Description
Security update for nextcloud-desktop
This update for nextcloud-desktop fixes the following issues:
Update to 3.8.0
- Resize WebView widget once the loginpage rendered
- Feature/secure file drop
- Check German translation for wrong wording
- L10n: Correct word
- Fix displaying of file details button for local syncfileitem activities
- Improve config upgrade warning dialog
- Only accept folder setup page if overrideLocalDir is set
- Update CHANGELOG.
- Prevent ShareModel crash from accessing bad pointers
- Bugfix/init value for pointers
- Log to stdout when built in Debug config
- Clean up account creation and deletion code
- L10n: Added dot to end of sentence
- L10n: Fixed grammar
- Fix 'Create new folder' menu entries in settings not working correctly on macOS
- Ci/clang tidy checks init variables
- Fix share dialog infinite loading
- Fix edit locally job not finding the user account: wrong user id
- Skip e2e encrypted files with empty filename in metadata
- Use new connect syntax
- Fix avatars not showing up in settings dialog account actions until clicked on
- Always discover blacklisted folders to avoid data loss when modifying selectivesync list.
- Fix infinite loading in the share dialog when public link shares are disabled on the server
- With cfapi when dehydrating files add missing flag
- Fix text labels in Sync Status component
- Display 'Search globally' as the last sharees list element
- Fix display of 2FA notification.
- Bugfix/do not restore virtual files
- Show server name in tray main window
- Add Ubuntu Lunar
- Debian build classification 'beta' cannot override 'release'.
- Update changelog
- Follow shouldNotify flag to hide notifications when needed
- Bugfix/stop after creating config file
- E2EE cut extra zeroes from decrypted byte array.
- When local sync folder is overridden, respect this choice
- Feature/e2ee fixes
This update also fixes security issues:
- (boo#1205798, CVE-2022-39331) Arbitrary HyperText Markup Language injection in notifications
- (boo#1205799, CVE-2022-39332) Arbitrary HyperText Markup Language injection in user status and information
- (boo#1205800, CVE-2022-39333) Arbitrary HyperText Markup Language injection in desktop client application
- (boo#1205801, CVE-2022-39334) Client incorrectly trusts invalid TLS certificates
- (boo#1207976, CVE-2023-23942) Missing sanitisation on QML labels leading to JavaScript injection
Package list
SUSE Package Hub 15 SP5
openSUSE Leap 15.5
References
- E-Mail link for openSUSE-SU-2023:0171-1
- SUSE Security Ratings
- SUSE Bug 1205798
- SUSE Bug 1205799
- SUSE Bug 1205800
- SUSE Bug 1205801
- SUSE Bug 1207976
- SUSE CVE CVE-2022-39331 page
- SUSE CVE CVE-2022-39332 page
- SUSE CVE CVE-2022-39333 page
- SUSE CVE CVE-2022-39334 page
- SUSE CVE CVE-2023-23942 page
Description
Nextcloud desktop is the Desktop sync client for Nextcloud. An attacker can inject arbitrary HyperText Markup Language into the Desktop Client application in the notifications. It is recommended that the Nextcloud Desktop client is upgraded to 3.6.1. There are no known workarounds for this issue.
Affected products
References
- CVE-2022-39331
- SUSE Bug 1205798
Description
Nextcloud desktop is the Desktop sync client for Nextcloud. An attacker can inject arbitrary HyperText Markup Language into the Desktop Client application via user status and information. It is recommended that the Nextcloud Desktop client is upgraded to 3.6.1. There are no known workarounds for this issue.
Affected products
References
- CVE-2022-39332
- SUSE Bug 1205799
Description
Nextcloud desktop is the Desktop sync client for Nextcloud. An attacker can inject arbitrary HyperText Markup Language into the Desktop Client application. It is recommended that the Nextcloud Desktop client is upgraded to 3.6.1. There are no known workarounds for this issue.
Affected products
References
- CVE-2022-39333
- SUSE Bug 1205800
Description
Nextcloud also ships a CLI utility called nextcloudcmd which is sometimes used for automated scripting and headless servers. Versions of nextcloudcmd prior to 3.6.1 would incorrectly trust invalid TLS certificates, which may enable a Man-in-the-middle attack that exposes sensitive data or credentials to a network attacker. This affects the CLI only. It does not affect the standard GUI desktop Nextcloud clients, and it does not affect the Nextcloud server.
Affected products
References
- CVE-2022-39334
- SUSE Bug 1205801
Description
The Nextcloud Desktop Client is a tool to synchronize files from a Nextcloud Server with your computer. Versions prior to 3.6.3 are missing sanitisation on QML labels which are used for basic HTML elements such as `strong`, `em` and `head` lines in the UI of the desktop client. The lack of sanitisation may allow for JavaScript injection. It is recommended that the Nextcloud Desktop Client is upgraded to 3.6.3. There are no known workarounds for this issue.
Affected products
References
- CVE-2023-23942
- SUSE Bug 1207976