openSUSE-SU-2018:2521-2

Описание

This update for nextcloud to version 13.0.5 fixes the following issues:

Security issues fixed:

• CVE-2018-3780: Fixed a missing sanitization of search results for an autocomplete field that could lead to a stored XSS requiring user-interaction. The missing sanitization only affected user names, hence malicious search results could only be crafted by authenticated users. (boo#1105598)

Other bugs fixed:

• Fix highlighting of the upload drop zone
• Apply ldapUserFilter on members of group
• Make the DELETION of groups match greedy on the groupID
• Add parent index to share table
• Log full exception in cron instead of only the message
• Properly lock the target file on dav upload when not using part files
• LDAP backup server should not be queried when auth fails
• Fix filenames in sharing integration tests
• Lower log level for quota manipulation cases
• Let user set avatar in nextcloud if LDAP provides invalid image data
• Improved logging of smb connection errors
• Allow admin to disable fetching of avatars as well as a specific attribute
• Allow to disable encryption
• Update message shown when unsharing a file
• Fixed English grammatical error on Settings page.
• Request a valid property for DAV opendir
• Allow updating the token on session regeneration
• Prevent lock values from going negative with memcache backend
• Correctly handle users with numeric user ids
• Correctly parse the subject parameters for link (un)shares of calendars
• Fix "parsing" of email-addresses in comments and chat messages
• Sanitize parameters in createSessionToken() while logging
• Also retry rename operation on InvalidArgumentException
• Improve url detection in comments
• Only bind to ldap if configuration for the first server is set
• Use download manager from PDF.js to download the file
• Fix trying to load removed scripts
• Only pull for new messages if the session is allowed to be kept alive
• Always push object data
• Add prioritization for Talk