A nextcloud-desktop security update has been released for SUSE Linux Enterprise 15 SP4.



openSUSE-SU-2023:0090-1: important: Security update for nextcloud-desktop


openSUSE Security Update: Security update for nextcloud-desktop
______________________________________________________________________________

Announcement ID: openSUSE-SU-2023:0090-1
Rating: important
References: #1201070 #1205798 #1205799 #1205800 #1205801
#1207976
Cross-References: CVE-2022-39331 CVE-2022-39332 CVE-2022-39333
CVE-2022-39334 CVE-2023-23942
CVSS scores:
CVE-2022-39331 (NVD) : 5.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CVE-2022-39332 (NVD) : 5.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CVE-2022-39333 (NVD) : 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVE-2022-39334 (NVD) : 3.9 CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
CVE-2023-23942 (NVD) : 5.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Affected Products:
openSUSE Backports SLE-15-SP4
______________________________________________________________________________

An update that solves 5 vulnerabilities and has one errata
is now available.

Description:

This update for nextcloud-desktop fixes the following issues:

nextcloud-desktop was updated to 3.8.0:

- Resize WebView widget once the loginpage rendered
- Feature/secure file drop
- Check German translation for wrong wording
- L10n: Correct word
- Fix displaying of file details button for local syncfileitem activities
- Improve config upgrade warning dialog
- Only accept folder setup page if overrideLocalDir is set
- Update CHANGELOG.
- Prevent ShareModel crash from accessing bad pointers
- Bugfix/init value for pointers
- Log to stdout when built in Debug config
- Clean up account creation and deletion code
- L10n: Added dot to end of sentence
- L10n: Fixed grammar
- Fix "Create new folder" menu entries in settings not working correctly
on macOS
- Ci/clang tidy checks init variables
- Fix share dialog infinite loading
- Fix edit locally job not finding the user account: wrong user id
- Skip e2e encrypted files with empty filename in metadata
- Use new connect syntax
- Fix avatars not showing up in settings dialog account actions until
clicked on
- Always discover blacklisted folders to avoid data loss when modifying
selectivesync list.
- Fix infinite loading in the share dialog when public link shares are
disabled on the server
- With cfapi when dehydrating files add missing flag
- Fix text labels in Sync Status component
- Display 'Search globally' as the last sharees list element
- Fix display of 2FA notification.
- Bugfix/do not restore virtual files
- Show server name in tray main window
- Add Ubuntu Lunar
- Debian build classification 'beta' cannot override 'release'.
- Update changelog
- Follow shouldNotify flag to hide notifications when needed
- Bugfix/stop after creating config file
- E2EE cut extra zeroes from decrypted byte array.
- When local sync folder is overridden, respect this choice
- Feature/e2ee fixes

- This also fixes security issues:

- (boo#1205798, CVE-2022-39331)
- Arbitrary HyperText Markup Language injection in notifications
- (boo#1205799, CVE-2022-39332)
- Arbitrary HyperText Markup Language injection in user status and
information
- (boo#1205800, CVE-2022-39333)
- Arbitrary HyperText Markup Language injection in desktop client
application
- (boo#1205801, CVE-2022-39334)
- Client incorrectly trusts invalid TLS certificates
- (boo#1207976, CVE-2023-23942)
- Missing sanitisation on QML labels leading to JavaScript injection

- Update to 3.7.4

- check German translation for wrong wording
- Fix "Create new folder" menu entries in settings not working correctly
on macOS
- Clean up account creation and deletion code
- Fix share dialog infinite loading
- fix edit locally job not finding the user account: wrong user id
- skip e2e encrypted files with empty filename in metadata
- Always discover blacklisted folders to avoid data loss when modifying
selectivesync list.
- use new connect syntax
- with cfapi when dehydrating files add missing flag
- Fix avatars not showing up in settings dialog account actions until
clicked on
- Fix text labels in Sync Status component
- Fix infinite loading in the share dialog when public link shares are
disabled on the server
- Ci/clang tidy checks init variables
- Display 'Search globally' as the last sharees list element
- Resize WebView widget once the loginpage rendered
- Bugfix/do not restore virtual files
- Fix display of 2FA notification.

