openSUSE Security Update: Security update for nextcloud
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2021:1602-1
Rating:             important
References:         #1192028 #1192030 #1192031 
Cross-References:   CVE-2021-41177 CVE-2021-41178 CVE-2021-41179
                   
CVSS scores:
                    CVE-2021-41177 (NVD) : 8.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
                    CVE-2021-41178 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-41179 (NVD) : 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Affected Products:
                    openSUSE Leap 15.2
                    openSUSE Backports SLE-15-SP3
                    openSUSE Backports SLE-15-SP2
                    openSUSE Backports SLE-15-SP1
                    SUSE Package Hub for SUSE Linux Enterprise 12
______________________________________________________________________________

   An update that fixes three vulnerabilities is now available.

Description:


   This update for nextcloud fixes the following issues:

   Update to 20.0.14

   Security issues fixed:

   * CVE-2021-41179: Fix boo#1192028 - (CWE-304): Two-Factor Authentication
     not enforced for pages marked as public
   * CVE-2021-41178: Fix boo#1192030 - (CWE-434): File Traversal affecting
     SVG files on Nextcloud Server
   * CVE-2021-41177: Fix boo#1192031 - (CWE-799): Rate-limits not working on
     instances without configured memory cache backend

   Changes:

   - Add command to repair broken filesystem trees (server#26630)
   - Ensure that user and group IDs in LDAP's tables are also max 64chars
     (server#28971)
   - Change output format of Psalm to Github (server#29048)
   - File-upload: Correctly handle error responses for HTTP2 (server#29069)
   - Allow "TwoFactor Nextcloud Notifications" to pull the state of the 2F…
     (server#29072)
   - Add a few sensitive config keys (server#29085)
   - Fix path of file_get_contents (server#29095)
   - Update the certificate bundle (server#29098)
   - Keep pw based auth tokens valid when pw-less login happens (server#29131)
   - Properly handle folder deletion on external s3 storage (server#29158)
   - Tokens without password should not trigger changed password invalidation
     (server#29166)
   - Don't further setup disabled users when logging in with apache
     (server#29167)
   - Add 'supported'-label to all supported apps (server#29181)
   - 21] generate a better optimized query for path prefix search filters
     (server#29192)
   - Keep group restrictions when reenabling apps after an update
     (server#29198)
   - Add proper message to created share not found (server#29205)
   - Add documentation for files_no_background_scan (server#29219)
   - Don't setup the filesystem to check for a favicon we don't use anyway
     (server#29223)
   - Fix background scan doc in config (server#29253)
   - Get `filesize()` if `file_exists()` (server#29290)
   - Fix unable to login errors due to file system not being initialized
     (server#29291)
   - Update 3rdparty ref (server#29297)
   - Bump icewind/streams from 0.7.3 to 0.7.5 in files_external (server#29298)
   - Fix app upgrade (server#29303)
   - Avoid PHP errors when the LDAP attribute is not found (server#29314)
   - Fix security issues when copying groupfolder with advanced ACL
     (server#29366)
   - Scheduling plugin not updating responding attendee status (server#29387)
   - Make calendar schedule options translatable (server#29388)
   - Add whitelist for apps inside of the server repo (server#29396)
   - Handle files with `is_file` instead of `file_exists` (server#29417)
   - Fixes an undefined index when getAccessList returns an empty array
     (server#29421)
   - Extra fixes needed for icewind/streams update to 0.7.2 (server#29426)
   - Backport #29260: Respect user enumeration settings in user status lists
     (server#29429)
   - Implement local filtering in file list (server#29441)
   - Detect mimetype by content only with content (server#29457)
   - Update CRL (server#29505)
   - Update update-psalm-baseline workflow (server#29548)
   - Bump icewind/streams from 0.7.1 to 0.7.5 (3rdparty#855)
   - Bump version (files_pdfviewer#512)
   - Fix deleting notifications with numeric user ID (notifications#1090)
   - Add integration tests for push registration (notifications#1097)
   - Restore old device signature so the proxy works again
     (notifications#1105)
   - Bump vue and vue-template-compiler (photos#864)
   - Bump prosemirror-schema-list from 1.1.5 to 1.1.6 (text#1868)
   - Additional checks for workspace controller (text#1887)


Patch Instructions:

   To install this openSUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - openSUSE Leap 15.2:

      zypper in -t patch openSUSE-2021-1602=1

   - openSUSE Backports SLE-15-SP3:

      zypper in -t patch openSUSE-2021-1602=1

   - openSUSE Backports SLE-15-SP2:

      zypper in -t patch openSUSE-2021-1602=1

   - openSUSE Backports SLE-15-SP1:

      zypper in -t patch openSUSE-2021-1602=1

   - SUSE Package Hub for SUSE Linux Enterprise 12:

      zypper in -t patch openSUSE-2021-1602=1



Package List:

   - openSUSE Leap 15.2 (noarch):

      nextcloud-20.0.14-lp152.3.15.1
      nextcloud-apache-20.0.14-lp152.3.15.1

   - openSUSE Backports SLE-15-SP3 (noarch):

      nextcloud-20.0.14-bp153.2.9.1
      nextcloud-apache-20.0.14-bp153.2.9.1

   - openSUSE Backports SLE-15-SP2 (noarch):

      nextcloud-20.0.14-bp152.2.15.1
      nextcloud-apache-20.0.14-bp152.2.15.1

   - openSUSE Backports SLE-15-SP1 (noarch):

      nextcloud-20.0.14-bp151.3.21.1
      nextcloud-apache-20.0.14-bp151.3.21.1

   - SUSE Package Hub for SUSE Linux Enterprise 12 (noarch):

      nextcloud-20.0.14-34.1
      nextcloud-apache-20.0.14-34.1
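   A post-update check, added here as an example and not part of the advisory
   or of Nextcloud's own tooling: it confirms that the installed nextcloud
   package is at 20.0.14 or newer (the version carrying the three fixes listed
   above) and, because CVE-2021-41177 concerned instances with no memory cache
   backend, that config.php names one via memcache.local or
   memcache.distributed. The demo runs against constructed sample config files
   and version strings so it works offline; the rpm query in
   installed_nextcloud_fixed assumes the package name nextcloud as listed in
   the Package List.

```shell
#!/bin/sh
# Added example (not part of the openSUSE advisory or of Nextcloud itself):
# post-update checks for openSUSE-SU-2021:1602-1.
#
# 1. nextcloud_fixed VERSION   - is a nextcloud package version at or above
#    20.0.14, the first build carrying all three fixes?
# 2. memcache_configured FILE  - does config.php name a memory cache backend?
#    CVE-2021-41177 was about rate limits doing nothing on instances without
#    one, so memcache.local or memcache.distributed should be set.

FIXED_VERSION="20.0.14"

# Strip the RPM release suffix after the first '-' (e.g. "20.0.14-lp152.3.15.1"
# becomes "20.0.14") and compare the upstream version against FIXED_VERSION
# with sort -V.  Returns 0 when fixed, 1 when still vulnerable.
nextcloud_fixed() {
    ver=${1%%-*}
    lowest=$(printf '%s\n%s\n' "$FIXED_VERSION" "$ver" | sort -V | head -n1)
    [ "$lowest" = "$FIXED_VERSION" ]
}

# Query the installed package with rpm and test that version (assumes the
# package name "nextcloud" from the advisory's package list).
installed_nextcloud_fixed() {
    nextcloud_fixed "$(rpm -q --qf '%{VERSION}-%{RELEASE}' nextcloud)"
}

# Look for an uncommented memcache.local or memcache.distributed entry in
# config.php.  Returns 0 if one is present, 1 otherwise.  A line that starts
# with // or # is a comment and does not count.
memcache_configured() {
    grep -Eq "^[[:space:]]*'memcache\.(local|distributed)'[[:space:]]*=>" "$1"
}

# Dry run over constructed sample files and version strings (not real data).
demo() {
    tmp=$(mktemp -d)
    # Weak: the only memcache line is commented out, so no backend is active.
    cat > "$tmp/weak.php" <<'EOF'
<?php
$CONFIG = array (
  'instanceid' => 'example',
  // 'memcache.local' => '\OC\Memcache\APCu',
);
EOF
    # Hardened: local APCu cache plus a distributed Redis cache.
    cat > "$tmp/hardened.php" <<'EOF'
<?php
$CONFIG = array (
  'instanceid' => 'example',
  'memcache.local' => '\OC\Memcache\APCu',
  'memcache.distributed' => '\OC\Memcache\Redis',
  'redis' => array ('host' => 'localhost', 'port' => 6379),
);
EOF
    for v in 20.0.13-lp152.3.14.1 20.0.14-lp152.3.15.1; do
        if nextcloud_fixed "$v"; then
            echo "$v: fixed"
        else
            echo "$v: VULNERABLE, apply openSUSE-2021-1602"
        fi
    done
    for f in weak hardened; do
        if memcache_configured "$tmp/$f.php"; then
            echo "$f.php: memory cache backend configured"
        else
            echo "$f.php: no memory cache backend configured"
        fi
    done
    rm -rf "$tmp"
}

demo
```

   On a live system replace the demo with installed_nextcloud_fixed and point
   memcache_configured at the instance's config/config.php.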


References:

   https://www.suse.com/security/cve/CVE-2021-41177.html
   https://www.suse.com/security/cve/CVE-2021-41178.html
   https://www.suse.com/security/cve/CVE-2021-41179.html
   https://bugzilla.suse.com/1192028
   https://bugzilla.suse.com/1192030
   https://bugzilla.suse.com/1192031

Published: December 20, 2021