openSUSE-SU-2026:20451-1

Published: 31 Mar 2026
Source: suse-cvrf

Description

Security update for gnome-online-accounts, gvfs

This update for gnome-online-accounts, gvfs fixes the following issues:

Changes for gvfs:

Update gvfs to 1.59.90:

  • CVE-2026-28295: information disclosure when processing untrusted PASV responses from FTP servers (bsc#1258953).
  • CVE-2026-28296: arbitrary FTP command injection due to unsanitized CRLF sequences in user supplied file paths (bsc#1258954).

Changelog:

Update to version 1.59.90:

  • client: Fix use-after-free when creating async proxy failed
  • udisks2: Emit changed signals from update_all()
  • daemon: Fix race on subscribers list when on thread
  • ftp: Validate fe_size when parsing symlink target
  • ftp: Check localtime() return value before use
  • gphoto2: Use g_try_realloc() instead of g_realloc()
  • cdda: Reject path traversal in mount URI host
  • client: Fail when URI has invalid UTF-8 chars
  • udisks2: Fix memory corruption with duplicate mount paths
  • build: Update GOA dependency to > 3.57.0
  • Some other fixes
  • ftp: Use control connection address for PASV data
  • ftp: Reject paths containing CR/LF characters

Update to version 1.59.1:

  • mtp: replace Android extension checks with capability checks
  • dav: Add X-OC-Mtime header on push to preserve last modified time
  • udisks2: Use hash tables in the volume monitor to improve performance
  • onedrive: Check for identity instead of presentation identity
  • build: Disable google option and mark as deprecated

Update to version 1.58.2:

  • ftp: Use control connection address for PASV data
  • ftp: Reject paths containing CR/LF characters

Update to version 1.58.1:

  • cdda: Fix duration of last track for some media
  • build: Fix build when google option is disabled
  • Fix various memory leaks
  • Updated translations

Update to version 1.58.0:

  • mtp: Allow cancelling ongoing folder enumerations
  • wsdd: Use socket-activated service if available
  • onedrive: Set emblem for remote data
  • fix: Add file rename support in MTP backend move operation
  • mtp: Fix -Wmaybe-uninitialized warning in pad_file
  • fuse: use fuse_(un)set_feature_flag for libfuse 3.17+
  • smbbrowse: Purge server cache for next auth try
  • metatree: Open files with O_CLOEXEC
  • cdda: Fix incorrect track duration for 99-track CDs
  • metadata: Fix journal file permissions inconsistency
  • dav: recognize 308 Permanent Redirect

Changes for gnome-online-accounts:

Update to version 3.58.0:

  • SMTP server without password cannot be configured
  • Remove unneeded SMTP password escaping
  • build: Disable google provider Files feature
  • MS365: Fix mail address and name
  • Google: Set mail name to presentation identity
  • Updated translations

Update to version 3.57.1:

  • Default Microsoft 365 client is unverified
  • Microsoft 365: Make use of email for id
  • goadaemon: Allow manage system notifications
  • goamsgraphprovider: bump credentials generation
  • goaprovider: Allow to disable, instead of enable, selected providers

Changes from version 3.57.0:

  • Support for saving a Kerberos password to the keychain after the first login
  • Changing expired Kerberos password is not supported
  • Provided Files URI does not override undiscovered endpoint
  • DAV client rejects 204 status in OPTIONS request handler
  • Include emblem-default-symbolic.svg
  • Connecting a Runbox CardDAV/CalDAV account hangs/freezes after sign in
  • i18n: fix translatable string
  • goaimapsmptprovider: fix accounts without SMTP or authentication-less SMTP
  • build: only install icons for the goabackend build
  • build: don't require goabackend to build documentation
  • ci: test the build without gtk4
  • DAV-client: Added short path for SOGo

Update to version 3.56.4:

Bugs fixed:

  • Unclear which part of "IMAP+SMTP" account test failed
  • Adding nextcloud account which has a subfolder does not work
  • goadaemon: Handle broken account configs

Update to version 3.56.3:

  • Add DAV detection and configuration for SOGo
  • DAV discovery fails when certain SRV lookups fail

Update to version 3.56.1:

  • Support for saving a Kerberos password after the first login
  • Changing expired Kerberos password is not supported
  • Provided Files URI does not override undiscovered endpoint
  • DAV client rejects 204 status in OPTIONS request handler

Update to version 3.56.0:

  • Code style and logging cleanups
  • Updated translations

Update to version 3.55.2:

  • goaoauth2provider: improve error handling for auth/token endpoints

Update to version 3.55.1:

  • Support Webflow authentication for Nextcloud
  • Rename dconf key in gnome-online-accounts settings
  • "Account Name" GUI field is a bit ambiguous
  • Failed to generate a new POT file for the user interface of "gnome-online-accounts" (domain: "po") and some missing files from POTFILES.in

Update to version 3.55.0:

  • Add progress spinner for OAuth2 dialogs
  • Remove Windows Live! option
  • Improve goa_oauth2_provider_ensure_credentials_sync
  • Authentication failure in goa IMAP accounts
  • Missing files from POTFILES.in
  • WebDAV not detected for mail.ru
  • goaoauth2provider: fix task chaining for subclasses
  • Always lowercase domains when looking up base
  • goadavclient: check Nextcloud fallback last
  • goabackend: add a composite widget for authflow links
  • goadavclient: fix the mailbox.org preconfig

Update to version 3.54.5:

  • Adding GOA account fails with sonic.net IMAP service
  • Cannot add a ProtonMail bridge with IMAP + TLS
  • Nextcloud login does not work anymore due to OPTIONS /login request
  • Linked online accounts no longer work
  • Invalid URI when adding Google account
  • goamsgraphprovider: ensure a valid PresentationIdentity
  • goadaemon: complete GTasks to avoid a scary debug warning

Package list

openSUSE Leap 16.0
gnome-online-accounts-3.58.0-160000.1.1
gnome-online-accounts-devel-3.58.0-160000.1.1
gnome-online-accounts-lang-3.58.0-160000.1.1
gvfs-1.59.90-160000.1.1
gvfs-backend-afc-1.59.90-160000.1.1
gvfs-backend-goa-1.59.90-160000.1.1
gvfs-backend-gphoto-1.59.90-160000.1.1
gvfs-backend-samba-1.59.90-160000.1.1
gvfs-backends-1.59.90-160000.1.1
gvfs-fuse-1.59.90-160000.1.1
gvfs-lang-1.59.90-160000.1.1
libgoa-1_0-0-3.58.0-160000.1.1
libgoa-backend-1_0-2-3.58.0-160000.1.1
typelib-1_0-Goa-1_0-3.58.0-160000.1.1

Description (CVE-2026-28295)

A flaw was found in the FTP GVfs backend. A malicious FTP server can exploit this vulnerability by providing an arbitrary IP address and port in its passive mode (PASV) response. The client unconditionally trusts this information and attempts to connect to the specified endpoint, allowing the malicious server to probe for open ports accessible from the client's network.

Affected products
openSUSE Leap 16.0:gnome-online-accounts-3.58.0-160000.1.1
openSUSE Leap 16.0:gnome-online-accounts-devel-3.58.0-160000.1.1
openSUSE Leap 16.0:gnome-online-accounts-lang-3.58.0-160000.1.1
openSUSE Leap 16.0:gvfs-1.59.90-160000.1.1

Description (CVE-2026-28296)

A flaw was found in the FTP GVfs backend. A remote attacker could exploit this input validation vulnerability by supplying specially crafted file paths containing carriage return and line feed (CRLF) sequences. These unsanitized sequences allow the attacker to terminate intended FTP commands and inject arbitrary FTP commands, potentially leading to arbitrary code execution or other severe impacts.
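Both FTP flaws described on this page are closed by client-side validation, as the changelog entries "Use control connection address for PASV data" and "Reject paths containing CR/LF characters" indicate. The following Python is an added illustration, not gvfs code: it takes only the port from a PASV reply and reuses the control connection's peer as the data host, and it refuses any path containing CR or LF before it is placed on a command line. CONTROL_PEER and the reply text are constructed sample values.

```python
import logging
import re

log = logging.getLogger(__name__)

# Constructed sample value for this demonstration, not taken from a real session.
CONTROL_PEER = "203.0.113.10"   # address the client opened the control connection to

# The classic PASV reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)".
_PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv(reply: str) -> tuple[str, int]:
    """Extract the (host, port) a server advertises in its 227 reply."""
    if not reply.startswith("227"):
        raise ValueError("not a 227 PASV reply")
    match = _PASV_RE.search(reply)
    if match is None:
        raise ValueError("malformed PASV reply")
    h1, h2, h3, h4, p1, p2 = (int(g) for g in match.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("PASV field out of range")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def data_endpoint(reply: str, control_peer: str = CONTROL_PEER) -> tuple[str, int]:
    """Decide where the data connection goes.

    Only the port is taken from the server's reply. The host is always the
    peer of the control connection, so the server cannot steer the client
    towards some other address reachable from the client's network.
    """
    advertised_host, port = parse_pasv(reply)
    if port == 0:
        raise ValueError("server advertised port 0")
    if advertised_host != control_peer:
        # A server behind NAT may do this legitimately; a hostile one will. Either
        # way the advertised host is ignored, so this is only worth a log line.
        log.warning("PASV host %s differs from control peer %s", advertised_host, control_peer)
    return control_peer, port


def is_safe_ftp_path(path: str) -> bool:
    """A path may not contain CR or LF: either ends the current command line
    early and lets the remainder be read by the server as a further command."""
    return "\r" not in path and "\n" not in path


def ftp_command(verb: str, path: str) -> bytes:
    """Build one command line for the control channel, rejecting unsafe paths."""
    if not is_safe_ftp_path(path):
        raise ValueError("path contains CR/LF")
    return f"{verb} {path}\r\n".encode("utf-8")
```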

Affected products
openSUSE Leap 16.0:gnome-online-accounts-3.58.0-160000.1.1
openSUSE Leap 16.0:gnome-online-accounts-devel-3.58.0-160000.1.1
openSUSE Leap 16.0:gnome-online-accounts-lang-3.58.0-160000.1.1
openSUSE Leap 16.0:gvfs-1.59.90-160000.1.1