- Update to 3.7.3

- Revert "Fix(l10n): capital_abcd Update translations from Transifex"
- Revert "Fix(l10n): capital_abcd Update translations from Transifex"
- Revert "Fix(l10n): capital_abcd Update translations from Transifex"

- Update to 3.7.2

- No regular changelog from upstream. See instead:
  https://github.com/nextcloud/desktop/compare/v3.7.1...v3.7.2

- Update to 3.7.1

- Backport/5393/stable 3.7 by @mgallien in #5403
- Fix wrong estimated time when doing sync. in #4902
- Bugfix/selective sync abort error in #4903
- Set UnifiedSearchResultNothingFound visibility less messily in #4751
- Clean up QML type and singleton registration in #4817
- Simplify activity list delegates by making them ItemDelegates, clean
up in #4786
- Improve activity list highlighting/keyboard item selection in #4781
- Replace private API QZipWriter with KArchive in #4768
- makes Qt WebEngine optional only on macOS in #4875
- Bugfix/conflict resolution when selecting folder in #4914
- Fix fileactivitylistmodel QML registration in #4920
- Updated link to documentation in #4792
- Fix menu bar height calculation on macOS in #4917
- Fix ActivityItem activityHover error in #4921
- Fix add account window text clipping, enlarge text in #4910
- Accept valid lsColJob reply XML content types in #4919
- Fix low-resolution file changed overlay icons in activities in #4930
- Refactor ActivityListModel population mechanisms in #4736
- Make account setup wizard's adjustWizardSize resize to current page
size instead of largest wizard page in #4911
- Deallocate call notification dialog objects when closed by @claucambra
in #4939
- Ensure that the file being processed has had its etag properly
sanitised, log etag more in #4940
- Feature/syncjournaldb handle errors in #4819
- Do not format text in QML components as HTML in #4944
- Fix two factor auth notification: activity item was disabled. in #4961
- Add a placeholder item for empty activity list in #4959
- Ensure strings in main window QML are presented as plain text and not
HTML by @claucambra in #4972
- Improve handling of file name clashes by @claucambra in #4970
- Add a QSortFilterProxyModel-based SortedActivityListModel by
@claucambra in #4933
- Bring back .lnk files on Windows and always treat them as non-virtual
files. by @allexzander in #4968
- Fix two factor authentication notification by @camilasan in #4967
- Ensure placeholder message in emoji picker wraps correctly in #4960
- Make activity action button an actual button, clean up contents in
#4784
- Improve the error box QML component in #4976
- Fix 'Reply' primary property. in #4985
- Fix sync progress bar colours in dark mode in #4986
- Fix predefined status text formatting in #4987
- Don't set up tray context menu on macOS, even if not building app
bundle in #4988
- Ci/check clang tidy in ci in #4995
- check our code with clang-tidy in #4999
- always use constexpr for all text constants in #4996
- avoid possibly crashing static_cast in #4994
- switch AppImage CI to latest tag: client-appimage-6 in #5003
- configure a list of checks for clang-tidy in #5004
- Fix link shares default expire date being enforced as maximum expire
date even when maximum date enforcement is disabled on the server in
#4982
- apply modernize-use-using via clang-tidy in #4993
- Ci/use no discard in #4992
- Fix files not unlocking after lock time expired in #4962
- Update client image in #5002
- let's check the format via some github action in #4991
- Feature/vfs windows sharing and lock state in #4942
- Update after tx migrate in #5019
- Improve 'Handle local file editing' feature. Add loading popup. Add
force sync before opening a file. in #4990
- Command-line client. Do not trust SSL certificates by default, unless
'--trust' option is set. in #5022
- Bugfix/files lock fail metadata in #5024
- do not ignore return value in #4998
- improve logs when adding sync errors in activity list of main dialog
in #5032
- Fix invisible user status selector button not being checked when user
is in Offline mode in #5012
- use correct version comparison on NSIS updater: fix update from rc in
#4979
- Bugfix/check token for edit locally requests in #5039
- Fix the dismiss button: display it whenever possible. in #4989
- Fix account not found when doing local file editing. in #5040
- Improve "pretty user name"-related strings, display in webflow
credentials in #5013
- Update CHANGELOG with 3.6.1 changes. in #5066
- Fix call notification dialog buttons in #5074
- validate certificate for E2EE against private key in #4949
- emit missing signal to update folder sync status icon in #5087
- Update CMake usage in README build instructions in #5086
- Clean up methods in sync engine in #5071
- Make Systray's void methods slots in #5042
- Remove unneeded parameter from CleanupPollsJob constructor in #5070
- Add a 'Sync now' button to the sync status header in the tray window
in #5018
- Modernise and improve code in AccountManager in #5026
- Fix macOS autoupdater settings in #5102
- Validate and sanitise edit locally token and relpath before sending to
server in #5093
- Refactor FolderMan's "Edit Locally" capabilities as separate class in
#5107
- Modernise and improve code in AccountSettings in #5027
- Fix compatibility with newer python3-nautilus in #5105
- Only show Sync Now button if account is connected in #5097
- use new public API to open an edit locally URL in #5116
- Add a new file details window, unify file activity and sharing in #4929
- E2EE. Do not generate keypair without user request. in #5067
- Fix incorrect current user index when adding or removing a user
account. Also fix incorrect user avatar lookup by id. in #5092
- Remove unused internal link widget from old share dialog in #5123
- Use separate variable for cfg file name in CMAKE. in #5136
- Bugfix/delete folders during propagation even when propagation has
