openSUSE Security Update: Security update for nextcloud
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2021:1068-1
Rating:             important
References:         #1181445 #1181803 #1181804 #1188247 #1188248 
                    #1188249 #1188250 #1188251 #1188252 #1188253 
                    #1188254 #1188255 #1188256 
Cross-References:   CVE-2020-8293 CVE-2020-8294 CVE-2020-8295
                    CVE-2021-32678 CVE-2021-32679 CVE-2021-32680
                    CVE-2021-32688 CVE-2021-32703 CVE-2021-32705
                    CVE-2021-32725 CVE-2021-32726 CVE-2021-32734
                    CVE-2021-32741
CVSS scores:
                    CVE-2020-8293 (NVD) : 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
                    CVE-2020-8294 (NVD) : 5.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
                    CVE-2021-32680 (NVD) : 3.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
                    CVE-2021-32688 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected Products:
                    openSUSE Leap 15.2
                    openSUSE Backports SLE-15-SP3
                    openSUSE Backports SLE-15-SP2
                    openSUSE Backports SLE-15-SP1
______________________________________________________________________________

   An update that fixes 13 vulnerabilities is now available.

Description:

   This update for nextcloud fixes the following issues:

   nextcloud was updated to 20.0.11:

   - Fix boo#1188247 - CVE-2021-32678: OCS API response ratelimits are not
     applied
   - Fix boo#1188248 - CVE-2021-32679: filenames were not escaped by default
     in controllers using DownloadResponse
   - Fix boo#1188249 - CVE-2021-32680: share expiration date wasn't properly
     logged
   - Fix boo#1188250 - CVE-2021-32688: lacking permission check with
     application specific tokens
   - Fix boo#1188251 - CVE-2021-32703: lack of ratelimiting on the shareinfo
     endpoint
   - Fix boo#1188252 - CVE-2021-32705: lack of ratelimiting on the public DAV
     endpoint
   - Fix boo#1188253 - CVE-2021-32725: default share permissions were not
     being respected for federated reshares of files and folders
   - Fix boo#1188254 - CVE-2021-32726: webauthn tokens were not deleted after
     a user has been deleted
   - Fix boo#1188255 - CVE-2021-32734: possible full path disclosure on
     shared files
   - Fix boo#1188256 - CVE-2021-32741: lack of ratelimiting on the public
     share link mount endpoint
   - Bump handlebars from 4.7.6 to 4.7.7 (server#26900)
   - Bump lodash from 4.17.20 to 4.17.21 (server#26909)
   - Bump hosted-git-info from 2.8.8 to 2.8.9 (server#26920)
   - Don't break OCC if an app is breaking in its Application class
     (server#26954)
   - Add bruteforce protection to the shareinfo endpoint (server#26956)
   - Ignore readonly flag for directories (server#26965)
   - Throttle MountPublicLinkController when share is not found (server#26971)
   - Respect default share permissions for federated reshares (server#27001)
   - Harden apptoken check (server#27014)
   - Use parent wrapper to properly handle moves on the same source/target
     storage (server#27016)
   - Fix error when using CORS with no auth credentials (server#27027)
   - Fix return value of getStorageInfo when 'quota_include_external_storage'
     is enabled (server#27108)
   - Bump patch dependencies (server#27183)
   - Use noreply@ as email address for share emails (server#27209)
   - Bump p-queue from 6.6.1 to 6.6.2 (server#27226)
   - Bump browserslist from 4.14.0 to 4.16.6 (server#27247)
   - Bump webpack from 4.44.1 to 4.44.2 (server#27297)
   - Properly use limit and offset for search in Jail wrapper (server#27308)
   - Make user:report command scale (server#27319)
   - Properly log expiration date removal in audit log (server#27325)
   - Propagate throttling on OCS response (server#27337)
   - Set umask before operations that create local files (server#27349)
   - Escape filename in Content-Disposition (server#27360)
   - Don't update statuses to offline again and again (server#27412)
   - Header must contain a colon (server#27456)
   - Activate constraint check for oracle / pgsql also for 20 (server#27523)
   - Only allow removing existing shares that would not be allowed due to
     reshare restrictions (server#27552)
   - Bump ws from 7.3.1 to 7.5.0 (server#27570)
   - Properly cleanup entries of WebAuthn on user deletion (server#27596)
   - Throttle on public DAV endpoint (server#27617)
   - Bump vue-loader from 15.9.3 to 15.9.7 (server#27639)
   - Bump eslint-plugin-standard from 4.0.1 to 4.0.2 (server#27651)
   - Validate the theming color also on CLI (server#27680)
   - Downstream encryption:fix-encrypted-version for repairing bad signature
     errors (server#27728)
   - Remove encodeURI code (files_pdfviewer#396)
   - Only ask for permissions on HTTPS (notifications#998)
   - Fix sorting if one of the file names is composed only of digits
     (photos#785)
   - Backport 20 fix Photos not shown in large browser windows #630 (#686)
     (photos#810)
   - Update File.vue (photos#813)
   - Update chart.js (serverinfo#309)
   - Only return workspace property for top node in a propfind request
     (text#1611)
   - ViewerComponent: pass on autofocus to EditorWrapper (text#1647)
   - Use text/plain as content type for fetching the document (text#1692)
   - Log exceptions that happen on unknown exception and return generic
     messages (text#1698)
   - Add fixup (viewer#924)
   - Fix: fullscreen for Firefox (viewer#929)

   Update to 20.0.7

   - Catch NotFoundException when querying quota (server#25315)
   - [CalDAV] Validate notified emails (server#25324)
   - Fix/app fetcher php compat comparison (server#25347)
   - Show the actual error on share requests (server#25352)
   - Fix parameter provided as string not array (server#25366)
   - The objectid is a string (server#25374)
   - 20.0.7 final (server#25387)
   - Properly handle SMB ACL blocking scanning a directory (server#25421)
   - Don't break completely when creating the digest fails for one user
     (activity#556)
   - Only attempt to use a secure view if hide download is actually set
     (files_pdfviewer#296)
   - Fix opening PDF files with special characters in their name
     (files_pdfviewer#298)
   - Fix PDF viewer failing on Edge (not based on Chromium)
     (files_pdfviewer#299)
   - Cannot unfold plain text notifications (notifications#846)
   - Remove EPUB mimetype (text#1391)

   Update to 20.0.6

   - Make sure to do priority app upgrades first (server#25077)
   - Respect DB restrictions on number of arguments in statements and queries
     (server#25120)
   - Add a hint about the direction of priority (server#25143)
   - Do not redirect to logout after login (server#25146)
   - Fix comparison of PHP versions (server#25152)
   - Add "composer.lock" for acceptance tests to git (server#25178)
   - Update CRL due to revoked gravatar.crl (server#25190)
   - Don't log keys on checkSignature (server#25193)
   - Update 3rdparty after Archive_Tar (server#25199)
   - Bump CA bundle (server#25219)
   - Update handling of user credentials (server#25225)
   - Fix encoding issue with OC.Notification.show (server#25244)
   - Also use storage copy when dav copying directories (server#25261)
   - Silence log message (server#25263)
   - Extend ILDAPProvider to allow reading arbitrary LDAP attributes for
     users (server#25276)
   - Do not obtain userFolder of a federated user (server#25278)
   - Bump pear/archive_tar from 1.4.11 to 1.4.12 (3rdparty#603)
   - Add gitignore entry for .github folder of dependencies (3rdparty#604)
   - Clear event array on getting them (activity#551)

   Update to 20.0.5

   - Don't log params of imagecreatefromstring (server#24546)
   - Use storage copy implementation when doing dav copy (server#24590)
   - Use in objectstore copy (server#24592)
   - Add tel, note, org and title search (server#24697)
   - Check php compatibility of app store app releases (server#24698)
   - [Fix #24682]: ensure federation cloud id is returned if FN property not
     found (server#24709)
   - Do not include non-required scripts on the upgrade page (server#24714)
   - LDAP: fix inGroup for memberUid type of group memberships (server#24716)
   - Cancel user search requests to avoid duplicate results being added
     (server#24728)
   - Also unset the other possible unused parameters (server#24751)
   - Enables the file name check also to match name of mountpoints
     (server#24760)
   - Fixes sharing to group ids with characters that are being url encoded
     (server#24763)
   - Limit getIncomplete query to one row (server#24791)
   - Fix Argon2 descriptions (server#24792)
   - Actually set the TTL on redis set (server#24798)
   - Allow to force rename a conflicting calendar (server#24806)
   - Fix IPv6 localhost regex (server#24823)
   - Catch the error on heartbeat update (server#24826)
   - Make oc_files_trash.auto_id a bigint (server#24853)
   - Fix total upload size overwritten by next upload (server#24854)
   - Avoid huge exception argument logging (server#24876)
   - Make share results distinguishable if there are more than one with the
     exact same display name (server#24878)
   - Add migration for oc_share_external columns (server#24963)
   - Don't throw a 500 when importing a broken ics reminder file
     (server#24972)
   - Fix unreliable ViewTest (server#24976)
   - Update root.crl due to revocation of transmission.crt (server#24990)
   - Set the JSCombiner cache if needed (server#24997)
   - Fix column name to check prior to deleting (server#25009)
   - Catch throwable instead of exception (server#25013)
   - Set the user language when adding the footer (server#25019)
   - Change defaultapp in config.sample.php to dashboard to improve docs and
     align it to source code (server#25030)
   - Fix clearing the label of a share (server#25035)
   - Update psalm-baseline.xml (server#25066)
   - Don't remove assignable column for now (server#25074)
   - Add setup check to verify that the used DB version is still supported…
     (server#25076)
   - Correctly set the user for activity parsing when preparing a notifica…
     (activity#542)
   - Bump vue-virtual-grid from 2.2.1 to 2.3.0 (photos#597)
   - Catch possible database exceptions when fetching document data
     (text#1221)
   - Make sure we have the proper PHP version installed before running
     composer (text#1234)
   - Revert removal of transformResponse (text#1235)
   - Bump prosemirror-view from 1.16.1 to 1.16.5 (text#1255)
   - Bump @babel/preset-env from 7.12.1 to 7.12.11 (text#1257)
   - Bump babel-loader from 8.1.0 to 8.2.2 (text#1259)
   - Bump eslint-plugin-standard from 4.0.2 to 4.1.0 (text#1261)
   - Bump vue-loader from 15.9.5 to 15.9.6 (text#1263)
   - Bump prosemirror-model from 1.12.0 to 1.13.1 (text#1265)
   - Bump core-js from 3.7.0 to 3.8.1 (text#1266)
   - Bump stylelint from 13.7.2 to 13.8.0 (text#1269)
   - Bump @babel/plugin-transform-runtime from 7.12.1 to 7.12.10 (text#1271)
   - Bump sass-loader from 10.0.5 to 10.1.0 (text#1273)
   - Bump webpack-merge from 5.3.0 to 5.7.2 (text#1274)
   - Bump @babel/core from 7.12.3 to 7.12.10 (text#1277)
   - Bump cypress from 5.1.0 to 5.6.0 (text#1278)
   - Bump @vue/test-utils from 1.1.1 to 1.1.2 (text#1279)
   - Bump webpack-merge from 5.7.2 to 5.7.3 (text#1303)

   - The apache subpackage must require the main package, otherwise it will
     not be uninstalled when the main package is uninstalled.

   Update to 20.0.4

   - Avoid dashboard crash when accessibility app is not installed
     (server#24636)
   - Bump ini from 1.3.5 to 1.3.7 (server#24649)
   - Handle owncloud migration to latest release (server#24653)
   - Use string for storing a OCM remote id (server#24654)
   - Fix MySQL database size calculation (serverinfo#262)
   - Bump cypress-io/github-action@v2 (viewer#722)
   - [Fix] sidebar opening animation (viewer#723)
   - Fix not.exist cypress and TESTING checks (viewer#725)

   - Put apache configuration files in separate subpackage.

   - Use apache-rpm-macros for SUSE.
   - Change oc_* macros to nc_* macros.
   - Insert macro apache_serverroot also in cron files.

   Update to 20.0.3

   * Check quota of subdirectories when uploading to them (server#24181)
   * CircleId too short in some request (server#24196)
   * Missing level in ScopedPsrLogger (server#24212)
   * Fix nextcloud logo in email notifications misalignment (server#24228)
   * Allow selecting multiple columns with SELECT DISTINCT (server#24230)
   * Use file name instead of path in 'not allowed to share' message
     (server#24231)
   * Fix setting images through occ for theming (server#24232)
   * Use regex when searching on single file shares (server#24239)
   * Harden EncryptionLegacyCipher a bit (server#24249)
   * Update ScanLegacyFormat.php (server#24258)
   * Simple typo in comments (server#24259)
   * Use correct year for generated birthdays events (server#24263)
   * Delete files that exceed trashbin size immediately (server#24297)
   * Update sabre/xml to fix XML parsing errors (server#24311)
   * Only check path for being accessible when the storage is a object home
     (server#24325)
   * Avoid empty null default with value that will be inserted anyways
     (server#24333)
   * Fix contacts menu position and show uid as a tooltip (server#24342)
   * Fix the config key on the sharing expire checkbox (server#24346)
   * Set the display name of federated sharees from addressbook (server#24353)
   * Catch storage not available in versions expire command (server#24367)
   * Use proper bundles for files client and fileinfo (server#24377)
   * Properly encode path when fetching inherited shares (server#24387)
   * Formatting remote sharer should take protocol, path into account
     (server#24391)
   * Make sure we add new line between vcf groups exports (server#24443)
   * Fix public calendars shared to circles (server#24446)
   * Store scss variables under a different prefix for each theming config
     version (server#24453)
   * External storages: save group ids not display names in configuration
     (server#24455)
   * Use correct l10n source in files_sharing JS code (server#24462)
   * Set frame-ancestors to none if none are filled (server#24477)
   * Move the password fields of changing passwords to POST (server#24478)
   * Move the global password for files external to post (server#24479)
   * Only attempt to move to trash if a file is not in appdata (server#24483)
   * Fix loading mtime of new file in conflict dialog in firefox
     (server#24491)
   * Harden setup check for TLS version if host is not reachable
     (server#24502)
   * Fix file size computation on 32bit platforms (server#24509)
   * Allow subscription to indicate that a userlimit is reached (server#24511)
   * Set mountid for personal external storage mounts (server#24513)
   * Only execute plain mimetype check for directories and do the fallback…
     (server#24517)
   * Fix vsprint parameter (server#24527)
   * Replace abandoned log normalizer with our fork (server#24530)
   * Add icon to user limit notification (server#24531)
   * Also run repair steps when encryption is disabled but a legacy key is
     present (server#24532)
   * [3rdparty][security] Archive TAR to 1.4.11 (server#24534)
   * Generate a new session id if the decrypting the session data fails
     (server#24553)
   * Revert "Do not read certificate bundle from data dir by default"
     (server#24556)
   * Don't use system composer for autoload checker (server#24557)
   * Remember me is not an app_password (server#24563)
   * Do not load nonexisting setup.js (server#24582)
   * Update sabre/xml to fix XML parsing errors (3rdparty#529)
   * Use composer v1 on CI (3rdparty#532)
   * Bump pear/archive_tar from 1.4.9 to 1.4.11 (3rdparty#536)
   * Replace abandoned log normalizer with our fork (3rdparty#543)
   * Allow nullable values as subject params (activity#535)
   * Don't log when unknown array is null (notifications#803)
   * Feat/virtual grid (photos#550)
   * Make sure we have a string to localecompare to (photos#583)
   * Always get recommendations for dashboard if enabled (recommendations#336)
   * Properly fetch oracle database information (serverinfo#258)
   * Also register to urlChanged event to update RichWorkspace (text#1181)
   * Move away from GET (text#1214)

   Update to 20.0.2

   * CVE-2020-8293: Fixed input validation which allowed users to store
     unlimited data in workflow rules (boo#1181445).
   * CVE-2020-8294: Fixed a missing link validation (boo#1181803).
   * Indicate preview availability in share api responses (server#23419)
   * CalDavBackend: check if timerange is array before accessing
     (server#23563)
   * Some emojis are in CHAR_CATEGORY_GENERAL_OTHER_TYPES (server#23575)
   * Also expire share type email (server#23583)
   * Only use index of mount point when it is there (server#23611)
   * Only retry fetching app store data once every 5 minutes in case it fails
     (server#23633)
   * Bring back the restore share button (server#23636)
   * Fix updates of NULL appconfig values (server#23641)
   * Fix sharing input placeholder for emails (server#23646)
   * Use bigint for fileid in filecache_extended (server#23690)
   * Enable theming background transparency (server#23699)
   * Fix sharer flag on ldap:show-remnants when user owned more than a single
     share (server#23702)
   * Make sure the function signatures of the backgroundjob match
     (server#23710)
   * Check if array elements exist before using them (server#23713)
   * Fix default quota display value in user row (server#23726)
   * Use lib instead of core as l10n module in OC_Files (server#23727)
   * Specify accept argument to avatar upload input field (server#23732)
   * Save email as lower case (server#23733)
   * Reset avatar cropper before showing (server#23736)
   * Also run the SabreAuthInitEvent for the main server (server#23745)
   * Type the \OCP\IUserManager::callForAllUsers closure with Psalm
     (server#23749)
   * Type the \OCP\AppFramework\Services\IInitialState::provideLazyInitial…
     (server#23751)
   * Don't overwrite the event if we use it later (server#23753)
   * Inform the user when flow config data exceeds thresholds (server#23759)
   * Type the \OCP\IUserManager::callForSeenUsers closure with Psalm
     (server#23763)
   * Catch errors when closing file conflict dialog (server#23774)
   * Document the backend registered events of LDAP (server#23779)
   * Fetch the logger and system config once for all query builder instances
     (server#23787)
   * Type the event dispatcher listener callables with Psalm (server#23789)
   * Only run phpunit when "php" changed (server#23794)
   * Remove bold font-weight and lower font-size for empty search box
     (server#23829)
   * No need to check if there is an avatar available, because it is gener…
     (server#23846)
   * Ensure filepicker list is empty before populating (server#23850)
   * UserStatus: clear status message if message is null (server#23858)
   * Fix grid view toggle in tags view (server#23874)
   * Restrict query when searching for versions of trashbin files
     (server#23884)
   * Fix potentially passing null to events where IUser is expected
     (server#23894)
   * Make user status styles scoped (server#23899)
   * Move help to separate stylesheet (server#23900)
   * Add default font size (server#23902)
   * Do not emit UserCreatedEvent twice (server#23917)
   * Bearer must be in the start of the auth header (server#23924)
   * Fix casting of integer and boolean on Oracle (server#23935)
   * Skip already loaded apps in loadApps (server#23948)
   * Fix repair mimetype step to not leave stray cursors (server#23950)
   * Improve query type detection (server#23951)
   * Fix iLike() falsely turning escaped % and _ into wildcards (server#23954)
   * Replace some usages of OC_DB in OC\Share\* with query builder
     (server#23955)
   * Use query builder instead of OC_DB in trashbin (server#23971)
   * Fix greatest/least order for oracle (server#23975)
   * Fix link share label placeholder not showing (server#23992)
   * Unlock when promoting to exclusive lock fails (server#23995)
   * Make sure root storage is valid before checking its size (server#23996)
   * Use query builder instead of OC_DB in OC\Files\* (server#23998)
   * Shortcut to avoid file system setup when generating the logo URL
     (server#24001)
   * Remove old legacy scripts references (server#24004)
   * Fix js search in undefined ocs response (server#24012)
   * Don't leave cursors open (server#24033)
   * Fix sharing tab state not matching resharing admin settings
     (server#24044)
   * Run unit tests against oracle (server#24049)
   * Use png icons in caldav reminder emails (server#24050)
   * Manually iterate over calendardata when oracle is used (server#24058)
   * Make is_user_defined nullable so we can store false on oracle
     (server#24079)
   * Fix default internal expiration date enforce (server#24081)
   * Register new command db:add-missing-primary-keys (server#24106)
   * Convert the card resource to a string if necessary (server#24114)
   * Don't throw on SHOW VERSION query (server#24147)
   * Bump dompurify to 2.2.2 (server#24153)
   * Set up FS before querying storage info in settings (server#24156)
   * Fix default internal expiration date (server#24159)
   * CircleId too short in some request (server#24178)
   * Revert "circleId too short in some request" (server#24183)
   * Missing level in ScopedPsrLogger (server#24212)
   * Fix activity spinner on empty activity (activity#523)
   * Add OCI github action (activity#528)
   * Disable download button by default (files_pdfviewer#257)
   * Feat/dependabot ga/stable20 (firstrunwizard#442)
   * Fix loading notifications without a message on oracle (notifications#796)
   * Do not setup appdata in constructor to avoid errors causing the whole
     instance to stop working (text#1105)
   * Bump eslint-plugin-standard from 4.0.1 to 4.0.2 (text#1125)
   * Bump sass-loader from 10.0.1 to 10.0.5 (text#1134)
   * Bump webpack from 4.44.1 to 4.44.2 (text#1140)
   * Bump dependencies to version in range (text#1164)
   * Validate link on click (text#1166)
   * Add migration to fix oracle issues with the database schema (text#1177)
   * Bump cypress from 4.12.1 to 5.1.0 (text#1179)
   * Fix URL escaping of shared files (viewer#681)
   * Fix component click outside and cleanup structure (viewer#684)

   Update to 20.0.1

   No changelog from upstream at this time.

   Update to 20.0.0

   * Changes: The three biggest features we introduce with Nextcloud 20 are:
     - Our new dashboard provides a great starting point for the day with
       over a dozen widgets ranging from Twitter and Github to Moodle and
       Zammad already available
     - Search was unified, bringing search results of Nextcloud apps as well
       as external services like Gitlab, Jira and Discourse in one place
     - Talk introduced bridging to other platforms including MS Teams, Slack,
       IRC, Matrix and a dozen others
   * Some other improvements we want to highlight include:
       - Notifications and Activities were brought together, making sure you
         won't miss anything important
       - We added a "status" setting so you can communicate to other
         users what you are up to
       - Talk also brings dashboard and search integration, emoji picker,
         upload view, camera and microphone settings, mute and more
       - Calendar integrates in dashboard and search, introduced a list view
         and design improvements
       - Mail introduces threaded view, mailbox management and more
       - Deck integrates with dashboard and search, introduces Calendar
         integration, modal view for card editing and series of smaller
         improvements
       - Flow adds push notification and webhooks so other web apps can
         easily integrate with Nextcloud
       - Text introduced direct linking to files in Nextcloud
       - Files lets you add a description to public link shares
   + Read the full announcement on our blog
   - NC-SA-2020-037
   - CVE-2020-8295: Fixed a denial of service when resetting the password
     for a user (boo#1181804)
   - Update to 20.0.11
   - Fix boo#1188247 - CVE-2021-32678: OCS API response ratelimits are not
     applied
   - Fix boo#1188248 - CVE-2021-32679: filenames where not escaped by default
     in controllers using DownloadResponse
   - Fix boo#1188249 - CVE-2021-32680: share expiration date wasn't properly
     logged
   - Fix boo#1188250 - CVE-2021-32688: lacking permission check with
     application specific tokens
   - Fix boo#1188251 - CVE-2021-32703: lack of ratelimiting on the shareinfo
     endpoint
   - Fix boo#1188252 - CVE-2021-32705: lack of ratelimiting on the public DAV
     endpoint
   - Fix boo#1188253 - CVE-2021-32725: default share permissions were not
     being respected for federated reshares of files and folders   - Fix boo#1188254 - CVE-2021-32726: webauthn tokens were not deleted after
     a user has been deleted
   - Fix boo#1188255 - CVE-2021-32734: possible full path disclosure on
     shared files
   - Fix boo#1188256 - CVE-2021-32741: lack of ratelimiting on the public
     share link mount endpoint
   - Bump handlebars from 4.7.6 to 4.7.7 (server#26900)
   - Bump lodash from 4.17.20 to 4.17.21 (server#26909)
   - Bump hosted-git-info from 2.8.8 to 2.8.9 (server#26920)
   - Don't break OCC if an app is breaking in it's Application class
     (server#26954)
   - Add bruteforce protection to the shareinfo endpoint (server#26956)
   - Ignore readonly flag for directories (server#26965)
   - Throttle MountPublicLinkController when share is not found (server#26971)
   - Respect default share permissions for federated reshares (server#27001)
   - Harden apptoken check (server#27014)
   - Use parent wrapper to properly handle moves on the same source/target
     storage (server#27016)
   - Fix error when using CORS with no auth credentials (server#27027)
   - Fix return value of getStorageInfo when 'quota_include_external_storage'
     is enabled (server#27108)
   - Bump patch dependencies (server#27183)
   - Use noreply@ as email address for share emails (server#27209)
   - Bump p-queue from 6.6.1 to 6.6.2 (server#27226)
   - Bump browserslist from 4.14.0 to 4.16.6 (server#27247)
   - Bump webpack from 4.44.1 to 4.44.2 (server#27297)
   - Properly use limit and offset for search in Jail wrapper (server#27308)
   - Make user:report command scale (server#27319)
   - Properly log expiration date removal in audit log (server#27325)
   - Propagate throttling on OCS response (server#27337)
   - Set umask before operations that create local files (server#27349)
   - Escape filename in Content-Disposition (server#27360)
   - Don't update statuses to offline again and again (server#27412)
   - Header must contain a colon (server#27456)
   - Activate constraint check for oracle / pqsql also for 20 (server#27523)
   - Only allow removing existing shares that would not be allowed due to
     reshare restrictions (server#27552)
   - Bump ws from 7.3.1 to 7.5.0 (server#27570)
   - Properly cleanup entries of WebAuthn on user deletion (server#27596)
   - Throttle on public DAV endpoint (server#27617)
   - Bump vue-loader from 15.9.3 to 15.9.7 (server#27639)
   - Bump eslint-plugin-standard from 4.0.1 to 4.0.2 (server#27651)
   - Validate the theming color also on CLI (server#27680)
   - Downstream encryption:fix-encrypted-version for repairing bad signature
     errors (server#27728)
   - Remove encodeURI code (files_pdfviewer#396)
   - Only ask for permissions on HTTPS (notifications#998)
   - Fix sorting if one of the file name is only composed with number
     (photos#785)
   - Backport 20 fix Photos not shown in large browser windows #630 (#686)
     (photos#810)
   - Update File.vue (photos#813)
   - Update chart.js (serverinfo#309)
   - Only return workspace property for top node in a propfind request
     (text#1611)
   - ViewerComponent: pass on autofocus to EditorWrapper (text#1647)
   - Use text/plain as content type for fetching the document (text#1692)
   - Log exceptions that happen on unknown exception and return generic
     messages (text#1698)
   - Add fixup (viewer#924)
   - Fix: fullscreen for Firefox (viewer#929)

   Update to 20.0.7

   - Catch NotFoundException when querying quota (server#25315)
   - CalDAV] Validate notified emails (server#25324)
   - Fix/app fetcher php compat comparison (server#25347)
   - Show the actual error on share requests (server#25352)
   - Fix parameter provided as string not array (server#25366)
   - The objectid is a string (server#25374)
   - 20.0.7 final (server#25387)
   - Properly handle SMB ACL blocking scanning a directory (server#25421)
   - Don't break completely when creating the digest fail for one user
     (activity#556)
   - Only attempt to use a secure view if hide download is actually set
     (files_pdfviewer#296)
   - Fix opening PDF files with special characters in their name
     (files_pdfviewer#298)
   - Fix PDF viewer failing on Edge (not based on Chromium)
     (files_pdfviewer#299)
   - Cannot unfold plain text notifications (notifications#846)
   - Remove EPUB mimetype (text#1391)

   Update to 20.0.6

   - Make sure to do priority app upgrades first (server#25077)
   - Respect DB restrictions on number of arguments in statements and queries
     (server#25120)
   - Add a hint about the direction of priority (server#25143)
   - Do not redirect to logout after login (server#25146)
   - Fix comparison of PHP versions (server#25152)
   - Add "composer.lock" for acceptance tests to git (server#25178)
   - Update CRL due to revoked gravatar.crl (server#25190)
   - Don't log keys on checkSignature (server#25193)
   - Update 3rdparty after Archive_Tar (server#25199)
   - Bump CA bundle (server#25219)
   - Update handling of user credentials (server#25225)
   - Fix encoding issue with OC.Notification.show (server#25244)
   - Also use storage copy when dav copying directories (server#25261)
   - Silence log message (server#25263)
   - Extend ILDAPProvider to allow reading arbitrairy ldap attributes for
     users (server#25276)
   - Do not obtain userFolder of a federated user (server#25278)
   - Bump pear/archive_tar from 1.4.11 to 1.4.12 (3rdparty#603)
   - Add gitignore entry for .github folder of dependencies (3rdparty#604)
   - Clear event array on getting them (activity#551)

   Update to 20.0.5

   - Don't log params of imagecreatefromstring (server#24546)
   - Use storage copy implementation when doing dav copy (server#24590)
   - Use in objectstore copy (server#24592)
   - Add tel, note, org and title search (server#24697)
   - Check php compatibility of app store app releases (server#24698)
   - Fix #24682]: ensure federation cloud id is retruned if FN property not
     found (server#24709)
   - Do not include non-required scripts on the upgrade page (server#24714)
   - LDAP: fix inGroup for memberUid type of group memberships (server#24716)
   - Cancel user search requests to avoid duplicate results being added
     (server#24728)
   - Also unset the other possible unused paramters (server#24751)
   - Enables the file name check also to match name of mountpoints
     (server#24760)
   - Fixes sharing to group ids with characters that are being url encoded
     (server#24763)
   - Limit getIncomplete query to one row (server#24791)
   - Fix Argon2 descriptions (server#24792)
   - Actually set the TTL on redis set (server#24798)
   - Allow to force rename a conflicting calendar (server#24806)
   - Fix IPv6 localhost regex (server#24823)
   - Catch the error on heartbeat update (server#24826)
   - Make oc_files_trash.auto_id a bigint (server#24853)
   - Fix total upload size overwritten by next upload (server#24854)
   - Avoid huge exception argument logging (server#24876)
   - Make share results distinguishable if there are more than one with the
     exact same display name (server#24878)
   - Add migration for oc_share_external columns (server#24963)
   - Don't throw a 500 when importing a broken ics reminder file
     (server#24972)
   - Fix unreliable ViewTest (server#24976)
   - Update root.crl due to revocation of transmission.crt (server#24990)
   - Set the JSCombiner cache if needed (server#24997)
   - Fix column name to check prior to deleting (server#25009)
   - Catch throwable instead of exception (server#25013)
   - Set the user language when adding the footer (server#25019)
   - Change defaultapp in config.sample.php to dashboard to improve docs and
     align it to source code (server#25030)
   - Fix clearing the label of a share (server#25035)
   - Update psalm-baseline.xml (server#25066)
   - Don't remove assignable column for now (server#25074)
   - Add setup check to verify that the used DB version is still supported…
     (server#25076)
   - Correctly set the user for activity parsing when preparing a notifica…
     (activity#542)
   - Bump vue-virtual-grid from 2.2.1 to 2.3.0 (photos#597)
   - Catch possible database exceptions when fetching document data
     (text#1221)
   - Make sure we have the proper PHP version installed before running
     composer (text#1234)
   - Revert removal of transformResponse (text#1235)
   - Bump prosemirror-view from 1.16.1 to 1.16.5 (text#1255)
   - Bump @babel/preset-env from 7.12.1 to 7.12.11 (text#1257)
   - Bump babel-loader from 8.1.0 to 8.2.2 (text#1259)
   - Bump eslint-plugin-standard from 4.0.2 to 4.1.0 (text#1261)
   - Bump vue-loader from 15.9.5 to 15.9.6 (text#1263)
   - Bump prosemirror-model from 1.12.0 to 1.13.1 (text#1265)
   - Bump core-js from 3.7.0 to 3.8.1 (text#1266)
   - Bump stylelint from 13.7.2 to 13.8.0 (text#1269)
   - Bump @babel/plugin-transform-runtime from 7.12.1 to 7.12.10 (text#1271)
   - Bump sass-loader from 10.0.5 to 10.1.0 (text#1273)
   - Bump webpack-merge from 5.3.0 to 5.7.2 (text#1274)
   - Bump @babel/core from 7.12.3 to 7.12.10 (text#1277)
   - Bump cypress from 5.1.0 to 5.6.0 (text#1278)
   - Bump @vue/test-utils from 1.1.1 to 1.1.2 (text#1279)
   - Bump webpack-merge from 5.7.2 to 5.7.3 (text#1303)

   - The apache subpackage must require the main package, otherwise it will
     not be uninstalled when the main package is uninstalled.

   Update to 20.0.4

   - Avoid dashboard crash when accessibility app is not installed
     (server#24636)
   - Bump ini from 1.3.5 to 1.3.7 (server#24649)
   - Handle owncloud migration to latest release (server#24653)
   - Use string for storing a OCM remote id (server#24654)
   - Fix MySQL database size calculation (serverinfo#262)
   - Bump cypress-io/github-action@v2 (viewer#722)
   - Fix sidebar opening animation (viewer#723)
   - Fix not.exist cypress and TESTING checks (viewer#725)

   - Put apache configuration files in separate subpackage.

   - Use apache-rpm-macros for SUSE.
   - Change oc_* macros to nc_* macros.
   - Insert macro apache_serverroot also in cron files.

   Update to 20.0.3

   * Check quota of subdirectories when uploading to them (server#24181)
   * CircleId too short in some request (server#24196)
   * Missing level in ScopedPsrLogger (server#24212)
   * Fix nextcloud logo in email notifications misalignment (server#24228)
   * Allow selecting multiple columns with SELECT DISTINCT (server#24230)
   * Use file name instead of path in 'not allowed to share' message
     (server#24231)
   * Fix setting images through occ for theming (server#24232)
   * Use regex when searching on single file shares (server#24239)
   * Harden EncryptionLegacyCipher a bit (server#24249)
   * Update ScanLegacyFormat.php (server#24258)
   * Simple typo in comments (server#24259)
   * Use correct year for generated birthdays events (server#24263)
   * Delete files that exceed trashbin size immediately (server#24297)
   * Update sabre/xml to fix XML parsing errors (server#24311)
   * Only check path for being accessible when the storage is a object home
     (server#24325)
   * Avoid empty null default with value that will be inserted anyways
     (server#24333)
   * Fix contacts menu position and show uid as a tooltip (server#24342)
   * Fix the config key on the sharing expire checkbox (server#24346)
   * Set the display name of federated sharees from addressbook (server#24353)
   * Catch storage not available in versions expire command (server#24367)
   * Use proper bundles for files client and fileinfo (server#24377)
   * Properly encode path when fetching inherited shares (server#24387)
   * Formatting remote sharer should take protocol, path into account
     (server#24391)
   * Make sure we add new line between vcf groups exports (server#24443)
   * Fix public calendars shared to circles (server#24446)
   * Store scss variables under a different prefix for each theming config
     version (server#24453)
   * External storages: save group ids not display names in configuration
     (server#24455)
   * Use correct l10n source in files_sharing JS code (server#24462)
   * Set frame-ancestors to none if none are filled (server#24477)
   * Move the password fields of changing passwords to post (server#24478)
   * Move the global password for files external to post (server#24479)
   * Only attempt to move to trash if a file is not in appdata (server#24483)
   * Fix loading mtime of new file in conflict dialog in firefox
     (server#24491)
   * Harden setup check for TLS version if host is not reachable
     (server#24502)
   * Fix file size computation on 32bit platforms (server#24509)
   * Allow subscription to indicate that a userlimit is reached (server#24511)
   * Set mountid for personal external storage mounts (server#24513)
   * Only execute plain mimetype check for directories and do the fallback…
     (server#24517)
   * Fix vsprint parameter (server#24527)
   * Replace abandoned log normalizer with our fork (server#24530)
   * Add icon to user limit notification (server#24531)
   * Also run repair steps when encryption is disabled but a legacy key is
     present (server#24532)
   * [3rdparty][security] Archive TAR to 1.4.11 (server#24534)
   * Generate a new session id if the decrypting the session data fails
     (server#24553)
   * Revert "Do not read certificate bundle from data dir by default"
     (server#24556)
   * Don't use system composer for autoload checker (server#24557)
   * Remember me is not an app_password (server#24563)
   * Do not load nonexisting setup.js (server#24582)
   * Update sabre/xml to fix XML parsing errors (3rdparty#529)
   * Use composer v1 on CI (3rdparty#532)
   * Bump pear/archive_tar from 1.4.9 to 1.4.11 (3rdparty#536)
   * Replace abandoned log normalizer with our fork (3rdparty#543)
   * Allow nullable values as subject params (activity#535)
   * Don't log when unknown array is null (notifications#803)
   * Feat/virtual grid (photos#550)
   * Make sure we have a string to localecompare to (photos#583)
   * Always get recommendations for dashboard if enabled (recommendations#336)
   * Properly fetch oracle database information (serverinfo#258)
   * Also register to urlChanged event to update RichWorkspace (text#1181)
   * Move away from GET (text#1214)

   Update to 20.0.2

   * CVE-2020-8293: Fixed input validation which allowed users to store
     unlimited data in workflow rules (boo#1181445).
   * CVE-2020-8294: Fixed a missing link validation (boo#1181803).
   * Indicate preview availability in share api responses (server#23419)
   * CalDavBackend: check if timerange is array before accessing
     (server#23563)
   * Some emojis are in CHAR_CATEGORY_GENERAL_OTHER_TYPES (server#23575)
   * Also expire share type email (server#23583)
   * Only use index of mount point when it is there (server#23611)
   * Only retry fetching app store data once every 5 minutes in case it fails
     (server#23633)
   * Bring back the restore share button (server#23636)
   * Fix updates of NULL appconfig values (server#23641)
   * Fix sharing input placeholder for emails (server#23646)
   * Use bigint for fileid in filecache_extended (server#23690)
   * Enable theming background transparency (server#23699)
   * Fix sharer flag on ldap:show-remnants when user owned more than a single
     share (server#23702)
   * Make sure the function signatures of the backgroundjob match
     (server#23710)
   * Check if array elements exist before using them (server#23713)
   * Fix default quota display value in user row (server#23726)
   * Use lib instead of core as l10n module in OC_Files (server#23727)
   * Specify accept argument to avatar upload input field (server#23732)
   * Save email as lower case (server#23733)
   * Reset avatar cropper before showing (server#23736)
   * Also run the SabreAuthInitEvent for the main server (server#23745)
   * Type the \OCP\IUserManager::callForAllUsers closure with Psalm
     (server#23749)
   * Type the \OCP\AppFramework\Services\IInitialState::provideLazyInitial…
     (server#23751)
   * Don't overwrite the event if we use it later (server#23753)
   * Inform the user when flow config data exceeds thresholds (server#23759)
   * Type the \OCP\IUserManager::callForSeenUsers closure with Psalm
     (server#23763)
   * Catch errors when closing file conflict dialog (server#23774)
   * Document the backend registered events of LDAP (server#23779)
   * Fetch the logger and system config once for all query builder instances
     (server#23787)
   * Type the event dispatcher listener callables with Psalm (server#23789)
   * Only run phpunit when "php" changed (server#23794)
   * Remove bold font-weight and lower font-size for empty search box
     (server#23829)
   * No need to check if there is an avatar available, because it is gener…
     (server#23846)
   * Ensure filepicker list is empty before populating (server#23850)
   * UserStatus: clear status message if message is null (server#23858)
   * Fix grid view toggle in tags view (server#23874)
   * Restrict query when searching for versions of trashbin files
     (server#23884)
   * Fix potentially passing null to events where IUser is expected
     (server#23894)
   * Make user status styles scoped (server#23899)
   * Move help to separate stylesheet (server#23900)
   * Add default font size (server#23902)
   * Do not emit UserCreatedEvent twice (server#23917)
   * Bearer must be in the start of the auth header (server#23924)
   * Fix casting of integer and boolean on Oracle (server#23935)
   * Skip already loaded apps in loadApps (server#23948)
   * Fix repair mimetype step to not leave stray cursors (server#23950)
   * Improve query type detection (server#23951)
   * Fix iLike() falsely turning escaped % and _ into wildcards (server#23954)
   * Replace some usages of OC_DB in OC\Share\* with query builder
     (server#23955)
   * Use query builder instead of OC_DB in trashbin (server#23971)
   * Fix greatest/least order for oracle (server#23975)
   * Fix link share label placeholder not showing (server#23992)
   * Unlock when promoting to exclusive lock fails (server#23995)
   * Make sure root storage is valid before checking its size (server#23996)
   * Use query builder instead of OC_DB in OC\Files\* (server#23998)
   * Shortcut to avoid file system setup when generating the logo URL
     (server#24001)
   * Remove old legacy scripts references (server#24004)
   * Fix js search in undefined ocs response (server#24012)
   * Don't leave cursors open (server#24033)
   * Fix sharing tab state not matching resharing admin settings
     (server#24044)
   * Run unit tests against oracle (server#24049)
   * Use png icons in caldav reminder emails (server#24050)
   * Manually iterate over calendardata when oracle is used (server#24058)
   * Make is_user_defined nullable so we can store false on oracle
     (server#24079)
   * Fix default internal expiration date enforce (server#24081)
   * Register new command db:add-missing-primary-keys (server#24106)
   * Convert the card resource to a string if necessary (server#24114)
   * Don't throw on SHOW VERSION query (server#24147)
   * Bump dompurify to 2.2.2 (server#24153)
   * Set up FS before querying storage info in settings (server#24156)
   * Fix default internal expiration date (server#24159)
   * CircleId too short in some request (server#24178)
   * Revert "circleId too short in some request" (server#24183)
   * Missing level in ScopedPsrLogger (server#24212)
   * Fix activity spinner on empty activity (activity#523)
   * Add OCI github action (activity#528)
   * Disable download button by default (files_pdfviewer#257)
   * Feat/dependabot ga/stable20 (firstrunwizard#442)
   * Fix loading notifications without a message on oracle (notifications#796)
   * Do not setup appdata in constructor to avoid errors causing the whole
     instance to stop working (text#1105)
   * Bump eslint-plugin-standard from 4.0.1 to 4.0.2 (text#1125)
   * Bump sass-loader from 10.0.1 to 10.0.5 (text#1134)
   * Bump webpack from 4.44.1 to 4.44.2 (text#1140)
   * Bump dependencies to version in range (text#1164)
   * Validate link on click (text#1166)
   * Add migration to fix oracle issues with the database schema (text#1177)
   * Bump cypress from 4.12.1 to 5.1.0 (text#1179)
   * Fix URL escaping of shared files (viewer#681)
   * Fix component click outside and cleanup structure (viewer#684)

   Update to 20.0.1

   No changelog from upstream at this time.

   Update to 20.0.0

   * Changes: The three biggest features we introduce with Nextcloud 20 are:
     - Our new dashboard provides a great starting point for the day with
       over a dozen widgets ranging from Twitter and Github to Moodle and
       Zammad already available
     - Search was unified, bringing search results of Nextcloud apps as well
       as external services like Gitlab, Jira and Discourse in one place
     - Talk introduced bridging to other platforms including MS Teams, Slack,
       IRC, Matrix and a dozen others
   * Some other improvements we want to highlight include:
       - Notifications and Activities were brought together, making sure you
         won't miss anything important
       - We added a "status" setting so you can communicate to other
         users what you are up to
       - Talk also brings dashboard and search integration, emoji picker,
         upload view, camera and microphone settings, mute and more
       - Calendar integrates in dashboard and search, introduced a list view
         and design improvements
       - Mail introduces threaded view, mailbox management and more
       - Deck integrates with dashboard and search, introduces Calendar
         integration, modal view for card editing and series of smaller
         improvements
       - Flow adds push notification and webhooks so other web apps can
         easily integrate with Nextcloud
       - Text introduced direct linking to files in Nextcloud
       - Files lets you add a description to public link shares
   + Read the full announcement on our blog
   - NC-SA-2020-037
   - CVE-2020-8295: Fixed Denial of service attack when resetting the
     password for a user(boo#1181804)
   - Update to 20.0.11
   - Fix boo#1188247 - CVE-2021-32678: OCS API response ratelimits are not
     applied
   - Fix boo#1188248 - CVE-2021-32679: filenames were not escaped by default
     in controllers using DownloadResponse
   - Fix boo#1188249 - CVE-2021-32680: share expiration date wasn't properly
     logged
   - Fix boo#1188250 - CVE-2021-32688: lacking permission check with
     application specific tokens
   - Fix boo#1188251 - CVE-2021-32703: lack of ratelimiting on the shareinfo
     endpoint
   - Fix boo#1188252 - CVE-2021-32705: lack of ratelimiting on the public DAV
     endpoint
   - Fix boo#1188253 - CVE-2021-32725: default share permissions were not
     being respected for federated reshares of files and folders
   - Fix boo#1188254 - CVE-2021-32726: webauthn tokens were not deleted after
     a user has been deleted
   - Fix boo#1188255 - CVE-2021-32734: possible full path disclosure on
     shared files
   - Fix boo#1188256 - CVE-2021-32741: lack of ratelimiting on the public
     share link mount endpoint
   - Bump handlebars from 4.7.6 to 4.7.7 (server#26900)
   - Bump lodash from 4.17.20 to 4.17.21 (server#26909)
   - Bump hosted-git-info from 2.8.8 to 2.8.9 (server#26920)
   - Don't break OCC if an app is breaking in its Application class
     (server#26954)
   - Add bruteforce protection to the shareinfo endpoint (server#26956)
   - Ignore readonly flag for directories (server#26965)
   - Throttle MountPublicLinkController when share is not found (server#26971)
   - Respect default share permissions for federated reshares (server#27001)
   - Harden apptoken check (server#27014)
   - Use parent wrapper to properly handle moves on the same source/target
     storage (server#27016)
   - Fix error when using CORS with no auth credentials (server#27027)
   - Fix return value of getStorageInfo when 'quota_include_external_storage'
     is enabled (server#27108)
   - Bump patch dependencies (server#27183)
   - Use noreply@ as email address for share emails (server#27209)
   - Bump p-queue from 6.6.1 to 6.6.2 (server#27226)
   - Bump browserslist from 4.14.0 to 4.16.6 (server#27247)
   - Bump webpack from 4.44.1 to 4.44.2 (server#27297)
   - Properly use limit and offset for search in Jail wrapper (server#27308)
   - Make user:report command scale (server#27319)
   - Properly log expiration date removal in audit log (server#27325)
   - Propagate throttling on OCS response (server#27337)
   - Set umask before operations that create local files (server#27349)
   - Escape filename in Content-Disposition (server#27360)
   - Don't update statuses to offline again and again (server#27412)
   - Header must contain a colon (server#27456)
   - Activate constraint check for oracle / pqsql also for 20 (server#27523)
   - Only allow removing existing shares that would not be allowed due to
     reshare restrictions (server#27552)
   - Bump ws from 7.3.1 to 7.5.0 (server#27570)
   - Properly cleanup entries of WebAuthn on user deletion (server#27596)
   - Throttle on public DAV endpoint (server#27617)
   - Bump vue-loader from 15.9.3 to 15.9.7 (server#27639)
   - Bump eslint-plugin-standard from 4.0.1 to 4.0.2 (server#27651)
   - Validate the theming color also on CLI (server#27680)
   - Downstream encryption:fix-encrypted-version for repairing bad signature
     errors (server#27728)
   - Remove encodeURI code (files_pdfviewer#396)
   - Only ask for permissions on HTTPS (notifications#998)
   - Fix sorting if one of the file names is composed only of numbers
     (photos#785)
   - Backport 20 fix Photos not shown in large browser windows #630 (#686)
     (photos#810)
   - Update File.vue (photos#813)
   - Update chart.js (serverinfo#309)
   - Only return workspace property for top node in a propfind request
     (text#1611)
   - ViewerComponent: pass on autofocus to EditorWrapper (text#1647)
   - Use text/plain as content type for fetching the document (text#1692)
   - Log exceptions that happen on unknown exception and return generic
     messages (text#1698)
   - Add fixup (viewer#924)
   - Fix: fullscreen for Firefox (viewer#929)


Patch Instructions:

   To install this openSUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - openSUSE Leap 15.2:

      zypper in -t patch openSUSE-2021-1068=1

   - openSUSE Backports SLE-15-SP3:

      zypper in -t patch openSUSE-2021-1068=1

   - openSUSE Backports SLE-15-SP2:

      zypper in -t patch openSUSE-2021-1068=1

   - openSUSE Backports SLE-15-SP1:

      zypper in -t patch openSUSE-2021-1068=1



Package List:

   - openSUSE Leap 15.2 (noarch):

      nextcloud-20.0.11-lp152.3.9.1
      nextcloud-apache-20.0.11-lp152.3.9.1

   - openSUSE Backports SLE-15-SP3 (noarch):

      nextcloud-20.0.11-bp153.2.3.1
      nextcloud-apache-20.0.11-bp153.2.3.1

   - openSUSE Backports SLE-15-SP2 (noarch):

      nextcloud-20.0.11-bp152.2.9.1
      nextcloud-apache-20.0.11-bp152.2.9.1

   - openSUSE Backports SLE-15-SP1 (noarch):

      nextcloud-20.0.11-bp151.3.15.1
      nextcloud-apache-20.0.11-bp151.3.15.1


References:

   https://www.suse.com/security/cve/CVE-2020-8293.html
   https://www.suse.com/security/cve/CVE-2020-8294.html
   https://www.suse.com/security/cve/CVE-2020-8295.html
   https://www.suse.com/security/cve/CVE-2021-32678.html
   https://www.suse.com/security/cve/CVE-2021-32679.html
   https://www.suse.com/security/cve/CVE-2021-32680.html
   https://www.suse.com/security/cve/CVE-2021-32688.html
   https://www.suse.com/security/cve/CVE-2021-32703.html
   https://www.suse.com/security/cve/CVE-2021-32705.html
   https://www.suse.com/security/cve/CVE-2021-32725.html
   https://www.suse.com/security/cve/CVE-2021-32726.html
   https://www.suse.com/security/cve/CVE-2021-32734.html
   https://www.suse.com/security/cve/CVE-2021-32741.html
   https://bugzilla.suse.com/1181445
   https://bugzilla.suse.com/1181803
   https://bugzilla.suse.com/1181804
   https://bugzilla.suse.com/1188247
   https://bugzilla.suse.com/1188248
   https://bugzilla.suse.com/1188249
   https://bugzilla.suse.com/1188250
   https://bugzilla.suse.com/1188251
   https://bugzilla.suse.com/1188252
   https://bugzilla.suse.com/1188253
   https://bugzilla.suse.com/1188254
   https://bugzilla.suse.com/1188255
   https://bugzilla.suse.com/1188256

openSUSE: 2021:1068-1 important: nextcloud

July 20, 2021
An update that fixes 13 vulnerabilities is now available

* Inidicate preview availability in share api responses (server#23419) * CalDavBackend: check if timerange is array before accessing (server#23563) * Some emojis are in CHAR_CATEGORY_GENERAL_OTHER_TYPES (server#23575) * Also expire share type email (server#23583) * Only use index of mount point when it is there (server#23611) * Only retry fetching app store data once every 5 minutes in case it fails (server#23633) * Bring back the restore share button (server#23636) * Fix updates of NULL appconfig values (server#23641) * Fix sharing input placeholder for emails (server#23646) * Use bigint for fileid in filecache_extended (server#23690) * Enable theming background transparency (server#23699) * Fix sharer flag on ldap:show-remnants when user owned more than a single share (server#23702) * Make sure the function signatures of the backgroundjob match (server#23710) * Check if array elements exist before using them (server#23713) * Fix default quota display value in user row (server#23726) * Use lib instead if core as l10n module in OC_Files (server#23727) * Specify accept argument to avatar upload input field (server#23732) * Save email as lower case (server#23733) * Reset avatar cropper before showing (server#23736) * Also run the SabreAuthInitEvent for the main server (server#23745) * Type the \OCP\IUserManager::callForAllUsers closure with Psalm (server#23749) * Type the \OCP\AppFramework\Services\IInitialState::provideLazyInitial??? 
(server#23751) * Don't overwrite the event if we use it later (server#23753) * Inform the user when flow config data exceeds thresholds (server#23759) * Type the \OCP\IUserManager::callForSeenUsers closure with Psalm (server#23763) * Catch errors when closing file conflict dialog (server#23774) * Document the backend registered events of LDAP (server#23779) * Fetch the logger and system config once for all query builder instances (server#23787) * Type the event dispatcher listener callables with Psalm (server#23789) * Only run phpunit when "php" changed (server#23794) * Remove bold font-weight and lower font-size for empty search box (server#23829) * No need to check if there is an avatar available, because it is gener??? (server#23846) * Ensure filepicker list is empty before populating (server#23850) * UserStatus: clear status message if message is null (server#23858) * Fix grid view toggle in tags view (server#23874) * Restrict query when searching for versions of trashbin files (server#23884) * Fix potentially passing null to events where IUser is expected (server#23894) * Make user status styles scoped (server#23899) * Move help to separate stylesheet (server#23900) * Add default font size (server#23902) * Do not emit UserCreatedEvent twice (server#23917) * Bearer must be in the start of the auth header (server#23924) * Fix casting of integer and boolean on Oracle (server#23935) * Skip already loaded apps in loadApps (server#23948) * Fix repair mimetype step to not leave stray cursors (server#23950) * Improve query type detection (server#23951) * Fix iLike() falsely turning escaped % and _ into wildcards (server#23954) * Replace some usages of OC_DB in OC\Share\* with query builder (server#23955) * Use query builder instead of OC_DB in trashbin (server#23971) * Fix greatest/least order for oracle (server#23975) * Fix link share label placeholder not showing (server#23992) * Unlock when promoting to exclusive lock fails (server#23995) * Make sure root storage 
is valid before checking its size (server#23996) * Use query builder instead of OC_DB in OC\Files\* (server#23998) * Shortcut to avoid file system setup when generating the logo URL (server#24001) * Remove old legacy scripts references (server#24004) * Fix js search in undefined ocs response (server#24012) * Don't leave cursors open (server#24033) * Fix sharing tab state not matching resharing admin settings (server#24044) * Run unit tests against oracle (server#24049) * Use png icons in caldav reminder emails (server#24050) * Manually iterate over calendardata when oracle is used (server#24058) * Make is_user_defined nullable so we can store false on oracle (server#24079) * Fix default internal expiration date enforce (server#24081) * Register new command db:add-missing-primary-keys (server#24106) * Convert the card resource to a string if necessary (server#24114) * Don't throw on SHOW VERSION query (server#24147) * Bump dompurify to 2.2.2 (server#24153) * Set up FS before querying storage info in settings (server#24156) * Fix default internal expiration date (server#24159) * CircleId too short in some request (server#24178) * Revert "circleId too short in some request" (server#24183) * Missing level in ScopedPsrLogger (server#24212) * Fix activity spinner on empty activity (activity#523) * Add OCI github action (activity#528) * Disable download button by default (files_pdfviewer#257) * Feat/dependabot ga/stable20 (firstrunwizard#442) * Fix loading notifications without a message on oracle (notifications#796) * Do not setup appdata in constructor to avoid errors causing the whole instance to stop working (text#1105) * Bump eslint-plugin-standard from 4.0.1 to 4.0.2 (text#1125) * Bump sass-loader from 10.0.1 to 10.0.5 (text#1134) * Bump webpack from 4.44.1 to 4.44.2 (text#1140) * Bump dependencies to version in range (text#1164) * Validate link on click (text#1166) * Add migration to fix oracle issues with the database schema (text#1177) * Bump cypress from 4.12.1 
to 5.1.0 (text#1179) * Fix URL escaping of shared files (viewer#681) * Fix component click outside and cleanup structure (viewer#684) Update to 20.0.1 No changelog from upstream at this time. Update to 20.0.0 * Changes The three biggest features we introduce with Nextcloud 20 are: - Our new dashboard provides a great starting point for the day with over a dozen widgets ranging from Twitter and Github to Moodle and Zammad already available - Search was unified, bringing search results of Nextcloud apps as well as external services like Gitlab, Jira and Discourse in one place - Talk introduced bridging to other platforms including MS Teams, Slack, IRC, Matrix and a dozen others * Some other improvements we want to highlight include: - Notifications and Activities were brought together, making sure you won???t miss anything important - We added a ???status??? setting so you can communicate to other users what you are up to - Talk also brings dashboard and search integration, emoji picker, upload view, camera and microphone settings, mute and more - Calendar integrates in dashboard and search, introduced a list view and design improvements - Mail introduces threaded view, mailbox management and more - Deck integrates with dashboard and search, introduces Calendar integration, modal view for card editing and series of smaller improvements - Flow adds push notification and webhooks so other web apps can easily integrate with Nextcloud - Text introduced direct linking to files in Nextcloud - Files lets you add a description to public link shares + Read the full announcement on our blog - NC-SA-2020-037 - CVE-2020-8295: Fixed Denial of service attack when resetting the password for a user(boo#1181804) - Update to 20.0.11 - Fix boo#1188247 - CVE-2021-32678: OCS API response ratelimits are not applied - Fix boo#1188248 - CVE-2021-32679: filenames where not escaped by default in controllers using DownloadResponse - Fix boo#1188249 - CVE-2021-32680: share expiration date 
wasn't properly logged - Fix boo#1188250 - CVE-2021-32688: lacking permission check with application specific tokens - Fix boo#1188251 - CVE-2021-32703: lack of ratelimiting on the shareinfo endpoint - Fix boo#1188252 - CVE-2021-32705: lack of ratelimiting on the public DAV endpoint - Fix boo#1188253 - CVE-2021-32725: default share permissions were not being respected for federated reshares of files and folders - Fix boo#1188254 - CVE-2021-32726: webauthn tokens were not deleted after a user has been deleted - Fix boo#1188255 - CVE-2021-32734: possible full path disclosure on shared files - Fix boo#1188256 - CVE-2021-32741: lack of ratelimiting on the public share link mount endpoint - Bump handlebars from 4.7.6 to 4.7.7 (server#26900) - Bump lodash from 4.17.20 to 4.17.21 (server#26909) - Bump hosted-git-info from 2.8.8 to 2.8.9 (server#26920) - Don't break OCC if an app is breaking in it's Application class (server#26954) - Add bruteforce protection to the shareinfo endpoint (server#26956) - Ignore readonly flag for directories (server#26965) - Throttle MountPublicLinkController when share is not found (server#26971) - Respect default share permissions for federated reshares (server#27001) - Harden apptoken check (server#27014) - Use parent wrapper to properly handle moves on the same source/target storage (server#27016) - Fix error when using CORS with no auth credentials (server#27027) - Fix return value of getStorageInfo when 'quota_include_external_storage' is enabled (server#27108) - Bump patch dependencies (server#27183) - Use noreply@ as email address for share emails (server#27209) - Bump p-queue from 6.6.1 to 6.6.2 (server#27226) - Bump browserslist from 4.14.0 to 4.16.6 (server#27247) - Bump webpack from 4.44.1 to 4.44.2 (server#27297) - Properly use limit and offset for search in Jail wrapper (server#27308) - Make user:report command scale (server#27319) - Properly log expiration date removal in audit log (server#27325) - Propagate throttling on OCS 
response (server#27337) - Set umask before operations that create local files (server#27349) - Escape filename in Content-Disposition (server#27360) - Don't update statuses to offline again and again (server#27412) - Header must contain a colon (server#27456) - Activate constraint check for oracle / pqsql also for 20 (server#27523) - Only allow removing existing shares that would not be allowed due to reshare restrictions (server#27552) - Bump ws from 7.3.1 to 7.5.0 (server#27570) - Properly cleanup entries of WebAuthn on user deletion (server#27596) - Throttle on public DAV endpoint (server#27617) - Bump vue-loader from 15.9.3 to 15.9.7 (server#27639) - Bump eslint-plugin-standard from 4.0.1 to 4.0.2 (server#27651) - Validate the theming color also on CLI (server#27680) - Downstream encryption:fix-encrypted-version for repairing bad signature errors (server#27728) - Remove encodeURI code (files_pdfviewer#396) - Only ask for permissions on HTTPS (notifications#998) - Fix sorting if one of the file name is only composed with number (photos#785) - Backport 20 fix Photos not shown in large browser windows #630 (#686) (photos#810) - Update File.vue (photos#813) - Update chart.js (serverinfo#309) - Only return workspace property for top node in a propfind request (text#1611) - ViewerComponent: pass on autofocus to EditorWrapper (text#1647) - Use text/plain as content type for fetching the document (text#1692) - Log exceptions that happen on unknown exception and return generic messages (text#1698) - Add fixup (viewer#924) - Fix: fullscreen for Firefox (viewer#929) Update to 20.0.7 - Catch NotFoundException when querying quota (server#25315) - CalDAV] Validate notified emails (server#25324) - Fix/app fetcher php compat comparison (server#25347) - Show the actual error on share requests (server#25352) - Fix parameter provided as string not array (server#25366) - The objectid is a string (server#25374) - 20.0.7 final (server#25387) - Properly handle SMB ACL blocking 
scanning a directory (server#25421) - Don't break completely when creating the digest fail for one user (activity#556) - Only attempt to use a secure view if hide download is actually set (files_pdfviewer#296) - Fix opening PDF files with special characters in their name (files_pdfviewer#298) - Fix PDF viewer failing on Edge (not based on Chromium) (files_pdfviewer#299) - Cannot unfold plain text notifications (notifications#846) - Remove EPUB mimetype (text#1391) Update to 20.0.6 - Make sure to do priority app upgrades first (server#25077) - Respect DB restrictions on number of arguments in statements and queries (server#25120) - Add a hint about the direction of priority (server#25143) - Do not redirect to logout after login (server#25146) - Fix comparison of PHP versions (server#25152) - Add "composer.lock" for acceptance tests to git (server#25178) - Update CRL due to revoked gravatar.crl (server#25190) - Don't log keys on checkSignature (server#25193) - Update 3rdparty after Archive_Tar (server#25199) - Bump CA bundle (server#25219) - Update handling of user credentials (server#25225) - Fix encoding issue with OC.Notification.show (server#25244) - Also use storage copy when dav copying directories (server#25261) - Silence log message (server#25263) - Extend ILDAPProvider to allow reading arbitrairy ldap attributes for users (server#25276) - Do not obtain userFolder of a federated user (server#25278) - Bump pear/archive_tar from 1.4.11 to 1.4.12 (3rdparty#603) - Add gitignore entry for .github folder of dependencies (3rdparty#604) - Clear event array on getting them (activity#551) Update to 20.0.5 - Don't log params of imagecreatefromstring (server#24546) - Use storage copy implementation when doing dav copy (server#24590) - Use in objectstore copy (server#24592) - Add tel, note, org and title search (server#24697) - Check php compatibility of app store app releases (server#24698) - Fix #24682]: ensure federation cloud id is retruned if FN property not found 
(server#24709) - Do not include non-required scripts on the upgrade page (server#24714) - LDAP: fix inGroup for memberUid type of group memberships (server#24716) - Cancel user search requests to avoid duplicate results being added (server#24728) - Also unset the other possible unused paramters (server#24751) - Enables the file name check also to match name of mountpoints (server#24760) - Fixes sharing to group ids with characters that are being url encoded (server#24763) - Limit getIncomplete query to one row (server#24791) - Fix Argon2 descriptions (server#24792) - Actually set the TTL on redis set (server#24798) - Allow to force rename a conflicting calendar (server#24806) - Fix IPv6 localhost regex (server#24823) - Catch the error on heartbeat update (server#24826) - Make oc_files_trash.auto_id a bigint (server#24853) - Fix total upload size overwritten by next upload (server#24854) - Avoid huge exception argument logging (server#24876) - Make share results distinguishable if there are more than one with the exact same display name (server#24878) - Add migration for oc_share_external columns (server#24963) - Don't throw a 500 when importing a broken ics reminder file (server#24972) - Fix unreliable ViewTest (server#24976) - Update root.crl due to revocation of transmission.crt (server#24990) - Set the JSCombiner cache if needed (server#24997) - Fix column name to check prior to deleting (server#25009) - Catch throwable instead of exception (server#25013) - Set the user language when adding the footer (server#25019) - Change defaultapp in config.sample.php to dashboard to improve docs and align it to source code (server#25030) - Fix clearing the label of a share (server#25035) - Update psalm-baseline.xml (server#25066) - Don't remove assignable column for now (server#25074) - Add setup check to verify that the used DB version is still supported??? (server#25076) - Correctly set the user for activity parsing when preparing a notifica??? 
(activity#542) - Bump vue-virtual-grid from 2.2.1 to 2.3.0 (photos#597) - Catch possible database exceptions when fetching document data (text#1221) - Make sure we have the proper PHP version installed before running composer (text#1234) - Revert removal of transformResponse (text#1235) - Bump prosemirror-view from 1.16.1 to 1.16.5 (text#1255) - Bump @babel/preset-env from 7.12.1 to 7.12.11 (text#1257) - Bump babel-loader from 8.1.0 to 8.2.2 (text#1259) - Bump eslint-plugin-standard from 4.0.2 to 4.1.0 (text#1261) - Bump vue-loader from 15.9.5 to 15.9.6 (text#1263) - Bump prosemirror-model from 1.12.0 to 1.13.1 (text#1265) - Bump core-js from 3.7.0 to 3.8.1 (text#1266) - Bump stylelint from 13.7.2 to 13.8.0 (text#1269) - Bump @babel/plugin-transform-runtime from 7.12.1 to 7.12.10 (text#1271) - Bump sass-loader from 10.0.5 to 10.1.0 (text#1273) - Bump webpack-merge from 5.3.0 to 5.7.2 (text#1274) - Bump @babel/core from 7.12.3 to 7.12.10 (text#1277) - Bump cypress from 5.1.0 to 5.6.0 (text#1278) - Bump @vue/test-utils from 1.1.1 to 1.1.2 (text#1279) - Bump webpack-merge from 5.7.2 to 5.7.3 (text#1303) - The apache subpackage must require the main package, otherwise it will not be uninstalled when the main package is uninstalled. Update to 20.0.4 - Avoid dashboard crash when accessibility app is not installed (server#24636) - Bump ini from 1.3.5 to 1.3.7 (server#24649) - Handle owncloud migration to latest release (server#24653) - Use string for storing a OCM remote id (server#24654) - Fix MySQL database size calculation (serverinfo#262) - Bump cypress-io/github-action@v2 (viewer#722) - Fix] sidebar opening animation (viewer#723) - Fix not.exist cypress and TESTING checks (viewer#725) - Put apache configuration files in separate subpackage. - Use apache-rpm-macros for SUSE. - Change oc_* macros to nc_* macros. - Insert macro apache_serverroot also in cron files. 
Update to 20.0.3 * Check quota of subdirectories when uploading to them (server#24181) * CircleId too short in some request (server#24196) * Missing level in ScopedPsrLogger (server#24212) * Fix nextcloud logo in email notifications misalignment (server#24228) * Allow selecting multiple columns with SELECT DISTINCT (server#24230) * Use file name instead of path in 'not allowed to share' message (server#24231) * Fix setting images through occ for theming (server#24232) * Use regex when searching on single file shares (server#24239) * Harden EncryptionLegacyCipher a bit (server#24249) * Update ScanLegacyFormat.php (server#24258) * Simple typo in comments (server#24259) * Use correct year for generated birthdays events (server#24263) * Delete files that exceed trashbin size immediately (server#24297) * Update sabre/xml to fix XML parsing errors (server#24311) * Only check path for being accessible when the storage is a object home (server#24325) * Avoid empty null default with value that will be inserted anyways (server#24333) * Fix contacts menu position and show uid as a tooltip (server#24342) * Fix the config key on the sharing expire checkbox (server#24346) * Set the display name of federated sharees from addressbook (server#24353) * Catch storage not available in versions expire command (server#24367) * Use proper bundles for files client and fileinfo (server#24377) * Properly encode path when fetching inherited shares (server#24387) * Formatting remote sharer should take protocol, path into account (server#24391) * Make sure we add new line between vcf groups exports (server#24443) * Fix public calendars shared to circles (server#24446) * Store scss variables under a different prefix for each theming config version (server#24453) * External storages: save group ids not display names in configuration (server#24455) * Use correct l10n source in files_sharing JS code (server#24462) * Set frame-ancestors to none if none are filled (server#24477) * Move the password 
fiels of chaging passwords to post (server#24478) * Move the global password for files external to post (server#24479) * Only attempt to move to trash if a file is not in appdata (server#24483) * Fix loading mtime of new file in conflict dialog in firefox (server#24491) * Harden setup check for TLS version if host is not reachable (server#24502) * Fix file size computation on 32bit platforms (server#24509) * Allow subscription to indicate that a userlimit is reached (server#24511) * Set mountid for personal external storage mounts (server#24513) * Only execute plain mimetype check for directories and do the fallback??? (server#24517) * Fix vsprint parameter (server#24527) * Replace abandoned log normalizer with our fork (server#24530) * Add icon to user limit notification (server#24531) * Also run repair steps when encryption is disabled but a legacy key is present (server#24532) * [3rdparty][security] Archive TAR to 1.4.11 (server#24534) * Generate a new session id if the decrypting the session data fails (server#24553) * Revert "Do not read certificate bundle from data dir by default" (server#24556) * Dont use system composer for autoload checker (server#24557) * Remember me is not an app_password (server#24563) * Do not load nonexisting setup.js (server#24582) * Update sabre/xml to fix XML parsing errors (3rdparty#529) * Use composer v1 on CI (3rdparty#532) * Bump pear/archive_tar from 1.4.9 to 1.4.11 (3rdparty#536) * Replace abandoned log normalizer with our fork (3rdparty#543) * Allow nullable values as subject params (activity#535) * Don't log when unknown array is null (notifications#803) * Feat/virtual grid (photos#550) * Make sure we have a string to localecompare to (photos#583) * Always get recommendations for dashboard if enabled (recommendations#336) * Properly fetch oracle database information (serverinfo#258) * Also register to urlChanged event to update RichWorkspace (text#1181) * Move away from GET (text#1214) Update to 20.0.2 * CVE-2020-8293: 
Fixed input validation which allowed users to store unlimited data in workflow rules (boo#1181445). * CVE-2020-8294: Fixed a missing link validation (boo#1181803). * Inidicate preview availability in share api responses (server#23419) * CalDavBackend: check if timerange is array before accessing (server#23563) * Some emojis are in CHAR_CATEGORY_GENERAL_OTHER_TYPES (server#23575) * Also expire share type email (server#23583) * Only use index of mount point when it is there (server#23611) * Only retry fetching app store data once every 5 minutes in case it fails (server#23633) * Bring back the restore share button (server#23636) * Fix updates of NULL appconfig values (server#23641) * Fix sharing input placeholder for emails (server#23646) * Use bigint for fileid in filecache_extended (server#23690) * Enable theming background transparency (server#23699) * Fix sharer flag on ldap:show-remnants when user owned more than a single share (server#23702) * Make sure the function signatures of the backgroundjob match (server#23710) * Check if array elements exist before using them (server#23713) * Fix default quota display value in user row (server#23726) * Use lib instead if core as l10n module in OC_Files (server#23727) * Specify accept argument to avatar upload input field (server#23732) * Save email as lower case (server#23733) * Reset avatar cropper before showing (server#23736) * Also run the SabreAuthInitEvent for the main server (server#23745) * Type the \OCP\IUserManager::callForAllUsers closure with Psalm (server#23749) * Type the \OCP\AppFramework\Services\IInitialState::provideLazyInitial??? 
(server#23751) * Don't overwrite the event if we use it later (server#23753) * Inform the user when flow config data exceeds thresholds (server#23759) * Type the \OCP\IUserManager::callForSeenUsers closure with Psalm (server#23763) * Catch errors when closing file conflict dialog (server#23774) * Document the backend registered events of LDAP (server#23779) * Fetch the logger and system config once for all query builder instances (server#23787) * Type the event dispatcher listener callables with Psalm (server#23789) * Only run phpunit when "php" changed (server#23794) * Remove bold font-weight and lower font-size for empty search box (server#23829) * No need to check if there is an avatar available, because it is gener??? (server#23846) * Ensure filepicker list is empty before populating (server#23850) * UserStatus: clear status message if message is null (server#23858) * Fix grid view toggle in tags view (server#23874) * Restrict query when searching for versions of trashbin files (server#23884) * Fix potentially passing null to events where IUser is expected (server#23894) * Make user status styles scoped (server#23899) * Move help to separate stylesheet (server#23900) * Add default font size (server#23902) * Do not emit UserCreatedEvent twice (server#23917) * Bearer must be in the start of the auth header (server#23924) * Fix casting of integer and boolean on Oracle (server#23935) * Skip already loaded apps in loadApps (server#23948) * Fix repair mimetype step to not leave stray cursors (server#23950) * Improve query type detection (server#23951) * Fix iLike() falsely turning escaped % and _ into wildcards (server#23954) * Replace some usages of OC_DB in OC\Share\* with query builder (server#23955) * Use query builder instead of OC_DB in trashbin (server#23971) * Fix greatest/least order for oracle (server#23975) * Fix link share label placeholder not showing (server#23992) * Unlock when promoting to exclusive lock fails (server#23995) * Make sure root storage 
is valid before checking its size (server#23996) * Use query builder instead of OC_DB in OC\Files\* (server#23998) * Shortcut to avoid file system setup when generating the logo URL (server#24001) * Remove old legacy scripts references (server#24004) * Fix js search in undefined ocs response (server#24012) * Don't leave cursors open (server#24033) * Fix sharing tab state not matching resharing admin settings (server#24044) * Run unit tests against oracle (server#24049) * Use png icons in caldav reminder emails (server#24050) * Manually iterate over calendardata when oracle is used (server#24058) * Make is_user_defined nullable so we can store false on oracle (server#24079) * Fix default internal expiration date enforce (server#24081) * Register new command db:add-missing-primary-keys (server#24106) * Convert the card resource to a string if necessary (server#24114) * Don't throw on SHOW VERSION query (server#24147) * Bump dompurify to 2.2.2 (server#24153) * Set up FS before querying storage info in settings (server#24156) * Fix default internal expiration date (server#24159) * CircleId too short in some request (server#24178) * Revert "circleId too short in some request" (server#24183) * Missing level in ScopedPsrLogger (server#24212) * Fix activity spinner on empty activity (activity#523) * Add OCI github action (activity#528) * Disable download button by default (files_pdfviewer#257) * Feat/dependabot ga/stable20 (firstrunwizard#442) * Fix loading notifications without a message on oracle (notifications#796) * Do not setup appdata in constructor to avoid errors causing the whole instance to stop working (text#1105) * Bump eslint-plugin-standard from 4.0.1 to 4.0.2 (text#1125) * Bump sass-loader from 10.0.1 to 10.0.5 (text#1134) * Bump webpack from 4.44.1 to 4.44.2 (text#1140) * Bump dependencies to version in range (text#1164) * Validate link on click (text#1166) * Add migration to fix oracle issues with the database schema (text#1177) * Bump cypress from 4.12.1 
     to 5.1.0 (text#1179)
   * Fix URL escaping of shared files (viewer#681)
   * Fix component click outside and cleanup structure (viewer#684)

   Update to 20.0.1

   No changelog from upstream at this time.

   Update to 20.0.0

   * Changes

     The three biggest features we introduce with Nextcloud 20 are:
     - Our new dashboard provides a great starting point for the day with over
       a dozen widgets ranging from Twitter and Github to Moodle and Zammad
       already available
     - Search was unified, bringing search results of Nextcloud apps as well as
       external services like Gitlab, Jira and Discourse in one place
     - Talk introduced bridging to other platforms including MS Teams, Slack,
       IRC, Matrix and a dozen others

   * Some other improvements we want to highlight include:
     - Notifications and Activities were brought together, making sure you
       won't miss anything important
     - We added a "status" setting so you can communicate to other users what
       you are up to
     - Talk also brings dashboard and search integration, emoji picker, upload
       view, camera and microphone settings, mute and more
     - Calendar integrates in dashboard and search, introduced a list view and
       design improvements
     - Mail introduces threaded view, mailbox management and more
     - Deck integrates with dashboard and search, introduces Calendar
       integration, modal view for card editing and series of smaller
       improvements
     - Flow adds push notification and webhooks so other web apps can easily
       integrate with Nextcloud
     - Text introduced direct linking to files in Nextcloud
     - Files lets you add a description to public link shares
     + Read the full announcement on our blog

   - NC-SA-2020-037 - CVE-2020-8295: Fixed Denial of service attack when
     resetting the password for a user (boo#1181804)

   - Update to 20.0.11
   - Fix boo#1188247 - CVE-2021-32678: OCS API response ratelimits are not
     applied
   - Fix boo#1188248 - CVE-2021-32679: filenames were not escaped by default
     in controllers using DownloadResponse
   - Fix boo#1188249 - CVE-2021-32680: share expiration date wasn't properly
     logged
   - Fix boo#1188250 - CVE-2021-32688: lacking permission check with
     application specific tokens
   - Fix boo#1188251 - CVE-2021-32703: lack of ratelimiting on the shareinfo
     endpoint
   - Fix boo#1188252 - CVE-2021-32705: lack of ratelimiting on the public DAV
     endpoint
   - Fix boo#1188253 - CVE-2021-32725: default share permissions were not
     being respected for federated reshares of files and folders
   - Fix boo#1188254 - CVE-2021-32726: webauthn tokens were not deleted after
     a user has been deleted
   - Fix boo#1188255 - CVE-2021-32734: possible full path disclosure on shared
     files
   - Fix boo#1188256 - CVE-2021-32741: lack of ratelimiting on the public
     share link mount endpoint
   - Bump handlebars from 4.7.6 to 4.7.7 (server#26900)
   - Bump lodash from 4.17.20 to 4.17.21 (server#26909)
   - Bump hosted-git-info from 2.8.8 to 2.8.9 (server#26920)
   - Don't break OCC if an app is breaking in its Application class
     (server#26954)
   - Add bruteforce protection to the shareinfo endpoint (server#26956)
   - Ignore readonly flag for directories (server#26965)
   - Throttle MountPublicLinkController when share is not found (server#26971)
   - Respect default share permissions for federated reshares (server#27001)
   - Harden apptoken check (server#27014)
   - Use parent wrapper to properly handle moves on the same source/target
     storage (server#27016)
   - Fix error when using CORS with no auth credentials (server#27027)
   - Fix return value of getStorageInfo when 'quota_include_external_storage'
     is enabled (server#27108)
   - Bump patch dependencies (server#27183)
   - Use noreply@ as email address for share emails (server#27209)
   - Bump p-queue from 6.6.1 to 6.6.2 (server#27226)
   - Bump browserslist from 4.14.0 to 4.16.6 (server#27247)
   - Bump webpack from 4.44.1 to 4.44.2 (server#27297)
   - Properly use limit and offset for search in Jail wrapper (server#27308)
   - Make user:report command scale (server#27319)
   - Properly log expiration date removal in audit log (server#27325)
   - Propagate throttling on OCS response (server#27337)
   - Set umask before operations that create local files (server#27349)
   - Escape filename in Content-Disposition (server#27360)
   - Don't update statuses to offline again and again (server#27412)
   - Header must contain a colon (server#27456)
   - Activate constraint check for oracle / pqsql also for 20 (server#27523)
   - Only allow removing existing shares that would not be allowed due to
     reshare restrictions (server#27552)
   - Bump ws from 7.3.1 to 7.5.0 (server#27570)
   - Properly cleanup entries of WebAuthn on user deletion (server#27596)
   - Throttle on public DAV endpoint (server#27617)
   - Bump vue-loader from 15.9.3 to 15.9.7 (server#27639)
   - Bump eslint-plugin-standard from 4.0.1 to 4.0.2 (server#27651)
   - Validate the theming color also on CLI (server#27680)
   - Downstream encryption:fix-encrypted-version for repairing bad signature
     errors (server#27728)
   - Remove encodeURI code (files_pdfviewer#396)
   - Only ask for permissions on HTTPS (notifications#998)
   - Fix sorting if one of the file name is only composed with number
     (photos#785)
   - Backport 20 fix Photos not shown in large browser windows #630 (#686)
     (photos#810)
   - Update File.vue (photos#813)
   - Update chart.js (serverinfo#309)
   - Only return workspace property for top node in a propfind request
     (text#1611)
   - ViewerComponent: pass on autofocus to EditorWrapper (text#1647)
   - Use text/plain as content type for fetching the document (text#1692)
   - Log exceptions that happen on unknown exception and return generic
     messages (text#1698)
   - Add fixup (viewer#924)
   - Fix: fullscreen for Firefox (viewer#929)

 

Patch Instructions:

   To install this openSUSE Security Update use the SUSE recommended
   installation methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - openSUSE Leap 15.2:

      zypper in -t patch openSUSE-2021-1068=1

   - openSUSE Backports SLE-15-SP3:

      zypper in -t patch openSUSE-2021-1068=1

   - openSUSE Backports SLE-15-SP2:

      zypper in -t patch openSUSE-2021-1068=1

   - openSUSE Backports SLE-15-SP1:

      zypper in -t patch openSUSE-2021-1068=1


Package List:

   - openSUSE Leap 15.2 (noarch):

      nextcloud-20.0.11-lp152.3.9.1
      nextcloud-apache-20.0.11-lp152.3.9.1

   - openSUSE Backports SLE-15-SP3 (noarch):

      nextcloud-20.0.11-bp153.2.3.1
      nextcloud-apache-20.0.11-bp153.2.3.1

   - openSUSE Backports SLE-15-SP2 (noarch):

      nextcloud-20.0.11-bp152.2.9.1
      nextcloud-apache-20.0.11-bp152.2.9.1

   - openSUSE Backports SLE-15-SP1 (noarch):

      nextcloud-20.0.11-bp151.3.15.1
      nextcloud-apache-20.0.11-bp151.3.15.1
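   Applying the patch is only half of the check; the other half is confirming
   that the installed nextcloud packages are at or above the fixed versions in
   the package list. The Python below is an added example for this advisory,
   not SUSE or Nextcloud tooling: it reimplements the core of RPM's version
   ordering (a simplification of librpm's rpmvercmp that ignores the tilde and
   caret rules, which these versions do not use) and evaluates constructed
   `rpm -q` output against the fixed versions listed above. The sample output
   and the product name passed in are assumptions for the demonstration.

```python
import re

# Fixed VERSION-RELEASE per product, taken from the package list above.
FIXED = {
    "openSUSE Leap 15.2": "20.0.11-lp152.3.9.1",
    "openSUSE Backports SLE-15-SP3": "20.0.11-bp153.2.3.1",
    "openSUSE Backports SLE-15-SP2": "20.0.11-bp152.2.9.1",
    "openSUSE Backports SLE-15-SP1": "20.0.11-bp151.3.15.1",
}


def _segments(s):
    """Split a version string into maximal runs of digits or letters.

    Everything else (dots, underscores, pluses) is a separator, as in rpmvercmp.
    """
    return re.findall(r"\d+|[A-Za-z]+", s)


def rpmvercmp(a, b):
    """Return -1, 0 or 1 like librpm's rpmvercmp (tilde/caret handling omitted).

    Numeric segments compare numerically, so 20.0.11 is newer than 20.0.9 even
    though a plain string comparison would say otherwise; alphabetic segments
    compare lexically; a numeric segment beats an alphabetic one.
    """
    if a == b:
        return 0
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            xi, yi = int(x), int(y)
            if xi != yi:
                return 1 if xi > yi else -1
        elif xd != yd:
            return 1 if xd else -1
        elif x != y:
            return 1 if x > y else -1
    # All shared segments equal: the longer string is the newer one.
    if len(sa) != len(sb):
        return 1 if len(sa) > len(sb) else -1
    return 0


def vr_cmp(a, b):
    """Compare 'VERSION-RELEASE' strings: version first, then release."""
    av, _, ar = a.partition("-")
    bv, _, br = b.partition("-")
    c = rpmvercmp(av, bv)
    return c if c else rpmvercmp(ar, br)


def is_fixed(product, installed_vr):
    """True if installed_vr is at least the fixed VERSION-RELEASE for product."""
    return vr_cmp(installed_vr, FIXED[product]) >= 0


def check_rpm_output(product, rpm_output):
    """Map package name -> fixed? from the text produced by

        rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\\n' nextcloud nextcloud-apache
    """
    results = {}
    for line in rpm_output.strip().splitlines():
        name, vr = line.split()
        results[name] = is_fixed(product, vr)
    return results


# Constructed sample output (assumption): one package updated, one still behind.
SAMPLE_RPM_OUTPUT = """\
nextcloud 20.0.11-lp152.3.9.1
nextcloud-apache 20.0.9-lp152.3.6.1
"""

if __name__ == "__main__":
    for name, ok in check_rpm_output("openSUSE Leap 15.2", SAMPLE_RPM_OUTPUT).items():
        print(f"{name}: {'fixed' if ok else 'VULNERABLE, patch not applied'}")
```

   The segmented compare is the part worth keeping: a naive string check such
   as `installed >= "20.0.11"` ranks 20.0.9 above 20.0.11 and would report a
   still-vulnerable host as patched.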


References:

   https://www.suse.com/security/cve/CVE-2020-8293.html
   https://www.suse.com/security/cve/CVE-2020-8294.html
   https://www.suse.com/security/cve/CVE-2020-8295.html
   https://www.suse.com/security/cve/CVE-2021-32678.html
   https://www.suse.com/security/cve/CVE-2021-32679.html
   https://www.suse.com/security/cve/CVE-2021-32680.html
   https://www.suse.com/security/cve/CVE-2021-32688.html
   https://www.suse.com/security/cve/CVE-2021-32703.html
   https://www.suse.com/security/cve/CVE-2021-32705.html
   https://www.suse.com/security/cve/CVE-2021-32725.html
   https://www.suse.com/security/cve/CVE-2021-32726.html
   https://www.suse.com/security/cve/CVE-2021-32734.html
   https://www.suse.com/security/cve/CVE-2021-32741.html
   https://bugzilla.suse.com/1181445
   https://bugzilla.suse.com/1181803
   https://bugzilla.suse.com/1181804
   https://bugzilla.suse.com/1188247
   https://bugzilla.suse.com/1188248
   https://bugzilla.suse.com/1188249
   https://bugzilla.suse.com/1188250
   https://bugzilla.suse.com/1188251
   https://bugzilla.suse.com/1188252
   https://bugzilla.suse.com/1188253
   https://bugzilla.suse.com/1188254
   https://bugzilla.suse.com/1188255
   https://bugzilla.suse.com/1188256

