openSUSE advisory OPENSUSE-SU-2021:1068-1
Published: Jul 21, 2021

Security update for nextcloud (important)

2021-07-21 00:00:00 | Source: lists.opensuse.org

CVSS3: 9.8 High (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: HIGH

CVSS2: 7.5 High (AV:N/AC:L/Au:N/C:P/I:P/A:P)
  Access Vector: NETWORK
  Access Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: PARTIAL
  Integrity Impact: PARTIAL
  Availability Impact: PARTIAL

An update that fixes 13 vulnerabilities is now available.

Description:

This update for nextcloud fixes the following issues:

nextcloud was updated to 20.0.11:

  • Fix boo#1188247 - CVE-2021-32678: OCS API response ratelimits are not
    applied
  • Fix boo#1188248 - CVE-2021-32679: filenames were not escaped by default
    in controllers using DownloadResponse
  • Fix boo#1188249 - CVE-2021-32680: share expiration date wasn’t properly
    logged
  • Fix boo#1188250 - CVE-2021-32688: lacking permission check with
    application specific tokens
  • Fix boo#1188251 - CVE-2021-32703: lack of ratelimiting on the shareinfo
    endpoint
  • Fix boo#1188252 - CVE-2021-32705: lack of ratelimiting on the public DAV
    endpoint
  • Fix boo#1188253 - CVE-2021-32725: default share permissions were not
    being respected for federated reshares of files and folders
  • Fix boo#1188254 - CVE-2021-32726: webauthn tokens were not deleted after
    a user has been deleted
  • Fix boo#1188255 - CVE-2021-32734: possible full path disclosure on
    shared files
  • Fix boo#1188256 - CVE-2021-32741: lack of ratelimiting on the public
    share link mount endpoint
  • Bump handlebars from 4.7.6 to 4.7.7 (server#26900)
  • Bump lodash from 4.17.20 to 4.17.21 (server#26909)
  • Bump hosted-git-info from 2.8.8 to 2.8.9 (server#26920)
  • Don’t break OCC if an app is breaking in its Application class
    (server#26954)
  • Add bruteforce protection to the shareinfo endpoint (server#26956)
  • Ignore readonly flag for directories (server#26965)
  • Throttle MountPublicLinkController when share is not found (server#26971)
  • Respect default share permissions for federated reshares (server#27001)
  • Harden apptoken check (server#27014)
  • Use parent wrapper to properly handle moves on the same source/target
    storage (server#27016)
  • Fix error when using CORS with no auth credentials (server#27027)
  • Fix return value of getStorageInfo when ‘quota_include_external_storage’
    is enabled (server#27108)
  • Bump patch dependencies (server#27183)
  • Use noreply@ as email address for share emails (server#27209)
  • Bump p-queue from 6.6.1 to 6.6.2 (server#27226)
  • Bump browserslist from 4.14.0 to 4.16.6 (server#27247)
  • Bump webpack from 4.44.1 to 4.44.2 (server#27297)
  • Properly use limit and offset for search in Jail wrapper (server#27308)
  • Make user:report command scale (server#27319)
  • Properly log expiration date removal in audit log (server#27325)
  • Propagate throttling on OCS response (server#27337)
  • Set umask before operations that create local files (server#27349)
  • Escape filename in Content-Disposition (server#27360)
  • Don’t update statuses to offline again and again (server#27412)
  • Header must contain a colon (server#27456)
  • Activate constraint check for oracle / pgsql also for 20 (server#27523)
  • Only allow removing existing shares that would not be allowed due to
    reshare restrictions (server#27552)
  • Bump ws from 7.3.1 to 7.5.0 (server#27570)
  • Properly cleanup entries of WebAuthn on user deletion (server#27596)
  • Throttle on public DAV endpoint (server#27617)
  • Bump vue-loader from 15.9.3 to 15.9.7 (server#27639)
  • Bump eslint-plugin-standard from 4.0.1 to 4.0.2 (server#27651)
  • Validate the theming color also on CLI (server#27680)
  • Downstream encryption:fix-encrypted-version for repairing bad signature
    errors (server#27728)
  • Remove encodeURI code (files_pdfviewer#396)
  • Only ask for permissions on HTTPS (notifications#998)
  • Fix sorting if one of the file names is composed only of numbers
    (photos#785)
  • Backport 20 fix Photos not shown in large browser windows #630 (#686)
    (photos#810)
  • Update File.vue (photos#813)
  • Update chart.js (serverinfo#309)
  • Only return workspace property for top node in a propfind request
    (text#1611)
  • ViewerComponent: pass on autofocus to EditorWrapper (text#1647)
  • Use text/plain as content type for fetching the document (text#1692)
  • Log exceptions that happen on unknown exception and return generic
    messages (text#1698)
  • Add fixup (viewer#924)
  • Fix: fullscreen for Firefox (viewer#929)

Update to 20.0.7

  • Catch NotFoundException when querying quota (server#25315)
  • [CalDAV] Validate notified emails (server#25324)
  • Fix/app fetcher php compat comparison (server#25347)
  • Show the actual error on share requests (server#25352)
  • Fix parameter provided as string not array (server#25366)
  • The objectid is a string (server#25374)
  • 20.0.7 final (server#25387)
  • Properly handle SMB ACL blocking scanning a directory (server#25421)
  • Don’t break completely when creating the digest fails for one user
    (activity#556)
  • Only attempt to use a secure view if hide download is actually set
    (files_pdfviewer#296)
  • Fix opening PDF files with special characters in their name
    (files_pdfviewer#298)
  • Fix PDF viewer failing on Edge (not based on Chromium)
    (files_pdfviewer#299)
  • Cannot unfold plain text notifications (notifications#846)
  • Remove EPUB mimetype (text#1391)