errors in #5104
- Remove unused app pointer in CocoaInitializer in #5127
- Ensure 'Sync now' button doesn't have its text elided in #5129
- Fix share delegate button icon colors in dark mode in #5132
- Do not use copy-assignment of QDialog. in #5148
- Remove unused remotePath in User::processCompletedSyncItem in #5118
- Make user status selector modal, show user header in #5145
- properly escape a path when creating a test file during tests in #5151
- Add support cmake unity build in #5109
- Fix typo of connector in #5157
- fully qualify types in signals and slots in #5088
- Remove reference to inexistent property in NCCustomButton in #5173
- Fix ActivityList delegate warnings in #5172
- Ensure forcing a folder to be synced unpauses syncing on said folder
in #5152
- switch back to upstream craft in #5178
- fix renaming of folders with a deep hierarchy inside them in #5182
- fix instances of: c++11 range-loop might detach Qt container warnings
in #5089
- Implement context menu entry "Leave this share" in #5081
- check that we update local file mtime on changes from server in #5188
- Add end-to-end tests to our CI in #5124
- Modernize the Dolphin action plugin in #5192
- Ci/do not modify configuration file during tests in #5200
- cmake: Use FindPkgConfig's pkg_get_variable instead of custom macro in
#5199
- Fix tray window margins, stop cutting into window border in #5202
- fix regressions on pinState management when doing renames in #520
- Fix bad custom button alignments, sizings, etc. in #5189
- Ci/do not override configuration file in #5206
- Clearly tell user that E2EE has been enabled for an account in #5164
- Fix CfApiShellExtensionsIPCTest in #5209
- l10n: Fixed grammar in #5220
- Prevent bad encrypting of folder if E2EE has not been correctly set up
in #5223
- Remove close/dismiss button from encryption message in #5163
- Update macOS shell integration deployment targets in #5227
- Bugfix/case cash conflicts should not terminate sync in #5224
- Differentiate between E2EE not being enabled at all vs. E2EE being
enabled already through another device in account settings message in
#5179
- Ensure more QML text components are rendering things as plain text in
#5231
- l10n: Correct spelling in #5221
- Make use of plain text-enforcing qml labels in #5233
- Feature/edit file locally restart sync in #5175
- Fix CI errors for Edit Locally. in #5241
- Lock file when editing locally in #5226
- Format some QLabels as plain text in #5247
- do not create GUI from a random thread and show error on real error in
#5253
- Fix BasicComboBox internal layout in #5216
- Explicitly size and align user status selector text input to avoid
bugs with alternate QtQuick styles in #5214
- do not use bulk upload for e2ee files in #5256
- Only show mnemonic request dialog when user explicitly wants to enable
E2EE in #5181
- Replace share settings popup with a page on a StackView in #5194
- Add interactive NC Talk notifications on macOS in #5143
- Show file details within the tray dialog, rather than in a separate
dialog in #5139
- Silence sync termination errors when running EditLocallyJob. in #5261
- Fix typo in #5257
- Add an "Encrypt" menu entry in file browser context menu for folders
in #5263
- Add a nix flake for easy building and dev environments in #5007
- Add an internal link share to the share dialog in #5131
- Avoid the Get-Task-Allow Entitlement (macOS Notarization) in #5274
- sets a fixed version for pixman when building desktop client via Craft
in #5269
- Fix SyncEngineTest failure when localstate is destroyed. in #5273
- Feature/remove obsolete names in #5271
- Remove unused HeaderBanner component in #5245
- Feature/do not sync enc folders if e2ee is not setup in #5258
- fix migration from old settings configuration files in #5141
- Use QFileInfo::exists where we are only creating a QFileInfo to check
if file exists in #5291
- Make correct use of Qt signal 'emit' keyword in #5287
- Remove unused variables in #5290
- Declare all QRegularExpressions statically in #5289
- l10n: Remove space in #5297
- Feature/move shellextensions to root installdir in #5295
- Improve backup dark mode palette for Windows in #5298
- Allow setting up an account with apppasword and folder via
command-line arguments. For deployment. in #5296
- Update file's metadata in the local database when the etag changes
while file remains unchanged. Fix subsequent conflict when locking and
unlocking. in #5293
- Fix warnings on QPROPERTY-s in #5286
- Replace now deprecated FSEventStreamScheduleWithRunLoop with
FSEventStreamSetDispatchQueue in #5272
- Fix macOS shell integration class inits in #5299
- Drop dependency on Qt Quick Controls 1 in #5309
- Fix full-text search results not being opened in browser in #5279
- Feature/allow forceoverrideurl via command line in #5329
- Bugfix/e2ee vulnerability empty metadatakeys in #5323
- Always generate random initialization vector when uploading encrypted
file in #5324
- Fix bad string for translation. in #5358
- Update legal notice to 2023 in #5361
- Fix migration from legacy client when override server url is set in
#5322
- Don't try to lock folders when editing locally in #5317
- Fix fetch more unified search result item not being clickable in #5266
- Add ability to disable E2EE in #5167
- Remove unused monochrome icons setting in #5366
- Feature/sync with case clash names in #5232
- Edit locally. Do not lock if locking is disabled on the server. in
#5371
- Revert "Merge pull request #5366 from
nextcloud/bugfix/remove-mono-icons-setting" in #5372
- Open calendar notifications in the browser. in #4684
- Migrate old configs in #5362
- Always unlock E2EE folders, even when network failure or crash. in
#5370
- Fix displaying of file details button for local syncfileitem
activities in #5380
- Improve config upgrade warning dialog in #5386
- Backport/5385/stable 3.7 in #5388

