openSUSE: 2021:1602-1 important: nextcloud file traversal

December 20, 2021

Nextcloud 20.0.14 has been released for openSUSE, fixing three security vulnerabilities. Apply the update on affected hosts.

An update that fixes three vulnerabilities is now available.

Description

This update for nextcloud fixes the following issues:

Update to 20.0.14

Security issues fixed:

* CVE-2021-41179: Fix boo#1192028 - (CWE-304): Two-Factor Authentication not enforced for pages marked as public
* CVE-2021-41178: Fix boo#1192030 - (CWE-434): File Traversal affecting SVG files on Nextcloud Server
* CVE-2021-41177: Fix boo#1192031 - (CWE-799): Rate-limits not working on instances without configured memory cache backend

Changes:

- Add command to repair broken filesystem trees (server#26630)
- Ensure that user and group IDs in LDAP's tables are also max 64 chars (server#28971)
- Change output format of Psalm to Github (server#29048)
- File-upload: Correctly handle error responses for HTTP2 (server#29069)
- Allow "TwoFactor Nextcloud Notifications" to pull the state of the 2F??? (server#29072)
- Add a few sensitive config keys (server#29085)
- Fix path of file_get_contents...

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.2:

zypper in -t patch openSUSE-2021-1602=1

- openSUSE Backports SLE-15-SP3:

zypper in -t patch openSUSE-2021-1602=1

- openSUSE Backports SLE-15-SP2:

zypper in -t patch openSUSE-2021-1602=1

- openSUSE Backports SLE-15-SP1:

zypper in -t patch openSUSE-2021-1602=1

- SUSE Package Hub for SUSE Linux Enterprise 12:

zypper in -t patch openSUSE-2021-1602=1

Package List

- openSUSE Leap 15.2 (noarch):

nextcloud-20.0.14-lp152.3.15.1

nextcloud-apache-20.0.14-lp152.3.15.1

- openSUSE Backports SLE-15-SP3 (noarch):

nextcloud-20.0.14-bp153.2.9.1

nextcloud-apache-20.0.14-bp153.2.9.1

- openSUSE Backports SLE-15-SP2 (noarch):

nextcloud-20.0.14-bp152.2.15.1

nextcloud-apache-20.0.14-bp152.2.15.1

- openSUSE Backports SLE-15-SP1 (noarch):

nextcloud-20.0.14-bp151.3.21.1

nextcloud-apache-20.0.14-bp151.3.21.1

- SUSE Package Hub for SUSE Linux Enterprise 12 (noarch):

nextcloud-20.0.14-34.1

nextcloud-apache-20.0.14-34.1
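The package list above gives the fixed upstream version (20.0.14), and the CVE-2021-41177 entry ties the broken rate limiting to hosts with no memory cache backend configured. The following script is an added example, not part of the SUSE advisory or of Nextcloud itself: it compares an installed nextcloud version against the fixed version with GNU sort -V, and reports whether a config.php sets either of Nextcloud's memory cache keys ('memcache.local' or 'memcache.distributed'). The two config.php files it inspects are constructed inline for the demonstration; the rpm query is only run when rpm is present.

```shell
#!/bin/sh
# Added example (not from the SUSE advisory or the Nextcloud project):
# check whether a host still needs openSUSE-2021-1602 and whether the
# CVE-2021-41177 precondition (no memory cache backend) applies to it.
set -eu

FIXED_VERSION="20.0.14"   # version shipped by this advisory

# Print "fixed" when version $1 is >= the fixed version, "vulnerable" otherwise.
# GNU sort -V orders dotted versions numerically (20.0.9 < 20.0.14).
nextcloud_is_fixed() {
    lowest=$(printf '%s\n%s\n' "$1" "$FIXED_VERSION" | sort -V | head -n 1)
    if [ "$lowest" = "$FIXED_VERSION" ]; then
        echo fixed
    else
        echo vulnerable
    fi
}

# Print "yes" if the Nextcloud config.php given as $1 configures a memory
# cache backend via 'memcache.local' or 'memcache.distributed', else "no".
# An unpatched 20.0.x instance answering "no" is in the CVE-2021-41177 state.
nextcloud_has_memcache() {
    if grep -Eq "^[[:space:]]*'memcache\.(local|distributed)'[[:space:]]*=>" "$1"; then
        echo yes
    else
        echo no
    fi
}

# Installed version from the RPM database, or "unknown" off an RPM system.
installed_nextcloud_version() {
    if command -v rpm >/dev/null 2>&1; then
        rpm -q --qf '%{VERSION}' nextcloud 2>/dev/null || echo unknown
    else
        echo unknown
    fi
}

# Constructed sample configs for the demonstration (not from a real host).
tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT

cat > "$tmpdir/with_cache.php" <<'EOF'
<?php
$CONFIG = array (
  'instanceid' => 'ocxxxxxxxxxx',
  'memcache.local' => '\OC\Memcache\APCu',
  'memcache.distributed' => '\OC\Memcache\Redis',
);
EOF

cat > "$tmpdir/no_cache.php" <<'EOF'
<?php
$CONFIG = array (
  'instanceid' => 'ocyyyyyyyyyy',
  'dbtype' => 'mysql',
);
EOF

printf 'version 20.0.13 -> %s\n' "$(nextcloud_is_fixed 20.0.13)"
printf 'version 20.0.14 -> %s\n' "$(nextcloud_is_fixed 20.0.14)"
printf 'with_cache.php memcache configured: %s\n' "$(nextcloud_has_memcache "$tmpdir/with_cache.php")"
printf 'no_cache.php memcache configured: %s\n'   "$(nextcloud_has_memcache "$tmpdir/no_cache.php")"
printf 'this host: %s\n' "$(installed_nextcloud_version)"
```

On a real openSUSE host, point nextcloud_has_memcache at the live config.php (under the nextcloud package's config directory) and feed installed_nextcloud_version into nextcloud_is_fixed; a host that is both "vulnerable" and "no" has no working brute-force protection until the patch is applied.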

References

https://www.suse.com/security/cve/CVE-2021-41177.html

https://www.suse.com/security/cve/CVE-2021-41178.html

https://www.suse.com/security/cve/CVE-2021-41179.html

https://bugzilla.suse.com/1192028

https://bugzilla.suse.com/1192030

https://bugzilla.suse.com/1192031


Announcement ID: openSUSE-SU-2021:1602-1
Rating: important
