)

Update to 20.0.1

No changelog from upstream at this time.

Update to 20.0.0

* Changes The three biggest features we introduce with Nextcloud 20 are:
- Our new dashboard provides a great starting point for the day with
over a dozen widgets ranging from Twitter and Github to Moodle and
Zammad already available
- Search was unified, bringing search results of Nextcloud apps as well
as external services like Gitlab, Jira and Discourse in one place
- Talk introduced bridging to other platforms including MS Teams, Slack,
IRC, Matrix and a dozen others
* Some other improvements we want to highlight include:
- Notifications and Activities were brought together, making sure you
won???t miss anything important
- We added a ???status??? setting so you can communicate to other
users what you are up to
- Talk also brings dashboard and search integration, emoji picker,
upload view, camera and microphone settings, mute and more
- Calendar integrates in dashboard and search, introduced a list view
and design improvements
- Mail introduces threaded view, mailbox management and more
- Deck integrates with dashboard and search, introduces Calendar
integration, modal view for card editing and series of smaller
improvements
- Flow adds push notification and webhooks so other web apps can
easily integrate with Nextcloud
- Text introduced direct linking to files in Nextcloud
- Files lets you add a description to public link shares
+ Read the full announcement on our blog
- NC-SA-2020-037
- CVE-2020-8295: Fixed Denial of service attack when resetting the
password for a user(boo#1181804)
- Update to 20.0.11
- Fix boo#1188247 - CVE-2021-32678: OCS API response ratelimits are not
applied
- Fix boo#1188248 - CVE-2021-32679: filenames where not escaped by default
in controllers using DownloadResponse
- Fix boo#1188249 - CVE-2021-32680: share expiration date wasn't properly
logged
- Fix boo#1188250 - CVE-2021-32688: lacking permission check with
application specific tokens
- Fix boo#1188251 - CVE-2021-32703: lack of ratelimiting on the shareinfo
endpoint
- Fix boo#1188252 - CVE-2021-32705: lack of ratelimiting on the public DAV
endpoint
- Fix boo#1188253 - CVE-2021-32725: default share permissions were not
being respected for federated reshares of files and folders
- Fix boo#1188254 - CVE-2021-32726: webauthn tokens were not deleted after
a user has been deleted
- Fix boo#1188255 - CVE-2021-32734: possible full path disclosure on
shared files
- Fix boo#1188256 - CVE-2021-32741: lack of ratelimiting on the public
share link mount endpoint
- Bump handlebars from 4.7.6 to 4.7.7 (server#26900)
- Bump lodash from 4.17.20 to 4.17.21 (server#26909)
- Bump hosted-git-info from 2.8.8 to 2.8.9 (server#26920)
- Don't break OCC if an app is breaking in it's Application class
(server#26954)
- Add bruteforce protection to the shareinfo endpoint (server#26956)
- Ignore readonly flag for directories (server#26965)
- Throttle MountPublicLinkController when share is not found (server#26971)
- Respect default share permissions for federated reshares (server#27001)
- Harden apptoken check (server#27014)
- Use parent wrapper to properly handle moves on the same source/target
storage (server#27016)
- Fix error when using CORS with no auth credentials (server#27027)
- Fix return value of getStorageInfo when 'quota_include_external_storage'
is enabled (server#27108)
- Bump patch dependencies (server#27183)
- Use noreply@ as email address for share emails (server#27209)
- Bump p-queue from 6.6.1 to 6.6.2 (server#27226)
- Bump browserslist from 4.14.0 to 4.16.6 (server#27247)
- Bump webpack from 4.44.1 to 4.44.2 (server#27297)
- Properly use limit and offset for search in Jail wrapper (server#27308)
- Make user:report command scale (server#27319)
- Properly log expiration date removal in audit log (server#27325)
- Propagate throttling on OCS response (server#27337)
- Set umask before operations that create local files (server#27349)
- Escape filename in Content-Disposition (server#27360)
- Don't update statuses to offline again and again (server#27412)
- Header must contain a colon (server#27456)
- Activate constraint check for oracle / pqsql also for 20 (server#27523)
- Only allow removing existing shares that would not be allowed due to
reshare restrictions (server#27552)
- Bump ws from 7.3.1 to 7.5.0 (server#27570)
- Properly cleanup entries of WebAuthn on user deletion (server#27596)
- Throttle on public DAV endpoint (server#27617)
- Bump vue-loader from 15.9.3 to 15.9.7 (server#27639)
- Bump eslint-plugin-standard from 4.0.1 to 4.0.2 (server#27651)
- Validate the theming color also on CLI (server#27680)
- Downstream encryption:fix-encrypted-version for repairing bad signature
errors (server#27728)
- Remove encodeURI code (files_pdfviewer#396)
- Only ask for permissions on HTTPS (notifications#998)
- Fix sorting if one of the file name is only composed with number
(photos#785)
- Backport 20 fix Photos not shown in large browser windows #630 (#686)
(photos#810)
- Update File.vue (photos#813)
- Update chart.js (serverinfo#309)
- Only return workspace property for top node in a propfind request
(text#1611)
- ViewerComponent: pass on autofocus to EditorWrapper (text#1647)
- Use text/plain as content type for fetching the document (text#1692)
- Log exceptions that happen on unknown exception and return generic
messages (text#1698)
- Add fixup (viewer#924)
- Fix: fullscreen for Firefox (viewer#929)