- Update to 3.6.6

- Revert "Fix(l10n): capital_abcd Update translations from Transifex"
33f3975

- Update to 3.6.5

- do not assert when sharing to a circle in #5310
- Fix macOS shell integration class inits in #5311
- Drop dependency on Qt Quick Controls 1 in #5312
- Feature/allow forceoverrideurl via command line in #5332
- Fix typo in #5270
- check that we update local file mtime on changes from server in #5321
- fix regressions on pinState management when doing renames in #5333
- Always generate random initialization vector when uploading encrypted
file in #5334
- Fix SyncEngineTest failure when localstate is destroyed. in #5336
- Bugfix/e2ee vulnerability empty metadatakeys in #5335

- Update to 3.6.4

- do not create GUI from a random thread and show error on real error

- Update to 3.6.3

- Fix typo of connector
- fix renaming of folders with a deep hierarchy inside them
- Make user status selector modal, show user header
- Prevent bad encrypting of folder if E2EE has not been correctly set up
- Feature/edit file locally restart sync
- Add forcefoldersync method to folder manager
- Make use of plain text-enforcing qml labels
- Lock file when editing locally
- Format some QLabels as plain text

- Update to 3.6.2

- Fix call notification dialog buttons by @backportbot-nextcloud in #5075
- emit missing signal to update folder sync status icon by
@backportbot-nextcloud in #5090
- Fix macOS autoupdater settings by @backportbot-nextcloud in #5103
- Validate and sanitise edit locally token and relpath before sending to
server by @backportbot-nextcloud in #5106
- Fix compatibility with newer python3-nautilus by
@backportbot-nextcloud in #5112
- Refactor FolderMan's "Edit Locally" capabilities as separate class by
@backportbot-nextcloud in #5111
- use new public API to open an edit locally URL by
@backportbot-nextcloud in #5117
- Use separate variable for cfg file name in CMAKE. by
@backportbot-nextcloud in #5140
- Fix stable-3.6 compile on macOS by @claucambra in #5154
- Fix bad backport of CustomButton changes in Stable-3.6 by @claucambra
in #5155
- Backport/5067/stable 3.6 by @allexzander in #5153
- Backport/5092/stable 3.6 by @allexzander in #5156
- properly escape a path when creating a test file during tests by
@backportbot-nextcloud in #5158

