Security update for nextcloud SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2018:2521-2 Final 1 1 2018-08-26T13:56:07Z current 2018-08-26T13:56:07Z 2018-08-26T13:56:07Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for nextcloud This update for nextcloud to version 13.0.5 fixes the following issues: Security issues fixed: - CVE-2018-3780: Fixed a missing sanitization of search results for an autocomplete field that could lead to a stored XSS requiring user-interaction. The missing sanitization only affected user names, hence malicious search results could only be crafted by authenticated users. (boo#1105598) Other bugs fixed: - Fix highlighting of the upload drop zone - Apply ldapUserFilter on members of group - Make the DELETION of groups match greedy on the groupID - Add parent index to share table - Log full exception in cron instead of only the message - Properly lock the target file on dav upload when not using part files - LDAP backup server should not be queried when auth fails - Fix filenames in sharing integration tests - Lower log level for quota manipulation cases - Let user set avatar in nextcloud if LDAP provides invalid image data - Improved logging of smb connection errors - Allow admin to disable fetching of avatars as well as a specific attribute - Allow to disable encryption - Update message shown when unsharing a file - Fixed English grammatical error on Settings page. - Request a valid property for DAV opendir - Allow updating the token on session regeneration - Prevent lock values from going negative with memcache backend - Correctly handle users with numeric user ids - Correctly parse the subject parameters for link (un)shares of calendars - Fix &quot;parsing&quot; of email-addresses in comments and chat messages - Sanitize parameters in createSessionToken() while logging - Also retry rename operation on InvalidArgumentException - Improve url detection in comments - Only bind to ldap if configuration for the first server is set - Use download manager from PDF.js to download the file - Fix trying to load removed scripts - Only pull for new messages if the session is allowed to be kept alive - Always push object data - Add prioritization for Talk The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) http://lists.opensuse.org/opensuse-security-announce/2018-09/msg00049.html E-Mail link for openSUSE-SU-2018:2521-2 https://www.suse.com/support/security/rating/ SUSE Security Ratings SUSE Package Hub for SUSE Linux Enterprise 12 SUSE Package Hub for SUSE Linux Enterprise 15 nextcloud-13.0.5-bp150.2.3.1 nextcloud-13.0.5-bp150.2.3.1 as a component of SUSE Package Hub for SUSE Linux Enterprise 12 nextcloud-13.0.5-bp150.2.3.1 as a component of SUSE Package Hub for SUSE Linux Enterprise 15 A missing sanitization of search results for an autocomplete field in NextCloud Server <13.0.5 could lead to a stored XSS requiring user-interaction. The missing sanitization only affected user names, hence malicious search results could only be crafted by authenticated users. CVE-2018-3780 SUSE Package Hub for SUSE Linux Enterprise 12:nextcloud-13.0.5-bp150.2.3.1 SUSE Package Hub for SUSE Linux Enterprise 15:nextcloud-13.0.5-bp150.2.3.1 low Please Install the update. http://lists.opensuse.org/opensuse-security-announce/2018-09/msg00049.html https://www.suse.com/security/cve/CVE-2018-3780.html CVE-2018-3780 https://bugzilla.suse.com/1105598 SUSE Bug 1105598