Update to 20.0.6

  • Make sure to do priority app upgrades first (server#25077)
  • Respect DB restrictions on number of arguments in statements and queries
    (server#25120)
  • Add a hint about the direction of priority (server#25143)
  • Do not redirect to logout after login (server#25146)
  • Fix comparison of PHP versions (server#25152)
  • Add “composer.lock” for acceptance tests to git (server#25178)
  • Update CRL due to revoked gravatar.crl (server#25190)
  • Don’t log keys on checkSignature (server#25193)
  • Update 3rdparty after Archive_Tar (server#25199)
  • Bump CA bundle (server#25219)
  • Update handling of user credentials (server#25225)
  • Fix encoding issue with OC.Notification.show (server#25244)
  • Also use storage copy when dav copying directories (server#25261)
  • Silence log message (server#25263)
  • Extend ILDAPProvider to allow reading arbitrary ldap attributes for
    users (server#25276)
  • Do not obtain userFolder of a federated user (server#25278)
  • Bump pear/archive_tar from 1.4.11 to 1.4.12 (3rdparty#603)
  • Add gitignore entry for .github folder of dependencies (3rdparty#604)
  • Clear event array on getting them (activity#551)

Update to 20.0.5

  • Don’t log params of imagecreatefromstring (server#24546)
  • Use storage copy implementation when doing dav copy (server#24590)
  • Use in objectstore copy (server#24592)
  • Add tel, note, org and title search (server#24697)
  • Check php compatibility of app store app releases (server#24698)
  • Fix [#24682]: ensure federation cloud id is returned if FN property not
    found (server#24709)
  • Do not include non-required scripts on the upgrade page (server#24714)
  • LDAP: fix inGroup for memberUid type of group memberships (server#24716)
  • Cancel user search requests to avoid duplicate results being added
    (server#24728)
  • Also unset the other possible unused parameters (server#24751)
  • Enable the file name check to also match names of mountpoints
    (server#24760)
  • Fix sharing to group ids with characters that are being url encoded
    (server#24763)
  • Limit getIncomplete query to one row (server#24791)
  • Fix Argon2 descriptions (server#24792)
  • Actually set the TTL on redis set (server#24798)
  • Allow to force rename a conflicting calendar (server#24806)
  • Fix IPv6 localhost regex (server#24823)
  • Catch the error on heartbeat update (server#24826)
  • Make oc_files_trash.auto_id a bigint (server#24853)
  • Fix total upload size overwritten by next upload (server#24854)
  • Avoid huge exception argument logging (server#24876)
  • Make share results distinguishable if there are more than one with the
    exact same display name (server#24878)
  • Add migration for oc_share_external columns (server#24963)
  • Don’t throw a 500 when importing a broken ics reminder file
    (server#24972)
  • Fix unreliable ViewTest (server#24976)
  • Update root.crl due to revocation of transmission.crt (server#24990)
  • Set the JSCombiner cache if needed (server#24997)
  • Fix column name to check prior to deleting (server#25009)
  • Catch throwable instead of exception (server#25013)
  • Set the user language when adding the footer (server#25019)
  • Change defaultapp in config.sample.php to dashboard to improve docs and
    align it to source code (server#25030)
  • Fix clearing the label of a share (server#25035)
  • Update psalm-baseline.xml (server#25066)
  • Don’t remove assignable column for now (server#25074)
  • Add setup check to verify that the used DB version is still supported…
    (server#25076)
  • Correctly set the user for activity parsing when preparing a notifica…
    (activity#542)
  • Bump vue-virtual-grid from 2.2.1 to 2.3.0 (photos#597)
  • Catch possible database exceptions when fetching document data
    (text#1221)
  • Make sure we have the proper PHP version installed before running
    composer (text#1234)
  • Revert removal of transformResponse (text#1235)
  • Bump prosemirror-view from 1.16.1 to 1.16.5 (text#1255)
  • Bump @babel/preset-env from 7.12.1 to 7.12.11 (text#1257)
  • Bump babel-loader from 8.1.0 to 8.2.2 (text#1259)
  • Bump eslint-plugin-standard from 4.0.2 to 4.1.0 (text#1261)
  • Bump vue-loader from 15.9.5 to 15.9.6 (text#1263)
  • Bump prosemirror-model from 1.12.0 to 1.13.1 (text#1265)
  • Bump core-js from 3.7.0 to 3.8.1 (text#1266)
  • Bump stylelint from 13.7.2 to 13.8.0 (text#1269)
  • Bump @babel/plugin-transform-runtime from 7.12.1 to 7.12.10 (text#1271)
  • Bump sass-loader from 10.0.5 to 10.1.0 (text#1273)
  • Bump webpack-merge from 5.3.0 to 5.7.2 (text#1274)
  • Bump @babel/core from 7.12.3 to 7.12.10 (text#1277)
  • Bump cypress from 5.1.0 to 5.6.0 (text#1278)
  • Bump @vue/test-utils from 1.1.1 to 1.1.2 (text#1279)
  • Bump webpack-merge from 5.7.2 to 5.7.3 (text#1303)
  • The apache subpackage must require the main package, otherwise it will
    not be uninstalled when the main package is uninstalled.

Update to 20.0.4

  • Avoid dashboard crash when accessibility app is not installed
    (server#24636)
  • Bump ini from 1.3.5 to 1.3.7 (server#24649)
  • Handle owncloud migration to latest release (server#24653)
  • Use string for storing a OCM remote id (server#24654)
  • Fix MySQL database size calculation (serverinfo#262)
  • Bump cypress-io/github-action@v2 (viewer#722)
  • [Fix] sidebar opening animation (viewer#723)
  • Fix not.exist cypress and TESTING checks (viewer#725)
  • Put apache configuration files in separate subpackage.
  • Use apache-rpm-macros for SUSE.
  • Change oc_* macros to nc_* macros.
  • Insert macro apache_serverroot also in cron files.

