openSUSE-SU-2021:1602-1

CVE-2021-41179: Fix boo#1192028 - (CWE-304): Two-Factor Authentication not enforced for pages marked as public
CVE-2021-41178: Fix boo#1192030 - (CWE-434): File Traversal affecting SVG files on Nextcloud Server
CVE-2021-41177: Fix boo#1192031 - (CWE-799): Rate-limits not working on instances without configured memory cache backend

Changes:

Add command to repair broken filesystem trees (server#26630)
Ensure that user and group IDs in LDAP's tables are also max 64chars (server#28971)
Change output format of Psalm to Github (server#29048)
File-upload: Correctly handle error responses for HTTP2 (server#29069)
Allow 'TwoFactor Nextcloud Notifications' to pull the state of the 2F… (server#29072)
Add a few sensitive config keys (server#29085)
Fix path of filegetcontents (server#29095)
Update the certificate bundle (server#29098)
Keep pw based auth tokens valid when pw-less login happens (server#29131)
Properly handle folder deletion on external s3 storage (server#29158)
Tokens without password should not trigger changed password invalidation (server#29166)
Don't further setup disabled users when logging in with apache (server#29167)
Add 'supported'-label to all supported apps (server#29181)
21] generate a better optimized query for path prefix search filters (server#29192)
Keep group restrictions when reenabling apps after an update (server#29198)
Add proper message to created share not found (server#29205)
Add documentation for filesnobackground_scan (server#29219)
Don't setup the filesystem to check for a favicon we don't use anyway (server#29223)
Fix background scan doc in config (server#29253)
Get filesize() if file_exists() (server#29290)
Fix unable to login errors due to file system not being initialized (server#29291)
Update 3rdparty ref (server#29297)
Bump icewind/streams from 0.7.3 to 0.7.5 in files_external (server#29298)
Fix app upgrade (server#29303)
Avoid PHP errors when the LDAP attribute is not found (server#29314)
Fix security issues when copying groupfolder with advanced ACL (server#29366)
Scheduling plugin not updating responding attendee status (server#29387)
Make calendar schedule options translatable (server#29388)
Add whitelist for apps inside of the server repo (server#29396)
Handle files with is_file instead of file_exists (server#29417)
Fixes an undefined index when getAccessList returns an empty array (server#29421)
Extra fixes needed for icewind/streams update to 0.7.2 (server#29426)
Backport #29260: Respect user enumeration settings in user status lists (server#29429)
Implement local filtering in file list (server#29441)
Detect mimetype by content only with content (server#29457)
Update CRL (server#29505)
Update update-psalm-baseline workflow (server#29548)
Bump icewind/streams from 0.7.1 to 0.7.5 (3rdparty#855)
Bump version (files_pdfviewer#512)
Fix deleting notifications with numeric user ID (notifications#1090)
Add integration tests for push registration (notifications#1097)
Restore old device signature so the proxy works again (notifications#1105)
Bump vue and vue-template-compiler (photos#864)
Bump prosemirror-schema-list from 1.1.5 to 1.1.6 (text#1868)
Additional checks for workspace controller (text#1887)

References

Affected packages

SUSE:Package Hub 12 / nextcloud

Package

Name: nextcloud
Purl: pkg:rpm/suse/nextcloud&distro=SUSE%20Package%20Hub%2012

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

20.0.14-bp153.2.9.1

Ecosystem specific

{
    "binaries": [
        {
            "nextcloud-apache": "20.0.14-bp153.2.9.1",
            "nextcloud": "20.0.14-bp153.2.9.1"
        }
    ]
}

SUSE:Package Hub 15 SP1 / nextcloud

Package

Name: nextcloud
Purl: pkg:rpm/suse/nextcloud&distro=SUSE%20Package%20Hub%2015%20SP1

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

20.0.14-bp153.2.9.1

Ecosystem specific

{
    "binaries": [
        {
            "nextcloud-apache": "20.0.14-bp153.2.9.1",
            "nextcloud": "20.0.14-bp153.2.9.1"
        }
    ]
}

SUSE:Package Hub 15 SP2 / nextcloud

Package

Name: nextcloud
Purl: pkg:rpm/suse/nextcloud&distro=SUSE%20Package%20Hub%2015%20SP2

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

20.0.14-bp153.2.9.1

Ecosystem specific

{
    "binaries": [
        {
            "nextcloud-apache": "20.0.14-bp153.2.9.1",
            "nextcloud": "20.0.14-bp153.2.9.1"
        }
    ]
}

SUSE:Package Hub 15 SP3 / nextcloud

Package

Name: nextcloud
Purl: pkg:rpm/suse/nextcloud&distro=SUSE%20Package%20Hub%2015%20SP3

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

20.0.14-bp153.2.9.1

Ecosystem specific

{
    "binaries": [
        {
            "nextcloud-apache": "20.0.14-bp153.2.9.1",
            "nextcloud": "20.0.14-bp153.2.9.1"
        }
    ]
}

openSUSE:Leap 15.2 / nextcloud

Package

Name: nextcloud
Purl: pkg:rpm/opensuse/nextcloud&distro=openSUSE%20Leap%2015.2

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

20.0.14-bp153.2.9.1

Ecosystem specific

{
    "binaries": [
        {
            "nextcloud-apache": "20.0.14-bp153.2.9.1",
            "nextcloud": "20.0.14-bp153.2.9.1"
        }
    ]
}

openSUSE:Leap 15.3 / nextcloud

Package

Name: nextcloud
Purl: pkg:rpm/opensuse/nextcloud&distro=openSUSE%20Leap%2015.3

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

20.0.14-bp153.2.9.1

Ecosystem specific

{
    "binaries": [
        {
            "nextcloud-apache": "20.0.14-bp153.2.9.1",
            "nextcloud": "20.0.14-bp153.2.9.1"
        }
    ]
}