{"affected":[{"ecosystem_specific":{"binaries":[{"nextcloud":"20.0.14-bp153.2.9.1","nextcloud-apache":"20.0.14-bp153.2.9.1"}]},"package":{"ecosystem":"SUSE:Package Hub 12","name":"nextcloud","purl":"pkg:rpm/suse/nextcloud&distro=SUSE%20Package%20Hub%2012"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"20.0.14-bp153.2.9.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"nextcloud":"20.0.14-bp153.2.9.1","nextcloud-apache":"20.0.14-bp153.2.9.1"}]},"package":{"ecosystem":"SUSE:Package Hub 15 SP1","name":"nextcloud","purl":"pkg:rpm/suse/nextcloud&distro=SUSE%20Package%20Hub%2015%20SP1"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"20.0.14-bp153.2.9.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"nextcloud":"20.0.14-bp153.2.9.1","nextcloud-apache":"20.0.14-bp153.2.9.1"}]},"package":{"ecosystem":"SUSE:Package Hub 15 SP2","name":"nextcloud","purl":"pkg:rpm/suse/nextcloud&distro=SUSE%20Package%20Hub%2015%20SP2"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"20.0.14-bp153.2.9.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"nextcloud":"20.0.14-bp153.2.9.1","nextcloud-apache":"20.0.14-bp153.2.9.1"}]},"package":{"ecosystem":"SUSE:Package Hub 15 SP3","name":"nextcloud","purl":"pkg:rpm/suse/nextcloud&distro=SUSE%20Package%20Hub%2015%20SP3"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"20.0.14-bp153.2.9.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"nextcloud":"20.0.14-bp153.2.9.1","nextcloud-apache":"20.0.14-bp153.2.9.1"}]},"package":{"ecosystem":"openSUSE:Leap 15.2","name":"nextcloud","purl":"pkg:rpm/opensuse/nextcloud&distro=openSUSE%20Leap%2015.2"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"20.0.14-bp153.2.9.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"nextcloud":"20.0.14-bp153.2.9.1","nextcloud-apache":"20.0.14-bp153.2.9.1"}]},"package":{"ecosystem":"openSUSE:Leap 15.3","name":"nextcloud","purl":"pkg:rpm/opensuse/nextcloud&distro=openSUSE%20Leap%2015.3"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"20.0.14-bp153.2.9.1"}],"type":"ECOSYSTEM"}]}],"aliases":[],"details":"\nThis update for nextcloud fixes the following issues:\n\nUpdate to 20.0.14\n\nSecurity issues fixed:\n\n* CVE-2021-41179: Fix boo#1192028 - (CWE-304): Two-Factor Authentication not enforced for pages marked as public\n* CVE-2021-41178: Fix boo#1192030 - (CWE-434): File Traversal affecting SVG files on Nextcloud Server\n* CVE-2021-41177: Fix boo#1192031 - (CWE-799): Rate-limits not working on instances without configured memory cache backend\n\nChanges:\n\n- Add command to repair broken filesystem trees (server#26630)\n- Ensure that user and group IDs in LDAP's tables are also max 64chars (server#28971)\n- Change output format of Psalm to Github (server#29048)\n- File-upload: Correctly handle error responses for HTTP2 (server#29069)\n- Allow 'TwoFactor Nextcloud Notifications' to pull the state of the 2F… (server#29072)\n- Add a few sensitive config keys (server#29085)\n- Fix path of file_get_contents (server#29095)\n- Update the certificate bundle (server#29098)\n- Keep pw based auth tokens valid when pw-less login happens (server#29131)\n- Properly handle folder deletion on external s3 storage (server#29158)\n- Tokens without password should not trigger changed password invalidation (server#29166)\n- Don't further setup disabled users when logging in with apache (server#29167)\n- Add 'supported'-label to all supported apps (server#29181)\n- 21] generate a better optimized query for path prefix search filters (server#29192)\n- Keep group restrictions when reenabling apps after an update (server#29198)\n- Add proper message to created share not found (server#29205)\n- Add documentation for files_no_background_scan (server#29219)\n- Don't setup the filesystem to check for a favicon we don't use anyway (server#29223)\n- Fix background scan doc in config (server#29253)\n- Get `filesize()` if `file_exists()` (server#29290)\n- Fix unable to login errors due to file system not being initialized (server#29291)\n- Update 3rdparty ref (server#29297)\n- Bump icewind/streams from 0.7.3 to 0.7.5 in files_external (server#29298)\n- Fix app upgrade (server#29303)\n- Avoid PHP errors when the LDAP attribute is not found (server#29314)\n- Fix security issues when copying groupfolder with advanced ACL (server#29366)\n- Scheduling plugin not updating responding attendee status (server#29387)\n- Make calendar schedule options translatable (server#29388)\n- Add whitelist for apps inside of the server repo (server#29396)\n- Handle files with `is_file` instead of `file_exists` (server#29417)\n- Fixes an undefined index when getAccessList returns an empty array (server#29421)\n- Extra fixes needed for icewind/streams update to 0.7.2 (server#29426)\n- Backport #29260: Respect user enumeration settings in user status lists (server#29429)\n- Implement local filtering in file list (server#29441)\n- Detect mimetype by content only with content (server#29457)\n- Update CRL (server#29505)\n- Update update-psalm-baseline workflow (server#29548)\n- Bump icewind/streams from 0.7.1 to 0.7.5 (3rdparty#855)\n- Bump version (files_pdfviewer#512)\n- Fix deleting notifications with numeric user ID (notifications#1090)\n- Add integration tests for push registration (notifications#1097)\n- Restore old device signature so the proxy works again (notifications#1105)\n- Bump vue and vue-template-compiler (photos#864)\n- Bump prosemirror-schema-list from 1.1.5 to 1.1.6 (text#1868)\n- Additional checks for workspace controller (text#1887)\n","id":"openSUSE-SU-2021:1602-1","modified":"2021-12-20T10:28:56Z","published":"2021-12-20T10:28:56Z","references":[{"type":"ADVISORY","url":"https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/YPS4NA73653ZFLPRD3JJVTUZZ4PYGDUS/"},{"type":"REPORT","url":"https://bugzilla.suse.com/1192028"},{"type":"REPORT","url":"https://bugzilla.suse.com/1192030"},{"type":"REPORT","url":"https://bugzilla.suse.com/1192031"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2021-41177"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2021-41178"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2021-41179"}],"related":["CVE-2021-41177","CVE-2021-41178","CVE-2021-41179"],"summary":"Security update for nextcloud","upstream":["CVE-2021-41177","CVE-2021-41178","CVE-2021-41179"]}