Update to 20.0.3

  • Check quota of subdirectories when uploading to them (server#24181)
  • CircleId too short in some request (server#24196)
  • Missing level in ScopedPsrLogger (server#24212)
  • Fix nextcloud logo in email notifications misalignment (server#24228)
  • Allow selecting multiple columns with SELECT DISTINCT (server#24230)
  • Use file name instead of path in ‘not allowed to share’ message
    (server#24231)
  • Fix setting images through occ for theming (server#24232)
  • Use regex when searching on single file shares (server#24239)
  • Harden EncryptionLegacyCipher a bit (server#24249)
  • Update ScanLegacyFormat.php (server#24258)
  • Simple typo in comments (server#24259)
  • Use correct year for generated birthdays events (server#24263)
  • Delete files that exceed trashbin size immediately (server#24297)
  • Update sabre/xml to fix XML parsing errors (server#24311)
  • Only check path for being accessible when the storage is a object home
    (server#24325)
  • Avoid empty null default with value that will be inserted anyways
    (server#24333)
  • Fix contacts menu position and show uid as a tooltip (server#24342)
  • Fix the config key on the sharing expire checkbox (server#24346)
  • Set the display name of federated sharees from addressbook (server#24353)
  • Catch storage not available in versions expire command (server#24367)
  • Use proper bundles for files client and fileinfo (server#24377)
  • Properly encode path when fetching inherited shares (server#24387)
  • Formatting remote sharer should take protocol, path into account
    (server#24391)
  • Make sure we add new line between vcf groups exports (server#24443)
  • Fix public calendars shared to circles (server#24446)
  • Store scss variables under a different prefix for each theming config
    version (server#24453)
  • External storages: save group ids not display names in configuration
    (server#24455)
  • Use correct l10n source in files_sharing JS code (server#24462)
  • Set frame-ancestors to none if none are filled (server#24477)
  • Move the password fields of changing passwords to post (server#24478)
  • Move the global password for files external to post (server#24479)
  • Only attempt to move to trash if a file is not in appdata (server#24483)
  • Fix loading mtime of new file in conflict dialog in firefox
    (server#24491)
  • Harden setup check for TLS version if host is not reachable
    (server#24502)
  • Fix file size computation on 32bit platforms (server#24509)
  • Allow subscription to indicate that a userlimit is reached (server#24511)
  • Set mountid for personal external storage mounts (server#24513)
  • Only execute plain mimetype check for directories and do the fallback…
    (server#24517)
  • Fix vsprint parameter (server#24527)
  • Replace abandoned log normalizer with our fork (server#24530)
  • Add icon to user limit notification (server#24531)
  • Also run repair steps when encryption is disabled but a legacy key is
    present (server#24532)
  • [3rdparty][security] Archive TAR to 1.4.11 (server#24534)
  • Generate a new session id if the decrypting the session data fails
    (server#24553)
  • Revert “Do not read certificate bundle from data dir by default”
    (server#24556)
  • Don’t use system composer for autoload checker (server#24557)
  • Remember me is not an app_password (server#24563)
  • Do not load nonexisting setup.js (server#24582)
  • Update sabre/xml to fix XML parsing errors (3rdparty#529)
  • Use composer v1 on CI (3rdparty#532)
  • Bump pear/archive_tar from 1.4.9 to 1.4.11 (3rdparty#536)
  • Replace abandoned log normalizer with our fork (3rdparty#543)
  • Allow nullable values as subject params (activity#535)
  • Don’t log when unknown array is null (notifications#803)
  • Feat/virtual grid (photos#550)
  • Make sure we have a string to localecompare to (photos#583)
  • Always get recommendations for dashboard if enabled (recommendations#336)
  • Properly fetch oracle database information (serverinfo#258)
  • Also register to urlChanged event to update RichWorkspace (text#1181)
  • Move away from GET (text#1214)

Update to 20.0.2

  • CVE-2020-8293: Fixed input validation which allowed users to store
    unlimited data in workflow rules (boo#1181445).
  • CVE-2020-8294: Fixed a missing link validation (boo#1181803).
  • Indicate preview availability in share api responses (server#23419)
  • CalDavBackend: check if timerange is array before accessing
    (server#23563)
  • Some emojis are in CHAR_CATEGORY_GENERAL_OTHER_TYPES (server#23575)
  • Also expire share type email (server#23583)
  • Only use index of mount point when it is there (server#23611)
  • Only retry fetching app store data once every 5 minutes in case it fails
    (server#23633)
  • Bring back the restore share button (server#23636)
  • Fix updates of NULL appconfig values (server#23641)
  • Fix sharing input placeholder for emails (server#23646)
  • Use bigint for fileid in filecache_extended (server#23690)
  • Enable theming background transparency (server#23699)
  • Fix sharer flag on ldap:show-remnants when user owned more than a single
    share (server#23702)
  • Make sure the function signatures of the backgroundjob match
    (server#23710)
  • Check if array elements exist before using them (server#23713)
  • Fix default quota display value in user row (server#23726)
  • Use lib instead of core as l10n module in OC_Files (server#23727)
  • Specify accept argument to avatar upload input field (server#23732)
  • Save email as lower case (server#23733)
  • Reset avatar cropper before showing (server#23736)
  • Also run the SabreAuthInitEvent for the main server (server#23745)
  • Type the \OCP\IUserManager::callForAllUsers closure with Psalm
    (server#23749)
  • Type the \OCP\AppFramework\Services\IInitialState::provideLazyInitial…
    (server#23751)
  • Don’t overwrite the event if we use it later (server#23753)
  • Inform the user when flow config data exceeds thresholds (server#23759)
  • Type the \OCP\IUserManager::callForSeenUsers closure with Psalm
    (server#23763)
  • Catch errors when closing file conflict dialog (server#23774)
  • Document the backend registered events of LDAP (server#23779)
  • Fetch the logger and system config once for all query builder instances
    (server#23787)
  • Type the event dispatcher listener callables with Psalm (server#23789)
  • Only run phpunit when “php” changed (server#23794)
  • Remove bold font-weight and lower font-size for empty search box
    (server#23829)
  • No need to check if there is an avatar available, because it is gener…
    (server#23846)
  • Ensure filepicker list is empty before populating (server#23850)
  • UserStatus: clear status message if message is null (server#23858)
  • Fix grid view toggle in tags view (server#23874)
  • Restrict query when searching for versions of trashbin files
    (server#23884)
  • Fix potentially passing null to events where IUser is expected
    (server#23894)
  • Make user status styles scoped (server#23899)
  • Move help to separate stylesheet (server#23900)
  • Add default font size (server#23902)
  • Do not emit UserCreatedEvent twice (server#23917)
  • Bearer must be at the start of the auth header (server#23924)
  • Fix casting of integer and boolean on Oracle (server#23935)
  • Skip already loaded apps in loadApps (server#23948)
  • Fix repair mimetype step to not leave stray cursors (server#23950)
  • Improve query type detection (server#23951)
  • Fix iLike() falsely turning escaped % and _ into wildcards (server#23954)
  • Replace some usages of OC_DB in OC\Share* with query builder
    (server#23955)
  • Use query builder instead of OC_DB in trashbin (server#23971)
  • Fix greatest/least order for oracle (server#23975)
  • Fix link share label placeholder not showing (server#23992)
  • Unlock when promoting to exclusive lock fails (server#23995)
  • Make sure root storage is valid before checking its size (server#23996)
  • Use query builder instead of OC_DB in OC\Files* (server#23998)
  • Shortcut to avoid file system setup when generating the logo URL
    (server#24001)
  • Remove old legacy scripts references (server#24004)
  • Fix js search in undefined ocs response (server#24012)
  • Don’t leave cursors open (server#24033)
  • Fix sharing tab state not matching resharing admin settings
    (server#24044)
  • Run unit tests against oracle (server#24049)
  • Use png icons in caldav reminder emails (server#24050)
  • Manually iterate over calendardata when oracle is used (server#24058)
  • Make is_user_defined nullable so we can store false on oracle
    (server#24079)
  • Fix default internal expiration date enforce (server#24081)
  • Register new command db:add-missing-primary-keys (server#24106)
  • Convert the card resource to a string if necessary (server#24114)
  • Don’t throw on SHOW VERSION query (server#24147)
  • Bump dompurify to 2.2.2 (server#24153)
  • Set up FS before querying storage info in settings (server#24156)
  • Fix default internal expiration date (server#24159)
  • CircleId too short in some request (server#24178)
  • Revert “circleId too short in some request” (server#24183)
  • Missing level in ScopedPsrLogger (server#24212)
  • Fix activity spinner on empty activity (activity#523)
  • Add OCI github action (activity#528)
  • Disable download button by default (files_pdfviewer#257)
  • Feat/dependabot ga/stable20 (firstrunwizard#442)
  • Fix loading notifications without a message on oracle (notifications#796)
  • Do not setup appdata in constructor to avoid errors causing the whole
    instance to stop working (text#1105)
  • Bump eslint-plugin-standard from 4.0.1 to 4.0.2 (text#1125)
  • Bump sass-loader from 10.0.1 to 10.0.5 (text#1134)
  • Bump webpack from 4.44.1 to 4.44.2 (text#1140)
  • Bump dependencies to version in range (text#1164)
  • Validate link on click (text#1166)
  • Add migration to fix oracle issues with the database schema (text#1177)
  • Bump cypress from 4.12.1 to 5.1.0 (text#1179)
  • Fix URL escaping of shared files (viewer#681)
  • Fix component click outside and cleanup structure (viewer#684)