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.2:

zypper in -t patch openSUSE-2021-1068=1

- openSUSE Backports SLE-15-SP3:

zypper in -t patch openSUSE-2021-1068=1

- openSUSE Backports SLE-15-SP2:

zypper in -t patch openSUSE-2021-1068=1

- openSUSE Backports SLE-15-SP1:

zypper in -t patch openSUSE-2021-1068=1

- SUSE Package Hub for SUSE Linux Enterprise 12:

zypper in -t patch openSUSE-2021-1068=1


Package List:

- openSUSE Leap 15.2 (noarch):

nextcloud-20.0.11-lp152.3.9.1
nextcloud-apache-20.0.11-lp152.3.9.1

- openSUSE Backports SLE-15-SP3 (noarch):

nextcloud-20.0.11-bp153.2.3.1
nextcloud-apache-20.0.11-bp153.2.3.1

- openSUSE Backports SLE-15-SP2 (noarch):

nextcloud-20.0.11-bp152.2.9.1
nextcloud-apache-20.0.11-bp152.2.9.1

- openSUSE Backports SLE-15-SP1 (noarch):

nextcloud-20.0.11-bp151.3.15.1
nextcloud-apache-20.0.11-bp151.3.15.1

- SUSE Package Hub for SUSE Linux Enterprise 12 (noarch):

nextcloud-20.0.11-28.1
nextcloud-apache-20.0.11-28.1

References:

  https://www.suse.com/security/cve/CVE-2020-8293.html
  https://www.suse.com/security/cve/CVE-2020-8294.html
  https://www.suse.com/security/cve/CVE-2020-8295.html
  https://www.suse.com/security/cve/CVE-2021-32678.html
  https://www.suse.com/security/cve/CVE-2021-32679.html
  https://www.suse.com/security/cve/CVE-2021-32680.html
  https://www.suse.com/security/cve/CVE-2021-32688.html
  https://www.suse.com/security/cve/CVE-2021-32703.html
  https://www.suse.com/security/cve/CVE-2021-32705.html
  https://www.suse.com/security/cve/CVE-2021-32725.html
  https://www.suse.com/security/cve/CVE-2021-32726.html
  https://www.suse.com/security/cve/CVE-2021-32734.html
  https://www.suse.com/security/cve/CVE-2021-32741.html
  https://bugzilla.suse.com/1181445
  https://bugzilla.suse.com/1181803
  https://bugzilla.suse.com/1181804
  https://bugzilla.suse.com/1188247
  https://bugzilla.suse.com/1188248
  https://bugzilla.suse.com/1188249
  https://bugzilla.suse.com/1188250
  https://bugzilla.suse.com/1188251
  https://bugzilla.suse.com/1188252
  https://bugzilla.suse.com/1188253
  https://bugzilla.suse.com/1188254
  https://bugzilla.suse.com/1188255
  https://bugzilla.suse.com/1188256