- Split out the dbus service related files that provides libcloudproviders
integration for nextcloud desktop client into a separate package; when
this is installed, launching any app supporting libowncloudproviders
(e.g. nautilus on GNOME) will automatically launch the desktop client --
which is rather annoying to happen by default, esp. in cases where a
user does not even have a nextcloud account (gh#nextcloud/desktop#1982,
gh#nextcloud/desktop#2622).

- Make the extension work again on Nautilus 43. This patch also supports
previous Nautilus versions.

- Update to 3.6.1

- Fix wrong estimated time when doing sync.
- Bugfix/selective sync abort error
- Bugfix/conflict resolution when selecting folder
- Fix menu bar height calculation on macOS
- Fix add account window text clipping, enlarge text
- Accept valid lsColJob reply XML content types
- Fix low-resolution file changed overlay icons in activities
- Deallocate call notification dialog objects when closed
- Ensure that the file being processed has had its etag properly
sanitised, log etag more
- Ensure strings in main window QML are presented as plain text and not
HTML
- Do not format text in QML components as HTML
- Fix two factor authentication notification
- Bring back .lnk files on Windows and always treat them as non-virtual
files.
- Fix 'Reply' primary property.
- Update after tx migrate
- Command-line client. Do not trust SSL certificates by default, unless
'--trust' option is set.
- Fix invisible user status selector button not being checked when user
is in Offline mode
- Fix link shares default expire date being enforced as maximum expire
date even when maximum date enforcement is disabled on the server
- Backport/4989/stable 3.6
- use correct version comparison on NSIS updater: fix update from rc
- Improve 'Handle local file editing' feature. Add loading popup. Add
f…
- Backport/5039/bugfix/check token for edit locally requests
- Fix account not found when doing local file editing.
- Fix two factor auth notification: activity item was disabled.
- Fix predefined status text formatting
- Fix sync progress bar colours in dark mode
- Improve handling of file name clashes
- Ensure placeholder message in emoji picker wraps correctly