Update to 20.0.1

No changelog from upstream at this time.

Update to 20.0.0

  • Changes: The three biggest features we introduce with Nextcloud 20 are:
    • Our new dashboard provides a great starting point for the day with
      over a dozen widgets ranging from Twitter and Github to Moodle and
      Zammad already available
    • Search was unified, bringing search results of Nextcloud apps as well
      as external services like Gitlab, Jira and Discourse in one place
    • Talk introduced bridging to other platforms including MS Teams, Slack,
      IRC, Matrix and a dozen others
    • Some other improvements we want to highlight include:
      • Notifications and Activities were brought together, making sure you
        won’t miss anything important
      • We added a “status” setting so you can communicate to other
        users what you are up to
      • Talk also brings dashboard and search integration, emoji picker,
        upload view, camera and microphone settings, mute and more
      • Calendar integrates in dashboard and search, introduced a list view
        and design improvements
      • Mail introduces threaded view, mailbox management and more
      • Deck integrates with dashboard and search, introduces Calendar
        integration, modal view for card editing and series of smaller
        improvements
      • Flow adds push notification and webhooks so other web apps can
        easily integrate with Nextcloud
      • Text introduced direct linking to files in Nextcloud
      • Files lets you add a description to public link shares
  • Read the full announcement on our blog
  • NC-SA-2020-037
  • CVE-2020-8295: Fixed denial of service when resetting the password for
    a user (boo#1181804)
  • Update to 20.0.11
  • Fix boo#1188247 - CVE-2021-32678: OCS API response ratelimits are not
    applied
  • Fix boo#1188248 - CVE-2021-32679: filenames where not escaped by default
    in controllers using DownloadResponse
  • Fix boo#1188249 - CVE-2021-32680: share expiration date wasn’t properly
    logged
  • Fix boo#1188250 - CVE-2021-32688: lacking permission check with
    application specific tokens
  • Fix boo#1188251 - CVE-2021-32703: lack of ratelimiting on the shareinfo
    endpoint
  • Fix boo#1188252 - CVE-2021-32705: lack of ratelimiting on the public DAV
    endpoint
  • Fix boo#1188253 - CVE-2021-32725: default share permissions were not
    being respected for federated reshares of files and folders
  • Fix boo#1188254 - CVE-2021-32726: webauthn tokens were not deleted after
    a user has been deleted
  • Fix boo#1188255 - CVE-2021-32734: possible full path disclosure on
    shared files
  • Fix boo#1188256 - CVE-2021-32741: lack of ratelimiting on the public
    share link mount endpoint
  • Bump handlebars from 4.7.6 to 4.7.7 (server#26900)
  • Bump lodash from 4.17.20 to 4.17.21 (server#26909)
  • Bump hosted-git-info from 2.8.8 to 2.8.9 (server#26920)
  • Don’t break OCC if an app is breaking in it’s Application class
    (server#26954)
  • Add bruteforce protection to the shareinfo endpoint (server#26956)
  • Ignore readonly flag for directories (server#26965)
  • Throttle MountPublicLinkController when share is not found (server#26971)
  • Respect default share permissions for federated reshares (server#27001)
  • Harden apptoken check (server#27014)
  • Use parent wrapper to properly handle moves on the same source/target
    storage (server#27016)
  • Fix error when using CORS with no auth credentials (server#27027)
  • Fix return value of getStorageInfo when ‘quota_include_external_storage’
    is enabled (server#27108)
  • Bump patch dependencies (server#27183)
  • Use noreply@ as email address for share emails (server#27209)
  • Bump p-queue from 6.6.1 to 6.6.2 (server#27226)
  • Bump browserslist from 4.14.0 to 4.16.6 (server#27247)
  • Bump webpack from 4.44.1 to 4.44.2 (server#27297)
  • Properly use limit and offset for search in Jail wrapper (server#27308)
  • Make user:report command scale (server#27319)
  • Properly log expiration date removal in audit log (server#27325)
  • Propagate throttling on OCS response (server#27337)
  • Set umask before operations that create local files (server#27349)
  • Escape filename in Content-Disposition (server#27360)
  • Don’t update statuses to offline again and again (server#27412)
  • Header must contain a colon (server#27456)
  • Activate constraint check for oracle / pqsql also for 20 (server#27523)
  • Only allow removing existing shares that would not be allowed due to
    reshare restrictions (server#27552)
  • Bump ws from 7.3.1 to 7.5.0 (server#27570)
  • Properly cleanup entries of WebAuthn on user deletion (server#27596)
  • Throttle on public DAV endpoint (server#27617)
  • Bump vue-loader from 15.9.3 to 15.9.7 (server#27639)
  • Bump eslint-plugin-standard from 4.0.1 to 4.0.2 (server#27651)
  • Validate the theming color also on CLI (server#27680)
  • Downstream encryption:fix-encrypted-version for repairing bad signature
    errors (server#27728)
  • Remove encodeURI code (files_pdfviewer#396)
  • Only ask for permissions on HTTPS (notifications#998)
  • Fix sorting if one of the file name is only composed with number
    (photos#785)
  • Backport 20 fix Photos not shown in large browser windows #630 (#686)
    (photos#810)
  • Update File.vue (photos#813)
  • Update chart.js (serverinfo#309)
  • Only return workspace property for top node in a propfind request
    (text#1611)
  • ViewerComponent: pass on autofocus to EditorWrapper (text#1647)
  • Use text/plain as content type for fetching the document (text#1692)
  • Log exceptions that happen on unknown exception and return generic
    messages (text#1698)
  • Add fixup (viewer#924)
  • Fix: fullscreen for Firefox (viewer#929)

