SUSE 5182 Published by

A nextcloud security update has been released for SUSE Linux Enterprise 15 SP3.



openSUSE-SU-2021:1255-1: important: Security update for nextcloud


openSUSE Security Update: Security update for nextcloud
______________________________________________________________________________

Announcement ID: openSUSE-SU-2021:1255-1
Rating: important
References: #1190291
Cross-References: CVE-2021-32766 CVE-2021-32800 CVE-2021-32801
CVE-2021-32802
CVSS scores:
CVE-2021-32800 (NVD) : 8.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
CVE-2021-32801 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVE-2021-32802 (NVD) : 9.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L

Affected Products:
openSUSE Backports SLE-15-SP3
______________________________________________________________________________

An update that fixes four vulnerabilities is now available.

Description:

This update for nextcloud fixes the following issues:

Update to 20.0.12

Fix boo#1190291

- CVE-2021-32766 (CWE-209): Generation of Error Message Containing
Sensitive Information
- CVE-2021-32800 (CWE-306): Missing Authentication for Critical Function
- CVE-2021-32801 (CWE-532): Insertion of Sensitive Information into Log
File
- CVE-2021-32802 (CWE-829): Inclusion of Functionality from Untrusted
Control Sphere

Changes

- Bump vue-router from 3.4.3 to 3.4.9 (server#27224)
- Bump v-click-outside from 3.1.1 to 3.1.2 (server#27232)
- Bump url-search-params-polyfill from 8.1.0 to 8.1.1 (server#27236)
- Bump debounce from 1.2.0 to 1.2.1 (server#27646)
- Bump vue and vue-template-compiler (server#27701)
- Design fixes to app-settings button (server#27745)
- Reset checksum when writing files to object store (server#27754)
- Run s3 tests again (server#27804)
- Fix in locking cache check (server#27829)
- Bump dompurify from 2.2.8 to 2.2.9 (server#27836)
- Make search popup usable on mobile, too (server#27858)
- Cache images on browser (server#27863)
- Fix dark theme on public link shares (server#27895)
- Make user status usable on mobile (server#27897)
- Do not escape display name in dashboard welcome text (server#27913)
- Bump moment-timezone from 0.5.31 to 0.5.33 (server#27924)
- Fix newfileMenu on public page (server#27941)
- Fix svg icons disapearing in app navigation when text overflows
(server#27955)
- Bump bootstrap from 4.5.2 to 4.5.3 (server#27965)
- Show registered breadcrumb detail views in breadcrumb menu (server#27970)
- Fix regression in file sidebar (server#27976)
- Bump exports-loader from 1.1.0 to 1.1.1 (server#27984)
- Bump @nextcloud/capabilities from 1.0.2 to 1.0.4 (server#27985)
- Bump @nextcloud/vue-dashboard from 1.0.0 to 1.0.1 (server#27988)
- Improve notcreatable permissions hint (server#28006)
- Update CRL due to revoked twofactor_nextcloud_notification.crt
(server#28018)
- Bump sass-loader from 10.0.2 to 10.0.5 (server#28032)
- Increase footer height for longer menus (server#28045)
- Mask password for Redis and RedisCluster on connection failure
(server#28054)
- Fix missing theming for login button (server#28065)
- Fix overlapping of elements in certain views (server#28072)
- Disable HEIC image preview provider for performance concerns
(server#28081)
- Improve provider check (server#28087)
- Sanitize more functions from the encryption app (server#28091)
- Hide download button for public preview of audio files (server#28096)
- L10n: HTTP in capital letters (server#28107)
- Fix dark theme in file exists dialog (server#28111)
- Let memory limit set in tests fit the used amount (server#28125)
- User management - Add icon to user groups (server#28172)
- Bump marked from 1.1.1 to 1.1.2 (server#28187)
- Fix variable override in file view (server#28191)
- Bump regenerator-runtime from 0.13.7 to 0.13.9 (server#28207)
- Bump url-loader from 4.1.0 to 4.1.1 (server#28208)
- Fix Files breadcrumbs being hidden even if there is enough space
(server#28224)
- Dont apply jail search filter is on the root (server#28241)
- Check that php was compiled with argon2 support or that the php-sodium
extensions is installed (server#28289)
- Fix preference name when generating notifications (activity#603)
- Fix monochrome icon detection for correct dark mode invert (activity#607)
- Fix "Enable notification emails" (activity#613)
- Show add, del and restored files within by and self filter (activity#616)
- Link from app-navigation-settings to personal settings (activity#625)
- Fix pdfviewer design (files_pdfviewer#446)
- Include version number in firstrunwizard (firstrunwizard#570)
- Use notification main link if no parameter has a link
(notifications#1040)
- Bump sass-loader from 10.1.0 to 10.1.1 (text#1360)
- Bump @babel/plugin-transform-runtime from 7.13.9 to 7.13.15 (text#1548)
- Bump @babel/preset-env from 7.13.9 to 7.13.15 (text#1550)
- Bump vue-loader from 15.9.6 to 15.9.7 (text#1592)
- Unify error responses and add logging where appropriate (text#1719)
- Disable header timeout on mobile (viewer#978)

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Backports SLE-15-SP3:

zypper in -t patch openSUSE-2021-1255=1


Package List:

- openSUSE Backports SLE-15-SP3 (noarch):

nextcloud-20.0.12-bp153.2.6.1
nextcloud-apache-20.0.12-bp153.2.6.1

References:

  https://www.suse.com/security/cve/CVE-2021-32766.html
  https://www.suse.com/security/cve/CVE-2021-32800.html
  https://www.suse.com/security/cve/CVE-2021-32801.html
  https://www.suse.com/security/cve/CVE-2021-32802.html
  https://bugzilla.suse.com/1190291