- Update to 3.6.0
- Fix crash in cldapi.dll
- Updating command-rebase.yml workflow from template
- Reply button size should be same as the input field, smaller + text
color
- Fix crashing when selecting user status and predefined statuses not
appearing
- Make user status dialog look in line with the rest of the desktop
client tray and Nextcloud
- Add a placeholder message for the recents tab of the emoji picker
- Add SVG icon styled for macOS Big Sur
- Ensure the dispatch source only gets deallocated after the
dispatch_source_cancel is done, avoiding crashing of the Finder Sync
Extension on macOS
- Properly adapt the UserStatusSelectorModel to QML, eliminate hacks,
make code more declarative
- Fix the system tray menu not being correctly replaced in
setupContextMenu on GNOME
- Make the share dialog resizeable
- Make client language gender-neutral and more clear
- Use an en-dash for the userstatus panel
- Close call notifications when the call has been joined by the user, or
the call has ended
- Correct spelling
- Print sync direction in SyncFileStatusTracker::slotAboutToPropagate
- Windows CI. Use specific Craft revision.
- Add 'db/local/remote' reference to log string.
- Work around issues with window positioning on Linux DEs, hardcode tray
window to screen center when new account added
- Add a custom back button to the account wizard's advanced setup page
- Clean up systray methods, make more QML-friendly
- Refactor tray window opening code for clarity and efficiency
- Increase the call state checking interval to not overload the server
- Fix bad quote in CMakeLists PNG generation message
- Only set _FORTIFY_SOURCE when a higher level of this flag has not been
set
- Switch to using the main client CI image based on ubuntu 22.04
- Limit concurrent notifications
- Use macOS-specific application icon
- QML-ify the UserModel, use properties rather than setter methods
- Take ints by value rather than reference in UserModel methods
- Feature/vfs windows thumbnails
- Respect skipAutoUpdateCheck in nextcloud.cfg with Sparkle on macOS
- Restyle unified search skeleton items animation and simplify their code
- Stop styling QML unified search items hierarchically, use global Style
constants
- Use preprocessor directive rather than normal 'if' for UNNotification
types
- Make apps menu scrollable when content taller than available vertical
space, preventing borking of layout
- Ensure that throttled notifications still appear in tray activity model
- Stop clearing notifications when new notifications are received
- Fix ActivityItemContent QML paintedWidth errors
- Clicking on an activity list item for a file opens the local file if
available
- Replace unified search text field busy indicator with custom indicator
- Update macOS Info.plist
- Ensure debug archive contents are readable by any user
- Remove Ubuntu Impish, add Kinetic
- Make UserStatusSelector a dismissible page pushed onto the tray window
- Feature/handle edit locally
- Add Debian Bullseye build
- Double-clicking tray icon opens currently-selected user's local folder
(if available)
- Clean up TalkReplyTextField, remove unnecessary parent Item
- Refactor user line
- Do not reboot PC when running an MSI via autoupdate.
- Always run MSI with full UI.
- Eliminate padding around the menu separator in the account menu
- Feature/enable more warnings also for gcc
- Move CFAPI shell extensions variables to root CMakeLists.
- Move URI scheme variable from Nextcloud.cmake to root CMakeLists.
- Ensure SyncEngine use an initialized instance of SyncOptions
- Fix QML warnings
- I18n: Spelling unification
- Fix crash: 'Failed to create OpenGL context'.
- Fix bugs with setting 'Away' user status
- Fix greek translation for application name in menu
- Align, resize, and layout everything uniformly in the unified search
view
- Remove libglib-2.0.so.0 and libgobject-2.0.so.0 from Appimage.
- Fix unified search item placeholder image source
- Use same tooltip component everywhere, fix tooltip clipping bugs
- Fix account switching and hover issues with UserLine component
- Remove Ubuntu Focal
- Add a ScrollView to the predefined statuses area of the
UserStatusSelector
- Prevent the 'Cancel' button of the user status selector getting
squashed
- Ensure that clear status message combo box is at least implicit width
- Fix alignment of predefined status contents regardless of emoji fonts
- Prevent crashing when trying to create error-ing QML component in
systray.cpp, output error to log
- Add CHANGELOG.md.
- Ensure file activity dialog is centered on screen and appears at top
of window stack
- Build script for AppImage should not assume Nextcloud is the name
- Fix File Activities dialog not showing up.
- Reads and store fileId and remote permissions during bulk upload
- Do not build qt keychain already included in the CI images
- Bugfix/web engine on win11
- Update CHANGELOG for the 3.6.0 release.
- Fix script that upload AppImage to go in correct path

- Update to 3.5.4

- Add and use DO_NOT_REBOOT_IN_SILENT=1 parameter for MSI to not reboot
during the auto-update.

- Update to 3.5.3
- Fix the system tray menu not being correctly replaced in
setupContextMenu on GNOME
- Ensure call notification stays on top of other windows
- Work around issues with window positioning on Linux DEs, hardcode tray
window to screen center when new account added
- Clean up systray methods, make more QML-friendly
- Refactor tray window opening code for clarity and efficiency
- Only set _FORTIFY_SOURCE when a higher level of this flag has not been
set
- Limit concurrent notifications
- Take ints by value rather than reference in UserModel methods
- Respect skipAutoUpdateCheck in nextcloud.cfg with Sparkle on macOS
- Use preprocessor directive rather than normal 'if' for UNNotification
types
- QML-ify the UserModel, use properties rather than setter methods
- Fix ActivityItemContent QML paintedWidth errors
- Stop clearing notifications when new notifications are received
- Ensure debug archive contents are readable by any user
- Stop styling QML unified search items hierarchically, use global Style
constants
- Update macOS Info.plist
- print sync direction in SyncFileStatusTracker::slotAboutToPropagate
- Remove Ubuntu Impish, add Kinetic
- Ensure that throttled notifications still appear in tray activity model
- Make apps menu scrollable when content taller than available vertical
space, preventing borking of layout