Update to 20.0.7

  • Catch NotFoundException when querying quota (server#25315)
  • CalDAV] Validate notified emails (server#25324)
  • Fix/app fetcher php compat comparison (server#25347)
  • Show the actual error on share requests (server#25352)
  • Fix parameter provided as string not array (server#25366)
  • The objectid is a string (server#25374)
  • 20.0.7 final (server#25387)
  • Properly handle SMB ACL blocking scanning a directory (server#25421)
  • Don’t break completely when creating the digest fail for one user
    (activity#556)
  • Only attempt to use a secure view if hide download is actually set
    (files_pdfviewer#296)
  • Fix opening PDF files with special characters in their name
    (files_pdfviewer#298)
  • Fix PDF viewer failing on Edge (not based on Chromium)
    (files_pdfviewer#299)
  • Cannot unfold plain text notifications (notifications#846)
  • Remove EPUB mimetype (text#1391)

Update to 20.0.6

  • Make sure to do priority app upgrades first (server#25077)
  • Respect DB restrictions on number of arguments in statements and queries
    (server#25120)
  • Add a hint about the direction of priority (server#25143)
  • Do not redirect to logout after login (server#25146)
  • Fix comparison of PHP versions (server#25152)
  • Add “composer.lock” for acceptance tests to git (server#25178)
  • Update CRL due to revoked gravatar.crl (server#25190)
  • Don’t log keys on checkSignature (server#25193)
  • Update 3rdparty after Archive_Tar (server#25199)
  • Bump CA bundle (server#25219)
  • Update handling of user credentials (server#25225)
  • Fix encoding issue with OC.Notification.show (server#25244)
  • Also use storage copy when dav copying directories (server#25261)
  • Silence log message (server#25263)
  • Extend ILDAPProvider to allow reading arbitrairy ldap attributes for
    users (server#25276)
  • Do not obtain userFolder of a federated user (server#25278)
  • Bump pear/archive_tar from 1.4.11 to 1.4.12 (3rdparty#603)
  • Add gitignore entry for .github folder of dependencies (3rdparty#604)
  • Clear event array on getting them (activity#551)

Update to 20.0.5

  • Don’t log params of imagecreatefromstring (server#24546)

  • Use storage copy implementation when doing dav copy (server#24590)

  • Use in objectstore copy (server#24592)

  • Add tel, note, org and title search (server#24697)

  • Check php compatibility of app store app releases (server#24698)

  • Fix #24682]: ensure federation cloud id is retruned if FN property not
    found (server#24709)

  • Do not include non-required scripts on the upgrade page (server#24714)

  • LDAP: fix inGroup for memberUid type of group memberships (server#24716)

  • Cancel user search requests to avoid duplicate results being added
    (server#24728)

  • Also unset the other possible unused paramters (server#24751)

  • Enables the file name check also to match name of mountpoints
    (server#24760)

  • Fixes sharing to group ids with characters that are being url encoded
    (server#24763)

  • Limit getIncomplete query to one row (server#24791)

  • Fix Argon2 descriptions (server#24792)

  • Actually set the TTL on redis set (server#24798)

  • Allow to force rename a conflicting calendar (server#24806)

  • Fix IPv6 localhost regex (server#24823)

  • Catch the error on heartbeat update (server#24826)

  • Make oc_files_trash.auto_id a bigint (server#24853)

  • Fix total upload size overwritten by next upload (server#24854)

  • Avoid huge exception argument logging (server#24876)

  • Make share results distinguishable if there are more than one with the
    exact same display name (server#24878)

  • Add migration for oc_share_external columns (server#24963)

  • Don’t throw a 500 when importing a broken ics reminder file
    (server#24972)

  • Fix unreliable ViewTest (server#24976)

  • Update root.crl due to revocation of transmission.crt (server#24990)

  • Set the JSCombiner cache if needed (server#24997)

  • Fix column name to check prior to deleting (server#25009)

  • Catch throwable instead of exception (server#25013)

  • Set the user language when adding the footer (server#25019)

  • Change defaultapp in config.sample.php to dashboard to improve docs and
    align it to source code (server#25030)

  • Fix clearing the label of a share (server#25035)

  • Update psalm-baseline.xml (server#25066)

