openSUSE Security Update: Security update for nextcloud
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2021:1275-1
Rating:             important
References:         #1190291 
Cross-References:   CVE-2021-32766 CVE-2021-32800 CVE-2021-32801
                    CVE-2021-32802
CVSS scores:
                    CVE-2021-32800 (NVD) : 8.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
                    CVE-2021-32801 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
                    CVE-2021-32802 (NVD) : 9.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L

Affected Products:
                    openSUSE Backports SLE-15-SP2
______________________________________________________________________________

   An update that fixes four vulnerabilities is now available.

Description:

   This update for nextcloud fixes the following issues:

   Update to 20.0.12

   Fix boo#1190291

   - CVE-2021-32766 (CWE-209): Generation of Error Message Containing
     Sensitive Information
   - CVE-2021-32800 (CWE-306): Missing Authentication for Critical Function
   - CVE-2021-32801 (CWE-532): Insertion of Sensitive Information into Log
     File
   - CVE-2021-32802 (CWE-829): Inclusion of Functionality from Untrusted
     Control Sphere

   Changes

   - Bump vue-router from 3.4.3 to 3.4.9 (server#27224)
   - Bump v-click-outside from 3.1.1 to 3.1.2 (server#27232)
   - Bump url-search-params-polyfill from 8.1.0 to 8.1.1 (server#27236)
   - Bump debounce from 1.2.0 to 1.2.1 (server#27646)
   - Bump vue and vue-template-compiler (server#27701)
   - Design fixes to app-settings button (server#27745)
   - Reset checksum when writing files to object store (server#27754)
   - Run s3 tests again (server#27804)
   - Fix in locking cache check (server#27829)
   - Bump dompurify from 2.2.8 to 2.2.9 (server#27836)
   - Make search popup usable on mobile, too (server#27858)
   - Cache images on browser (server#27863)
   - Fix dark theme on public link shares (server#27895)
   - Make user status usable on mobile (server#27897)
   - Do not escape display name in dashboard welcome text (server#27913)
   - Bump moment-timezone from 0.5.31 to 0.5.33 (server#27924)
   - Fix newfileMenu on public page (server#27941)
   - Fix svg icons disapearing in app navigation when text overflows
     (server#27955)
   - Bump bootstrap from 4.5.2 to 4.5.3 (server#27965)
   - Show registered breadcrumb detail views in breadcrumb menu (server#27970)
   - Fix regression in file sidebar (server#27976)
   - Bump exports-loader from 1.1.0 to 1.1.1 (server#27984)
   - Bump @nextcloud/capabilities from 1.0.2 to 1.0.4 (server#27985)
   - Bump @nextcloud/vue-dashboard from 1.0.0 to 1.0.1 (server#27988)
   - Improve notcreatable permissions hint (server#28006)
   - Update CRL due to revoked twofactor_nextcloud_notification.crt
     (server#28018)
   - Bump sass-loader from 10.0.2 to 10.0.5 (server#28032)
   - Increase footer height for longer menus (server#28045)
   - Mask password for Redis and RedisCluster on connection failure
     (server#28054)
   - Fix missing theming for login button (server#28065)
   - Fix overlapping of elements in certain views (server#28072)
   - Disable HEIC image preview provider for performance concerns
     (server#28081)
   - Improve provider check (server#28087)
   - Sanitize more functions from the encryption app (server#28091)
   - Hide download button for public preview of audio files (server#28096)
   - L10n: HTTP in capital letters (server#28107)
   - Fix dark theme in file exists dialog (server#28111)
   - Let memory limit set in tests fit the used amount (server#28125)
   - User management - Add icon to user groups (server#28172)
   - Bump marked from 1.1.1 to 1.1.2 (server#28187)
   - Fix variable override in file view (server#28191)
   - Bump regenerator-runtime from 0.13.7 to 0.13.9 (server#28207)
   - Bump url-loader from 4.1.0 to 4.1.1 (server#28208)
   - Fix Files breadcrumbs being hidden even if there is enough space
     (server#28224)
   - Dont apply jail search filter is on the root (server#28241)
   - Check that php was compiled with argon2 support or that the php-sodium
     extensions is installed (server#28289)
   - Fix preference name when generating notifications (activity#603)
   - Fix monochrome icon detection for correct dark mode invert (activity#607)
   - Fix "Enable notification emails" (activity#613)
   - Show add, del and restored files within by and self filter (activity#616)
   - Link from app-navigation-settings to personal settings (activity#625)
   - Fix pdfviewer design (files_pdfviewer#446)
   - Include version number in firstrunwizard (firstrunwizard#570)
   - Use notification main link if no parameter has a link
     (notifications#1040)
   - Bump sass-loader from 10.1.0 to 10.1.1 (text#1360)
   - Bump @babel/plugin-transform-runtime from 7.13.9 to 7.13.15 (text#1548)
   - Bump @babel/preset-env from 7.13.9 to 7.13.15 (text#1550)
   - Bump vue-loader from 15.9.6 to 15.9.7 (text#1592)
   - Unify error responses and add logging where appropriate (text#1719)
   - Disable header timeout on mobile (viewer#978)


