{"affected":[{"ecosystem_specific":{"binaries":[{"nextcloud":"20.0.12-bp152.2.12.1","nextcloud-apache":"20.0.12-bp152.2.12.1"}]},"package":{"ecosystem":"SUSE:Package Hub 15 SP2","name":"nextcloud","purl":"pkg:rpm/suse/nextcloud&distro=SUSE%20Package%20Hub%2015%20SP2"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"20.0.12-bp152.2.12.1"}],"type":"ECOSYSTEM"}]}],"aliases":[],"details":"This update for nextcloud fixes the following issues:\n\nUpdate to 20.0.12\n\nFix boo#1190291 \n\n- CVE-2021-32766 (CWE-209): Generation of Error Message Containing Sensitive Information \n- CVE-2021-32800 (CWE-306): Missing Authentication for Critical Function \n- CVE-2021-32801 (CWE-532): Insertion of Sensitive Information into Log File \n- CVE-2021-32802 (CWE-829): Inclusion of Functionality from Untrusted Control Sphere \n\nChanges\n\n- Bump vue-router from 3.4.3 to 3.4.9 (server#27224)\n- Bump v-click-outside from 3.1.1 to 3.1.2 (server#27232)\n- Bump url-search-params-polyfill from 8.1.0 to 8.1.1 (server#27236)\n- Bump debounce from 1.2.0 to 1.2.1 (server#27646)\n- Bump vue and vue-template-compiler (server#27701)\n- Design fixes to app-settings button (server#27745)\n- Reset checksum when writing files to object store (server#27754)\n- Run s3 tests again (server#27804)\n- Fix in locking cache check (server#27829)\n- Bump dompurify from 2.2.8 to 2.2.9 (server#27836)\n- Make search popup usable on mobile, too (server#27858)\n- Cache images on browser (server#27863)\n- Fix dark theme on public link shares (server#27895)\n- Make user status usable on mobile (server#27897)\n- Do not escape display name in dashboard welcome text (server#27913)\n- Bump moment-timezone from 0.5.31 to 0.5.33 (server#27924)\n- Fix newfileMenu on public page (server#27941)\n- Fix svg icons disappearing in app navigation when text overflows (server#27955)\n- Bump bootstrap from 4.5.2 to 4.5.3 (server#27965)\n- Show registered breadcrumb detail views in breadcrumb menu (server#27970)\n- Fix regression in 
file sidebar (server#27976)\n- Bump exports-loader from 1.1.0 to 1.1.1 (server#27984)\n- Bump @nextcloud/capabilities from 1.0.2 to 1.0.4 (server#27985)\n- Bump @nextcloud/vue-dashboard from 1.0.0 to 1.0.1 (server#27988)\n- Improve notcreatable permissions hint (server#28006)\n- Update CRL due to revoked twofactor_nextcloud_notification.crt (server#28018)\n- Bump sass-loader from 10.0.2 to 10.0.5 (server#28032)\n- Increase footer height for longer menus (server#28045)\n- Mask password for Redis and RedisCluster on connection failure (server#28054)\n- Fix missing theming for login button (server#28065)\n- Fix overlapping of elements in certain views (server#28072)\n- Disable HEIC image preview provider for performance concerns (server#28081)\n- Improve provider check (server#28087)\n- Sanitize more functions from the encryption app (server#28091)\n- Hide download button for public preview of audio files (server#28096)\n- L10n: HTTP in capital letters (server#28107)\n- Fix dark theme in file exists dialog (server#28111)\n- Let memory limit set in tests fit the used amount (server#28125)\n- User management - Add icon to user groups (server#28172)\n- Bump marked from 1.1.1 to 1.1.2 (server#28187)\n- Fix variable override in file view (server#28191)\n- Bump regenerator-runtime from 0.13.7 to 0.13.9 (server#28207)\n- Bump url-loader from 4.1.0 to 4.1.1 (server#28208)\n- Fix Files breadcrumbs being hidden even if there is enough space (server#28224)\n- Don't apply jail search filter is on the root (server#28241)\n- Check that php was compiled with argon2 support or that the php-sodium extension is installed (server#28289)\n- Fix preference name when generating notifications (activity#603)\n- Fix monochrome icon detection for correct dark mode invert (activity#607)\n- Fix 'Enable notification emails' (activity#613)\n- Show add, del and restored files within by and self filter (activity#616)\n- Link from app-navigation-settings to personal settings (activity#625)\n- Fix 
pdfviewer design (files_pdfviewer#446)\n- Include version number in firstrunwizard (firstrunwizard#570)\n- Use notification main link if no parameter has a link (notifications#1040)\n- Bump sass-loader from 10.1.0 to 10.1.1 (text#1360)\n- Bump @babel/plugin-transform-runtime from 7.13.9 to 7.13.15 (text#1548)\n- Bump @babel/preset-env from 7.13.9 to 7.13.15 (text#1550)\n- Bump vue-loader from 15.9.6 to 15.9.7 (text#1592)\n- Unify error responses and add logging where appropriate (text#1719)\n- Disable header timeout on mobile (viewer#978)\n","id":"openSUSE-SU-2021:1275-1","modified":"2021-09-16T10:07:16Z","published":"2021-09-16T10:07:16Z","references":[{"type":"ADVISORY","url":"https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/4MPG3PDTQCC4GNWH7SOI44CK2TZJDN5R/"},{"type":"REPORT","url":"https://bugzilla.suse.com/1190291"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2021-32766"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2021-32800"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2021-32801"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2021-32802"}],"related":["CVE-2021-32766","CVE-2021-32800","CVE-2021-32801","CVE-2021-32802"],"summary":"Security update for nextcloud","upstream":["CVE-2021-32766","CVE-2021-32800","CVE-2021-32801","CVE-2021-32802"]}