  • Don’t remove assignable column for now (server#25074)

  • Add setup check to verify that the used DB version is still supported���
    (server#25076)

  • Correctly set the user for activity parsing when preparing a notifica…
    (activity#542)

  • Bump vue-virtual-grid from 2.2.1 to 2.3.0 (photos#597)

  • Catch possible database exceptions when fetching document data
    (text#1221)

  • Make sure we have the proper PHP version installed before running
    composer (text#1234)

  • Revert removal of transformResponse (text#1235)

  • Bump prosemirror-view from 1.16.1 to 1.16.5 (text#1255)

  • Bump @babel/preset-env from 7.12.1 to 7.12.11 (text#1257)

  • Bump babel-loader from 8.1.0 to 8.2.2 (text#1259)

  • Bump eslint-plugin-standard from 4.0.2 to 4.1.0 (text#1261)

  • Bump vue-loader from 15.9.5 to 15.9.6 (text#1263)

  • Bump prosemirror-model from 1.12.0 to 1.13.1 (text#1265)

  • Bump core-js from 3.7.0 to 3.8.1 (text#1266)

  • Bump stylelint from 13.7.2 to 13.8.0 (text#1269)

  • Bump @babel/plugin-transform-runtime from 7.12.1 to 7.12.10 (text#1271)

  • Bump sass-loader from 10.0.5 to 10.1.0 (text#1273)

  • Bump webpack-merge from 5.3.0 to 5.7.2 (text#1274)

  • Bump @babel/core from 7.12.3 to 7.12.10 (text#1277)

  • Bump cypress from 5.1.0 to 5.6.0 (text#1278)

  • Bump @vue/test-utils from 1.1.1 to 1.1.2 (text#1279)

  • Bump webpack-merge from 5.7.2 to 5.7.3 (text#1303)

  • The apache subpackage must require the main package, otherwise it will
    not be uninstalled when the main package is uninstalled.

Update to 20.0.4

  • Avoid dashboard crash when accessibility app is not installed
    (server#24636)

  • Bump ini from 1.3.5 to 1.3.7 (server#24649)

  • Handle owncloud migration to latest release (server#24653)

  • Use string for storing a OCM remote id (server#24654)

  • Fix MySQL database size calculation (serverinfo#262)

  • Bump cypress-io/github-action@v2 (viewer#722)

  • Fix sidebar opening animation (viewer#723)

  • Fix not.exist cypress and TESTING checks (viewer#725)

  • Put apache configuration files in separate subpackage.

  • Use apache-rpm-macros for SUSE.

  • Change oc_* macros to nc_* macros.

  • Insert macro apache_serverroot also in cron files.

Update to 20.0.3

  • Check quota of subdirectories when uploading to them (server#24181)
  • CircleId too short in some request (server#24196)
  • Missing level in ScopedPsrLogger (server#24212)
  • Fix nextcloud logo in email notifications misalignment (server#24228)
  • Allow selecting multiple columns with SELECT DISTINCT (server#24230)
  • Use file name instead of path in ‘not allowed to share’ message
    (server#24231)
  • Fix setting images through occ for theming (server#24232)
  • Use regex when searching on single file shares (server#24239)
  • Harden EncryptionLegacyCipher a bit (server#24249)
  • Update ScanLegacyFormat.php (server#24258)
  • Simple typo in comments (server#24259)
  • Use correct year for generated birthdays events (server#24263)
  • Delete files that exceed trashbin size immediately (server#24297)
  • Update sabre/xml to fix XML parsing errors (server#24311)
  • Only check path for being accessible when the storage is an object home
    (server#24325)
  • Avoid empty null default with value that will be inserted anyways
    (server#24333)
  • Fix contacts menu position and show uid as a tooltip (server#24342)
  • Fix the config key on the sharing expire checkbox (server#24346)
  • Set the display name of federated sharees from addressbook (server#24353)
  • Catch storage not available in versions expire command (server#24367)
  • Use proper bundles for files client and fileinfo (server#24377)
  • Properly encode path when fetching inherited shares (server#24387)
  • Formatting remote sharer should take protocol, path into account
    (server#24391)
  • Make sure we add new line between vcf groups exports (server#24443)
  • Fix public calendars shared to circles (server#24446)
  • Store scss variables under a different prefix for each theming config
    version (server#24453)
  • External storages: save group ids not display names in configuration
    (server#24455)
  • Use correct l10n source in files_sharing JS code (server#24462)
  • Set frame-ancestors to none if none are filled (server#24477)
  • Move the password fields of changing passwords to post (server#24478)
  • Move the global password for files external to post (server#24479)
  • Only attempt to move to trash if a file is not in appdata (server#24483)
  • Fix loading mtime of new file in conflict dialog in firefox
    (server#24491)
  • Harden setup check for TLS version if host is not reachable
    (server#24502)
  • Fix file size computation on 32bit platforms (server#24509)
  • Allow subscription to indicate that a userlimit is reached (server#24511)
  • Set mountid for personal external storage mounts (server#24513)
  • Only execute plain mimetype check for directories and do the fallback…
    (server#24517)
  • Fix vsprint parameter (server#24527)
  • Replace abandoned log normalizer with our fork (server#24530)
  • Add icon to user limit notification (server#24531)
  • Also run repair steps when encryption is disabled but a legacy key is
    present (server#24532)
  • [3rdparty][security] Archive TAR to 1.4.11 (server#24534)
  • Generate a new session id if decrypting the session data fails
    (server#24553)
  • Revert “Do not read certificate bundle from data dir by default”
    (server#24556)
  • Don’t use system composer for autoload checker (server#24557)
  • Remember me is not an app_password (server#24563)
  • Do not load nonexisting setup.js (server#24582)
  • Update sabre/xml to fix XML parsing errors (3rdparty#529)
  • Use composer v1 on CI (3rdparty#532)
  • Bump pear/archive_tar from 1.4.9 to 1.4.11 (3rdparty#536)
  • Replace abandoned log normalizer with our fork (3rdparty#543)
  • Allow nullable values as subject params (activity#535)
  • Don’t log when unknown array is null (notifications#803)
  • Feat/virtual grid (photos#550)
  • Make sure we have a string to localecompare to (photos#583)
  • Always get recommendations for dashboard if enabled (recommendations#336)
  • Properly fetch oracle database information (serverinfo#258)
  • Also register to urlChanged event to update RichWorkspace (text#1181)
  • Move away from GET (text#1214)