Patch Instructions:

   To install this openSUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - openSUSE Backports SLE-15-SP2:

      zypper in -t patch openSUSE-2021-1275=1



Package List:

   - openSUSE Backports SLE-15-SP2 (noarch):

      nextcloud-20.0.12-bp152.2.12.1
      nextcloud-apache-20.0.12-bp152.2.12.1


References:

   https://www.suse.com/security/cve/CVE-2021-32766.html
   https://www.suse.com/security/cve/CVE-2021-32800.html
   https://www.suse.com/security/cve/CVE-2021-32801.html
   https://www.suse.com/security/cve/CVE-2021-32802.html
   https://bugzilla.suse.com/1190291

openSUSE: 2021:1275-1 important: nextcloud

September 16, 2021
An update that fixes four vulnerabilities is now available

Description

This update for nextcloud fixes the following issues: Update to 20.0.12 Fix boo#1190291 - CVE-2021-32766 (CWE-209): Generation of Error Message Containing Sensitive Information - CVE-2021-32800 (CWE-306): Missing Authentication for Critical Function - CVE-2021-32801 (CWE-532): Insertion of Sensitive Information into Log File - CVE-2021-32802 (CWE-829): Inclusion of Functionality from Untrusted Control Sphere Changes - Bump vue-router from 3.4.3 to 3.4.9 (server#27224) - Bump v-click-outside from 3.1.1 to 3.1.2 (server#27232) - Bump url-search-params-polyfill from 8.1.0 to 8.1.1 (server#27236) - Bump debounce from 1.2.0 to 1.2.1 (server#27646) - Bump vue and vue-template-compiler (server#27701) - Design fixes to app-settings button (server#27745) - Reset checksum when writing files to object store (server#27754) - Run s3 tests again (server#27804) - Fix in locking cache check (server#27829) - Bump dompurify from 2.2.8 to 2.2.9 (server#27836) - Make search popup usable on mobile, too (server#27858) - Cache images on browser (server#27863) - Fix dark theme on public link shares (server#27895) - Make user status usable on mobile (server#27897) - Do not escape display name in dashboard welcome text (server#27913) - Bump moment-timezone from 0.5.31 to 0.5.33 (server#27924) - Fix newfileMenu on public page (server#27941) - Fix svg icons disapearing in app navigation when text overflows (server#27955) - Bump bootstrap from 4.5.2 to 4.5.3 (server#27965) - Show registered breadcrumb detail views in breadcrumb menu (server#27970) - Fix regression in file sidebar (server#27976) - Bump exports-loader from 1.1.0 to 1.1.1 (server#27984) - Bump @nextcloud/capabilities from 1.0.2 to 1.0.4 (server#27985) - Bump @nextcloud/vue-dashboard from 1.0.0 to 1.0.1 (server#27988) - Improve notcreatable permissions hint (server#28006) - Update CRL due to revoked twofactor_nextcloud_notification.crt (server#28018) - Bump sass-loader from 10.0.2 to 10.0.5 (server#28032) - Increase footer height for longer menus (server#28045) - Mask password for Redis and RedisCluster on connection failure (server#28054) - Fix missing theming for login button (server#28065) - Fix overlapping of elements in certain views (server#28072) - Disable HEIC image preview provider for performance concerns (server#28081) - Improve provider check (server#28087) - Sanitize more functions from the encryption app (server#28091) - Hide download button for public preview of audio files (server#28096) - L10n: HTTP in capital letters (server#28107) - Fix dark theme in file exists dialog (server#28111) - Let memory limit set in tests fit the used amount (server#28125) - User management - Add icon to user groups (server#28172) - Bump marked from 1.1.1 to 1.1.2 (server#28187) - Fix variable override in file view (server#28191) - Bump regenerator-runtime from 0.13.7 to 0.13.9 (server#28207) - Bump url-loader from 4.1.0 to 4.1.1 (server#28208) - Fix Files breadcrumbs being hidden even if there is enough space (server#28224) - Dont apply jail search filter is on the root (server#28241) - Check that php was compiled with argon2 support or that the php-sodium extensions is installed (server#28289) - Fix preference name when generating notifications (activity#603) - Fix monochrome icon detection for correct dark mode invert (activity#607) - Fix "Enable notification emails" (activity#613) - Show add, del and restored files within by and self filter (activity#616) - Link from app-navigation-settings to personal settings (activity#625) - Fix pdfviewer design (files_pdfviewer#446) - Include version number in firstrunwizard (firstrunwizard#570) - Use notification main link if no parameter has a link (notifications#1040) - Bump sass-loader from 10.1.0 to 10.1.1 (text#1360) - Bump @babel/plugin-transform-runtime from 7.13.9 to 7.13.15 (text#1548) - Bump @babel/preset-env from 7.13.9 to 7.13.15 (text#1550) - Bump vue-loader from 15.9.6 to 15.9.7 (text#1592) - Unify error responses and add logging where appropriate (text#1719) - Disable header timeout on mobile (viewer#978)

