openSUSE Security Update: Security update for nextcloud

Announcement ID:    openSUSE-SU-2021:1602-1
Rating:             important
References:         #1192028 #1192030 #1192031 
Cross-References:   CVE-2021-41177 CVE-2021-41178 CVE-2021-41179
CVSS scores:
                    CVE-2021-41177 (NVD) : 8.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
                    CVE-2021-41178 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-41179 (NVD) : 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Affected Products:
                    SUSE Package Hub for SUSE Linux Enterprise 12

   An update that fixes three vulnerabilities is now available.


   This update for nextcloud fixes the following issues:

   Update to 20.0.14

   Security issues fixed:

   * CVE-2021-41179: Fix boo#1192028 - (CWE-304): Two-Factor Authentication
     not enforced for pages marked as public
   * CVE-2021-41178: Fix boo#1192030 - (CWE-434): File Traversal affecting
     SVG files on Nextcloud Server
   * CVE-2021-41177: Fix boo#1192031 - (CWE-799): Rate-limits not working on
     instances without configured memory cache backend


   - Add command to repair broken filesystem trees (server#26630)
   - Ensure that user and group IDs in LDAP's tables are also max 64chars
   - Change output format of Psalm to Github (server#29048)
   - File-upload: Correctly handle error responses for HTTP2 (server#29069)
   - Allow "TwoFactor Nextcloud Notifications" to pull the state of the 2F???
   - Add a few sensitive config keys (server#29085)
   - Fix path of file_get_contents (server#29095)
   - Update the certificate bundle (server#29098)
   - Keep pw based auth tokens valid when pw-less login happens (server#29131)
   - Properly handle folder deletion on external s3 storage (server#29158)
   - Tokens without password should not trigger changed password invalidation
   - Don't further setup disabled users when logging in with apache
   - Add 'supported'-label to all supported apps (server#29181)
   - 21] generate a better optimized query for path prefix search filters
   - Keep group restrictions when reenabling apps after an update
   - Add proper message to created share not found (server#29205)
   - Add documentation for files_no_background_scan (server#29219)
   - Don't setup the filesystem to check for a favicon we don't use anyway
   - Fix background scan doc in config (server#29253)
   - Get `filesize()` if `file_exists()` (server#29290)
   - Fix unable to login errors due to file system not being initialized
   - Update 3rdparty ref (server#29297)
   - Bump icewind/streams from 0.7.3 to 0.7.5 in files_external (server#29298)
   - Fix app upgrade (server#29303)
   - Avoid PHP errors when the LDAP attribute is not found (server#29314)
   - Fix security issues when copying groupfolder with advanced ACL
   - Scheduling plugin not updating responding attendee status (server#29387)
   - Make calendar schedule options translatable (server#29388)
   - Add whitelist for apps inside of the server repo (server#29396)
   - Handle files with `is_file` instead of `file_exists` (server#29417)
   - Fixes an undefined index when getAccessList returns an empty array
   - Extra fixes needed for icewind/streams update to 0.7.2 (server#29426)
   - Backport #29260: Respect user enumeration settings in user status lists
   - Implement local filtering in file list (server#29441)
   - Detect mimetype by content only with content (server#29457)
   - Update CRL (server#29505)
   - Update update-psalm-baseline workflow (server#29548)
   - Bump icewind/streams from 0.7.1 to 0.7.5 (3rdparty#855)
   - Bump version (files_pdfviewer#512)
   - Fix deleting notifications with numeric user ID (notifications#1090)
   - Add integration tests for push registration (notifications#1097)
   - Restore old device signature so the proxy works again
   - Bump vue and vue-template-compiler (photos#864)
   - Bump prosemirror-schema-list from 1.1.5 to 1.1.6 (text#1868)
   - Additional checks for workspace controller (text#1887)

Patch Instructions:

   To install this openSUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Package Hub for SUSE Linux Enterprise 12:

      zypper in -t patch openSUSE-2021-1602=1

Package List:

   - SUSE Package Hub for SUSE Linux Enterprise 12 (noarch):