- Update to 3.5.2

- Explicitly ask user for notification authorisation on launch (macOS)
- Fix crash caused by overflow in FinderSyncExtension
- add new fixup workflow from nextcloud org
- Display chat message inside the OS notification.
- Fix 'TypeError: Cannot readproperty 'messageSent' of undefined'.
- Add a transparent background to the send reply button.
- Fix build on macOS versions pre-11 (down to 10.14)
- Ignore Office temp folders on Mac ('.sb-' in folder name).
- Remove assert, it is no longer useful.
- Add contrast to the text/icon of buttons if the server defined color
is light.
- fix general section
- Remove tooltip because it is only repeating the label of the link.
- bugfix/share-dialog
- Updating command-rebase.yml workflow from template
- Reply button size should be same as the input field, smaller + text
color
- Close call notifications when the call has been joined by the user, or
the call has ended
- Increase the call state checking interval to not overload the server
- Ensure the dispatch source only gets deallocated after the
dispatch_source_cancel is done, avoiding crashing of the Finder Sync
Extension on macOS

* A more future-proof and distribution friendly fix for boo#1201070

- Fix Tumbleweed build and install error boo#1201070. Use own CFLAGS for
Tumbleweed with -D_FORTIFY_SOURCE=2 instead of -D_FORTIFY_SOURCE=3.

- Update to 3.5.1
- Add new and correct sparkle update signature
- l10n: Remove string from translation
- l10n: Changed triple dot to ellipsis
- Ensure cache is stored in default cache location
- Updating command-rebase.yml workflow from template
- Remove "…" from "Create Debug Archive" button
- docs: Replace "preceded" with "followed"
- only add OCS-APIREQUEST header for 1st request of webflow v1
- Make the make_universal.py script more verbose for easier debugging
- Revamp notifications for macOS and add support for actionable update
notifications
- Use proper online status for user ('dnd', 'online', 'invisible', etc.)
to enable or disable desktop notifications.
- Bugfix. Take root folder's files size into account when displaying the
total size in selective sync dialog.
- Fix activity list item issues with colours/layout/etc.
- Bugfix/allow manual rename files with spaces
- Fixed share link expiration box being ineditable and always attempting
to set invalid date
- Fix crashing of finder sync extension caused by dispatch_source_cancel
of nullptr
- Simplify and remove the notification "cache"
- Fix tray icon not displaying "Open main dialog"
- if an exclude file is deleted, skip it and remove it from internal list
- Bugfix/two factor notification
- Fix visual borking in the share dialog
- add explicit capture for lambda

- Update to 3.5.0
- Require cmake 3.16
- Add testing for ActivityListModel
- Check for dbus-1 when building with cloudproviders
- Add ability to copy internal link from share dialog
- Feature/improve activity buttons
- Add thumbnails for files in the activity view
- Use proper API to dehydrate a placeholder file
- Feature/Talk Reply v1
- Ensure we emit a rename command for renamed files
- Remove Hirsute, add Jammy
- Allow account menu to scroll when content height is larger than menu
height
- Always build with updater. Use 'beta/stable' channel selector in
'General Settings' dialog with default 'stable'.
- Cmake option to disable proxy
- Add support for server color theming
- No longer assume status bar height, calculate, fixing notch borking on
new MacBook Pro
- Add a dark mode
- Generates pot files automatically.
- Add headers in cmake files to get them properly detected
- Ensure that bulk upload network job errors are handled
- Do not remove a folder that has files that were not uploaded yet
during propagation
- L10n: Change to lowercase
- Simplify currentScreen in systray.cpp
- Fix warn colour in dark mode
- Do not remove files from a Group folder and its nested folders when it
is renamed or removed while not allowed.
- Rollback local move on server move failure
- Implement local socket to communicate with finder extension
- Bugfix/prevent overflow with mtime
- L10n: Changed spelling
- Add 'Help' action back.
- Ensure file activity dialog appears in centre of screen
- Increase maximum text line count in tray activity items to two lines
- Fix file activity dialog
- Properly ask Qt to create qml opengl surface with proper options
- Old submodule url does not work any longer
- Old submodule url does not work any longer
- Prepare for 3.5.0-rc1
- Fix icon color and highlight color issues
- Fix for VFS crashes due to mimetype checking for thumbnails
- Fix various dark mode bugs
- Add a new yml github issue template for bug reports.
- Ensure we only store update channel not localized in settings
- Improve talk reply
- Prepare for 3.5.0-rc2
- Bugfix/talk reply part 2
- Darkmode. Fix crash on exit.
- Avoid deleting renamed file with spaces in name
- More dark mode fixes
- Ensure we do properly failed hydration jobs
- Fix build of appimage for branded clients
- Prepare for 3.5.0-rc3
- Feature/files lock
- Add call notification dialog.
- Fix thumbnails for new files made while client open
- Increase time between connection tries
- Improve contrast on server color themed elements
- Fix positioning of activities in the activities list
- Bugfix/activities fetch server overload
- Realigned and resized thumbnails
- Add user avatars in talk notifications in activity list
- Fix sparkle implementation in the desktop client
- Prepare 3.5.0-rc4
- Prepare final 3.5.0 release