 

Patch

Patch Instructions: To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Backports SLE-15-SP2: zypper in -t patch openSUSE-2021-1275=1


Package List

- openSUSE Backports SLE-15-SP2 (noarch): nextcloud-20.0.12-bp152.2.12.1 nextcloud-apache-20.0.12-bp152.2.12.1


References

https://www.suse.com/security/cve/CVE-2021-32766.html https://www.suse.com/security/cve/CVE-2021-32800.html https://www.suse.com/security/cve/CVE-2021-32801.html https://www.suse.com/security/cve/CVE-2021-32802.html https://bugzilla.suse.com/1190291


Severity
Announcement ID: openSUSE-SU-2021:1275-1
Rating: important
Affected Products: openSUSE Backports SLE-15-SP2 .

Related News

5.ShakingHands Esm H320
2 - 3 min read
At The Linux Foundation's Open Source Summit North America , Linus Torvalds, the creator of Linux, discussed various topics related to Linux
30.Lock Globe Motherboard Esm H320
1 - 2 min read
The SPDX 3.0 release marks a significant milestone in software management, particularly for Linux admins, infosec professionals, internet security
11.Locks IsometricPattern Esm H320
2 - 3 min read
Open Source maintainers and developers have been warned about the continued wave of attacks aimed at project maintainers similar to those recently
28.Lock Globe Esm H320
1 - 2 min read
A resurgence of cyberattacks targeting Linux systems in Asian campaigns through the utilization of the Pupy Remote Access Trojan (RAT) has been
27.Tablet Connections Blocks Lock Esm H320
2 - 4 min read
Canonical has recently announced the Beta release of Ubuntu Linux 24.04 LTS , codenamed "Noble Numbat." This release aims to continue Ubuntu's
21.Globe RadiatingCode Esm H320
2 - 3 min read
The open-source movement has come a long way, from its origins in the 1960s and 1970s to becoming an integral part of organizations worldwide.
13.Lock StylizedMotherboard Esm H320
2 - 3 min read
The Rust-based Edera project demonstrates a unique approach to container security that addresses cloud-native computing challenges. Let's examine
8.Locks HexConnections CodeGlobe Esm H320
2 - 3 min read
Canonical has launched Ubuntu Pro for Devices , a comprehensive offering emphasizing security and compliance for IoT device deployments. This
Sign Up

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved