Security update for nextcloud (moderate)

ID: OPENSUSE-SU-2018:2521-1
Type: suse
Reporter: Suse
Modified: 2018-08-26T21:13:06

This update for nextcloud to version 13.0.5 fixes the following issues:

Security issues fixed:

  • CVE-2018-3780: Fixed a missing sanitization of search results for an autocomplete field that could lead to a stored XSS requiring user interaction. Because only user names lacked sanitization, malicious search results could only be crafted by authenticated users. (boo#1105598)
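The defect class behind CVE-2018-3780 is user-controlled names being written into autocomplete markup as HTML rather than as text. The following is an added illustration, not Nextcloud's own code: it escapes every result field before building the suggestion list, and it assumes a result shape of `{uid, displayname}` and a constructed sample result set.

```javascript
// Added example (not Nextcloud code): treat user names returned by a user
// search as untrusted text before inserting them into autocomplete markup.

// Escape the characters that carry meaning in HTML text and attribute values.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Build the <li> entries for an autocomplete dropdown. Result shape {uid,
// displayname} is an assumption for this example. Both fields are chosen by
// other (authenticated) users, so both go through escapeHtml; the unfixed
// pattern would have concatenated them into the markup unchanged.
function renderSuggestions(results) {
  return results
    .map(
      (r) =>
        `<li data-uid="${escapeHtml(r.uid)}">${escapeHtml(r.displayname)}</li>`
    )
    .join("");
}

// Constructed sample: one ordinary account and one whose display name
// contains markup and quotes, the kind of value the fix has to neutralise.
const SAMPLE_RESULTS = [
  { uid: "alice", displayname: "Alice" },
  { uid: "mallory", displayname: '<b>Mallory</b> "admin"' },
];

// Returns true only if no raw tag or attribute delimiter from the input
// survives in the rendered output.
function isNeutralised(results) {
  const html = renderSuggestions(results);
  return !html.includes("<b>") && !html.includes('"admin"');
}
```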

Other bugs fixed:

  • Fix highlighting of the upload drop zone
  • Apply ldapUserFilter on members of group
  • Make the DELETION of groups match greedy on the groupID
  • Add parent index to share table
  • Log full exception in cron instead of only the message
  • Properly lock the target file on dav upload when not using part files
  • LDAP backup server should not be queried when auth fails
  • Fix filenames in sharing integration tests
  • Lower log level for quota manipulation cases
  • Let user set avatar in nextcloud if LDAP provides invalid image data
  • Improved logging of smb connection errors
  • Allow admin to disable fetching of avatars as well as a specific attribute
  • Allow to disable encryption
  • Update message shown when unsharing a file
  • Fixed English grammatical error on Settings page
  • Request a valid property for DAV opendir
  • Allow updating the token on session regeneration
  • Prevent lock values from going negative with memcache backend
  • Correctly handle users with numeric user ids
  • Correctly parse the subject parameters for link (un)shares of calendars
  • Fix "parsing" of email-addresses in comments and chat messages
  • Sanitize parameters in createSessionToken() while logging
  • Also retry rename operation on InvalidArgumentException
  • Improve url detection in comments
  • Only bind to ldap if configuration for the first server is set
  • Use download manager from PDF.js to download the file
  • Fix trying to load removed scripts
  • Only pull for new messages if the session is allowed to be kept alive
  • Always push object data
  • Add prioritization for Talk