Update to 20.0.2

  • CVE-2020-8293: Fixed input validation which allowed users to store
    unlimited data in workflow rules (boo#1181445).
  • CVE-2020-8294: Fixed a missing link validation (boo#1181803).
  • Indicate preview availability in share api responses (server#23419)
  • CalDavBackend: check if timerange is array before accessing
    (server#23563)
  • Some emojis are in CHAR_CATEGORY_GENERAL_OTHER_TYPES (server#23575)
  • Also expire share type email (server#23583)
  • Only use index of mount point when it is there (server#23611)
  • Only retry fetching app store data once every 5 minutes in case it fails
    (server#23633)
  • Bring back the restore share button (server#23636)
  • Fix updates of NULL appconfig values (server#23641)
  • Fix sharing input placeholder for emails (server#23646)
  • Use bigint for fileid in filecache_extended (server#23690)
  • Enable theming background transparency (server#23699)
  • Fix sharer flag on ldap:show-remnants when user owned more than a single
    share (server#23702)
  • Make sure the function signatures of the backgroundjob match
    (server#23710)
  • Check if array elements exist before using them (server#23713)
  • Fix default quota display value in user row (server#23726)
  • Use lib instead of core as l10n module in OC_Files (server#23727)
  • Specify accept argument to avatar upload input field (server#23732)
  • Save email as lower case (server#23733)
  • Reset avatar cropper before showing (server#23736)
  • Also run the SabreAuthInitEvent for the main server (server#23745)
  • Type the \OCP\IUserManager::callForAllUsers closure with Psalm
    (server#23749)
  • Type the \OCP\AppFramework\Services\IInitialState::provideLazyInitial…
    (server#23751)
  • Don’t overwrite the event if we use it later (server#23753)
  • Inform the user when flow config data exceeds thresholds (server#23759)
  • Type the \OCP\IUserManager::callForSeenUsers closure with Psalm
    (server#23763)
  • Catch errors when closing file conflict dialog (server#23774)
  • Document the backend registered events of LDAP (server#23779)
  • Fetch the logger and system config once for all query builder instances
    (server#23787)
  • Type the event dispatcher listener callables with Psalm (server#23789)
  • Only run phpunit when “php” changed (server#23794)
  • Remove bold font-weight and lower font-size for empty search box
    (server#23829)
  • No need to check if there is an avatar available, because it is gener…
    (server#23846)
  • Ensure filepicker list is empty before populating (server#23850)
  • UserStatus: clear status message if message is null (server#23858)
  • Fix grid view toggle in tags view (server#23874)
  • Restrict query when searching for versions of trashbin files
    (server#23884)
  • Fix potentially passing null to events where IUser is expected
    (server#23894)
  • Make user status styles scoped (server#23899)
  • Move help to separate stylesheet (server#23900)
  • Add default font size (server#23902)
  • Do not emit UserCreatedEvent twice (server#23917)
  • Bearer must be in the start of the auth header (server#23924)
  • Fix casting of integer and boolean on Oracle (server#23935)
  • Skip already loaded apps in loadApps (server#23948)
  • Fix repair mimetype step to not leave stray cursors (server#23950)
  • Improve query type detection (server#23951)
  • Fix iLike() falsely turning escaped % and _ into wildcards (server#23954)
  • Replace some usages of OC_DB in OC\Share* with query builder
    (server#23955)
  • Use query builder instead of OC_DB in trashbin (server#23971)
  • Fix greatest/least order for oracle (server#23975)
  • Fix link share label placeholder not showing (server#23992)
  • Unlock when promoting to exclusive lock fails (server#23995)
  • Make sure root storage is valid before checking its size (server#23996)
  • Use query builder instead of OC_DB in OC\Files* (server#23998)
  • Shortcut to avoid file system setup when generating the logo URL
    (server#24001)
  • Remove old legacy scripts references (server#24004)
  • Fix js search in undefined ocs response (server#24012)
  • Don’t leave cursors open (server#24033)
  • Fix sharing tab state not matching resharing admin settings
    (server#24044)
  • Run unit tests against oracle (server#24049)
  • Use png icons in caldav reminder emails (server#24050)
  • Manually iterate over calendardata when oracle is used (server#24058)
  • Make is_user_defined nullable so we can store false on oracle
    (server#24079)
  • Fix default internal expiration date enforce (server#24081)
  • Register new command db:add-missing-primary-keys (server#24106)
  • Convert the card resource to a string if necessary (server#24114)
  • Don’t throw on SHOW VERSION query (server#24147)
  • Bump dompurify to 2.2.2 (server#24153)
  • Set up FS before querying storage info in settings (server#24156)
  • Fix default internal expiration date (server#24159)
  • CircleId too short in some request (server#24178)
  • Revert “circleId too short in some request” (server#24183)
  • Missing level in ScopedPsrLogger (server#24212)
  • Fix activity spinner on empty activity (activity#523)
  • Add OCI github action (activity#528)
  • Disable download button by default (files_pdfviewer#257)
  • Feat/dependabot ga/stable20 (firstrunwizard#442)
  • Fix loading notifications without a message on oracle (notifications#796)
  • Do not setup appdata in constructor to avoid errors causing the whole
    instance to stop working (text#1105)
  • Bump eslint-plugin-standard from 4.0.1 to 4.0.2 (text#1125)
  • Bump sass-loader from 10.0.1 to 10.0.5 (text#1134)
  • Bump webpack from 4.44.1 to 4.44.2 (text#1140)
  • Bump dependencies to version in range (text#1164)
  • Validate link on click (text#1166)
  • Add migration to fix oracle issues with the database schema (text#1177)
  • Bump cypress from 4.12.1 to 5.1.0 (text#1179)
  • Fix URL escaping of shared files (viewer#681)
  • Fix component click outside and cleanup structure (viewer#684)

Update to 20.0.1

No changelog from upstream at this time.