- Update to 3.4.4
- Do not remove files from a Group folder and its nested folders when it
is renamed or removed while not allowed.
- Bugfix/prevent overflow with mtime
- Old submodule url does not work any longer

- Update to 3.4.3
- Remove Hirsute, add Jammy
- Cmake option to disable proxy
- ensure we emit a rename command for renamed files
- Makes sure that sync engine terminates when an error happens
- ensure that bulk upload network job errors are handled
- Rollback local move on server move failure
- Do not remove a folder that has files that were not uploaded yet
during propagation

- Update to 3.4.2
- Bugfix/force re-login on SSL Handshake error
- Do not display 'Conflict when uploading some files to a folder
- Windows. MSI. Unregister Nextcloud folders in SyncRootManager on
uninstall.
- Unbreak loading translations
- Hide share button for deleted files and ignored files in tray activity
- Display error message when creating a link share with compromised
password.
- Bugfix. Re-init sharing manager to enable link sharing UI when
receiving sharing permissions.
- Show only filenames in tray activity items, with full path in tooltip
- use proper API to dehydrate a placeholder file
- Add macOS *.textClipping files to ignore list

- Update to 3.4.1
- fix random error when updating CfApi metadata
- do not forget the path when renaming files with invalid names
- Bugfix/assert invalid modtime
- Feature/folder logo variations
- Always prefill username from Windows login name based on server version
- Bugfix/3.4.1 rc1
- Bugfix/sync stuck on error
- Bugfix/force download local invalid files
- Enforce VFS. Disable 'Make always available locally'.
- Bugfix/avoid sync getting stuck
- Fix CMake error in ECMAddAppIcon for mac
- Do not crash on findAndCancelDeletedJob
- ensure any errors after calling FileSystem::getModTime are handled

- Skipped version 3.4.0 because of modtime bug. See:
  https://github.com/nextcloud/desktop/pull/4049
  Please read the following wiki page on how to fix files with an invalid
  modification date:
  https://github.com/nextcloud/desktop/wiki/Fix-bug-invalid-modification-date


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Backports SLE-15-SP4:

zypper in -t patch openSUSE-2023-90=1


Package List:

- openSUSE Backports SLE-15-SP4 (aarch64 x86_64):

libnextcloudsync-devel-3.8.0-bp154.2.3.1
libnextcloudsync0-3.8.0-bp154.2.3.1
nextcloud-desktop-3.8.0-bp154.2.3.1
nextcloud-desktop-dolphin-3.8.0-bp154.2.3.1

- openSUSE Backports SLE-15-SP4 (noarch):

caja-extension-nextcloud-3.8.0-bp154.2.3.1
cloudproviders-extension-nextcloud-3.8.0-bp154.2.3.1
nautilus-extension-nextcloud-3.8.0-bp154.2.3.1
nemo-extension-nextcloud-3.8.0-bp154.2.3.1
nextcloud-desktop-doc-3.8.0-bp154.2.3.1
nextcloud-desktop-lang-3.8.0-bp154.2.3.1

References:

  https://www.suse.com/security/cve/CVE-2022-39331.html
  https://www.suse.com/security/cve/CVE-2022-39332.html
  https://www.suse.com/security/cve/CVE-2022-39333.html
  https://www.suse.com/security/cve/CVE-2022-39334.html
  https://www.suse.com/security/cve/CVE-2023-23942.html
  https://bugzilla.suse.com/1201070
  https://bugzilla.suse.com/1205798
  https://bugzilla.suse.com/1205799
  https://bugzilla.suse.com/1205800
  https://bugzilla.suse.com/1205801
  https://bugzilla.suse.com/1207976