A nextcloud security update has been released for SUSE Linux Enterprise 12.

openSUSE-SU-2021:1602-1: important: Security update for nextcloud

openSUSE Security Update: Security update for nextcloud
______________________________________________________________________________

Announcement ID: openSUSE-SU-2021:1602-1
Rating: important
References: #1192028 #1192030 #1192031
Cross-References: CVE-2021-41177 CVE-2021-41178 CVE-2021-41179

CVSS scores:
CVE-2021-41177 (NVD) : 8.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
CVE-2021-41178 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE-2021-41179 (NVD) : 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Affected Products:
SUSE Package Hub for SUSE Linux Enterprise 12
______________________________________________________________________________

An update that fixes three vulnerabilities is now available.

Description:

This update for nextcloud fixes the following issues:

Update to 20.0.14

Security issues fixed:

* CVE-2021-41179: Fix boo#1192028 - (CWE-304): Two-Factor Authentication
not enforced for pages marked as public
* CVE-2021-41178: Fix boo#1192030 - (CWE-434): File Traversal affecting
SVG files on Nextcloud Server
* CVE-2021-41177: Fix boo#1192031 - (CWE-799): Rate-limits not working on
instances without configured memory cache backend

Changes:

- Add command to repair broken filesystem trees (server#26630)
- Ensure that user and group IDs in LDAP's tables are also max 64chars
(server#28971)
- Change output format of Psalm to Github (server#29048)
- File-upload: Correctly handle error responses for HTTP2 (server#29069)
- Allow "TwoFactor Nextcloud Notifications" to pull the state of the 2F???
(server#29072)
- Add a few sensitive config keys (server#29085)
- Fix path of file_get_contents (server#29095)
- Update the certificate bundle (server#29098)
- Keep pw based auth tokens valid when pw-less login happens (server#29131)
- Properly handle folder deletion on external s3 storage (server#29158)
- Tokens without password should not trigger changed password invalidation
(server#29166)
- Don't further setup disabled users when logging in with apache
(server#29167)
- Add 'supported'-label to all supported apps (server#29181)
- 21] generate a better optimized query for path prefix search filters
(server#29192)
- Keep group restrictions when reenabling apps after an update
(server#29198)
- Add proper message to created share not found (server#29205)
- Add documentation for files_no_background_scan (server#29219)
- Don't setup the filesystem to check for a favicon we don't use anyway
(server#29223)
- Fix background scan doc in config (server#29253)
- Get `filesize()` if `file_exists()` (server#29290)
- Fix unable to login errors due to file system not being initialized
(server#29291)
- Update 3rdparty ref (server#29297)
- Bump icewind/streams from 0.7.3 to 0.7.5 in files_external (server#29298)
- Fix app upgrade (server#29303)
- Avoid PHP errors when the LDAP attribute is not found (server#29314)
- Fix security issues when copying groupfolder with advanced ACL
(server#29366)
- Scheduling plugin not updating responding attendee status (server#29387)
- Make calendar schedule options translatable (server#29388)
- Add whitelist for apps inside of the server repo (server#29396)
- Handle files with `is_file` instead of `file_exists` (server#29417)
- Fixes an undefined index when getAccessList returns an empty array
(server#29421)
- Extra fixes needed for icewind/streams update to 0.7.2 (server#29426)
- Backport #29260: Respect user enumeration settings in user status lists
(server#29429)
- Implement local filtering in file list (server#29441)
- Detect mimetype by content only with content (server#29457)
- Update CRL (server#29505)
- Update update-psalm-baseline workflow (server#29548)
- Bump icewind/streams from 0.7.1 to 0.7.5 (3rdparty#855)
- Bump version (files_pdfviewer#512)
- Fix deleting notifications with numeric user ID (notifications#1090)
- Add integration tests for push registration (notifications#1097)
- Restore old device signature so the proxy works again
(notifications#1105)
- Bump vue and vue-template-compiler (photos#864)
- Bump prosemirror-schema-list from 1.1.5 to 1.1.6 (text#1868)
- Additional checks for workspace controller (text#1887)

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Package Hub for SUSE Linux Enterprise 12:

zypper in -t patch openSUSE-2021-1602=1


Package List:

- SUSE Package Hub for SUSE Linux Enterprise 12 (noarch):

nextcloud-20.0.14-34.1
nextcloud-apache-20.0.14-34.1

References:

  https://www.suse.com/security/cve/CVE-2021-41177.html
  https://www.suse.com/security/cve/CVE-2021-41178.html
  https://www.suse.com/security/cve/CVE-2021-41179.html
  https://bugzilla.suse.com/1192028
  https://bugzilla.suse.com/1192030
  https://bugzilla.suse.com/1192031