Update to 20.0.0

  • Changes: The three biggest features we introduce with Nextcloud 20 are:
    • Our new dashboard provides a great starting point for the day with
      over a dozen widgets ranging from Twitter and Github to Moodle and
      Zammad already available
    • Search was unified, bringing search results of Nextcloud apps as well
      as external services like Gitlab, Jira and Discourse in one place
    • Talk introduced bridging to other platforms including MS Teams, Slack,
      IRC, Matrix and a dozen others
    • Some other improvements we want to highlight include:
      • Notifications and Activities were brought together, making sure you
        won’t miss anything important
      • We added a “status” setting so you can communicate to other
        users what you are up to
      • Talk also brings dashboard and search integration, emoji picker,
        upload view, camera and microphone settings, mute and more
      • Calendar integrates in dashboard and search, introduced a list view
        and design improvements
      • Mail introduces threaded view, mailbox management and more
      • Deck integrates with dashboard and search, introduces Calendar
        integration, modal view for card editing and series of smaller
        improvements
      • Flow adds push notification and webhooks so other web apps can
        easily integrate with Nextcloud
      • Text introduced direct linking to files in Nextcloud
      • Files lets you add a description to public link shares
  • Read the full announcement on our blog
  • NC-SA-2020-037
  • CVE-2020-8295: Fixed denial of service attack when resetting the
    password for a user (boo#1181804)

Update to 20.0.11

  • Fix boo#1188247 - CVE-2021-32678: OCS API response ratelimits are not
    applied
  • Fix boo#1188248 - CVE-2021-32679: filenames where not escaped by default
    in controllers using DownloadResponse
  • Fix boo#1188249 - CVE-2021-32680: share expiration date wasn’t properly
    logged
  • Fix boo#1188250 - CVE-2021-32688: lacking permission check with
    application specific tokens
  • Fix boo#1188251 - CVE-2021-32703: lack of ratelimiting on the shareinfo
    endpoint
  • Fix boo#1188252 - CVE-2021-32705: lack of ratelimiting on the public DAV
    endpoint
  • Fix boo#1188253 - CVE-2021-32725: default share permissions were not
    being respected for federated reshares of files and folders
  • Fix boo#1188254 - CVE-2021-32726: webauthn tokens were not deleted after
    a user has been deleted
  • Fix boo#1188255 - CVE-2021-32734: possible full path disclosure on
    shared files
  • Fix boo#1188256 - CVE-2021-32741: lack of ratelimiting on the public
    share link mount endpoint
  • Bump handlebars from 4.7.6 to 4.7.7 (server#26900)
  • Bump lodash from 4.17.20 to 4.17.21 (server#26909)
  • Bump hosted-git-info from 2.8.8 to 2.8.9 (server#26920)
  • Don’t break OCC if an app is breaking in its Application class
    (server#26954)
  • Add bruteforce protection to the shareinfo endpoint (server#26956)
  • Ignore readonly flag for directories (server#26965)
  • Throttle MountPublicLinkController when share is not found (server#26971)
  • Respect default share permissions for federated reshares (server#27001)
  • Harden apptoken check (server#27014)
  • Use parent wrapper to properly handle moves on the same source/target
    storage (server#27016)
  • Fix error when using CORS with no auth credentials (server#27027)
  • Fix return value of getStorageInfo when ‘quota_include_external_storage’
    is enabled (server#27108)
  • Bump patch dependencies (server#27183)
  • Use noreply@ as email address for share emails (server#27209)
  • Bump p-queue from 6.6.1 to 6.6.2 (server#27226)
  • Bump browserslist from 4.14.0 to 4.16.6 (server#27247)
  • Bump webpack from 4.44.1 to 4.44.2 (server#27297)
  • Properly use limit and offset for search in Jail wrapper (server#27308)
  • Make user:report command scale (server#27319)
  • Properly log expiration date removal in audit log (server#27325)
  • Propagate throttling on OCS response (server#27337)
  • Set umask before operations that create local files (server#27349)
  • Escape filename in Content-Disposition (server#27360)
  • Don’t update statuses to offline again and again (server#27412)
  • Header must contain a colon (server#27456)
  • Activate constraint check for oracle / pgsql also for 20 (server#27523)
  • Only allow removing existing shares that would not be allowed due to
    reshare restrictions (server#27552)
  • Bump ws from 7.3.1 to 7.5.0 (server#27570)
  • Properly cleanup entries of WebAuthn on user deletion (server#27596)
  • Throttle on public DAV endpoint (server#27617)
  • Bump vue-loader from 15.9.3 to 15.9.7 (server#27639)
  • Bump eslint-plugin-standard from 4.0.1 to 4.0.2 (server#27651)
  • Validate the theming color also on CLI (server#27680)
  • Downstream encryption:fix-encrypted-version for repairing bad signature
    errors (server#27728)
  • Remove encodeURI code (files_pdfviewer#396)
  • Only ask for permissions on HTTPS (notifications#998)
  • Fix sorting if one of the file names is composed only of numbers
    (photos#785)
  • Backport 20 fix Photos not shown in large browser windows #630 (#686)
    (photos#810)
  • Update File.vue (photos#813)
  • Update chart.js (serverinfo#309)
  • Only return workspace property for top node in a propfind request
    (text#1611)
  • ViewerComponent: pass on autofocus to EditorWrapper (text#1647)
  • Use text/plain as content type for fetching the document (text#1692)
  • Log exceptions that happen on unknown exception and return generic
    messages (text#1698)
  • Add fixup (viewer#924)
  • Fix: fullscreen for Firefox (viewer#929)

Patch Instructions:

To install this openSUSE Security Update, use the SUSE recommended installation methods
such as YaST online_update or “zypper patch”.

Alternatively you can run the command listed for your product:

  • openSUSE Leap 15.2:

    zypper in -t patch openSUSE-2021-1068=1

  • openSUSE Backports SLE-15-SP3:

    zypper in -t patch openSUSE-2021-1068=1

  • openSUSE Backports SLE-15-SP2:

    zypper in -t patch openSUSE-2021-1068=1

  • openSUSE Backports SLE-15-SP1:

    zypper in -t patch openSUSE-2021-1068=1

  • SUSE Package Hub for SUSE Linux Enterprise 12:

    zypper in -t patch openSUSE-2021-1068=1
