openSUSE-SU-2023:0171-1
See a problem?- Import Source
- https://ftp.suse.com/pub/projects/security/osv/openSUSE-SU-2023:0171-1.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/openSUSE-SU-2023:0171-1
- Upstream
- Related
- Published
- 2023-07-10T11:03:58Z
- Modified
- 2025-05-08T17:48:14.915304Z
- Summary
- Security update for nextcloud-desktop
- Details
-
This update for nextcloud-desktop fixes the following issues:
Update ot 3.8.0
- Resize WebView widget once the loginpage rendered
- Feature/secure file drop
- Check German translation for wrong wording
- L10n: Correct word
- Fix displaying of file details button for local syncfileitem activities
- Improve config upgrade warning dialog
- Only accept folder setup page if overrideLocalDir is set
- Update CHANGELOG.
- Prevent ShareModel crash from accessing bad pointers
- Bugfix/init value for pointers
- Log to stdout when built in Debug config
- Clean up account creation and deletion code
- L10n: Added dot to end of sentence
- L10n: Fixed grammar
- Fix 'Create new folder' menu entries in settings not working correctly on macOS
- Ci/clang tidy checks init variables
- Fix share dialog infinite loading
- Fix edit locally job not finding the user account: wrong user id
- Skip e2e encrypted files with empty filename in metadata
- Use new connect syntax
- Fix avatars not showing up in settings dialog account actions until clicked on
- Always discover blacklisted folders to avoid data loss when modifying selectivesync list.
- Fix infinite loading in the share dialog when public link shares are disabled on the server
- With cfapi when dehydrating files add missing flag
- Fix text labels in Sync Status component
- Display 'Search globally' as the last sharees list element
- Fix display of 2FA notification.
- Bugfix/do not restore virtual files
- Show server name in tray main window
- Add Ubuntu Lunar
- Debian build classification 'beta' cannot override 'release'.
- Update changelog
- Follow shouldNotify flag to hide notifications when needed
- Bugfix/stop after creating config file
- E2EE cut extra zeroes from derypted byte array.
- When local sync folder is overriden, respect this choice
Feature/e2ee fixes
- This update also fixes security issues:
(boo#1205798, CVE-2022-39331)
- Arbitrary HyperText Markup Language injection in notifications
- (boo#1205799, CVE-2022-39332)
- Arbitrary HyperText Markup Language injection in user status and information
- (boo#1205800, CVE-2022-39333)
- Arbitrary HyperText Markup Language injection in desktop client application
- (boo#1205801, CVE-2022-39334)
- Client incorrectly trusts invalid TLS certificates
- (boo#1207976, CVE-2023-23942)
- missing sanitisation on qml labels leading to javascript injection
- References
-
- https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/MYOV4BMU2LQGVZ5NTYTI7BA3XMRNOCDF/
- https://bugzilla.suse.com/1205798
- https://bugzilla.suse.com/1205799
- https://bugzilla.suse.com/1205800
- https://bugzilla.suse.com/1205801
- https://bugzilla.suse.com/1207976
- https://www.suse.com/security/cve/CVE-2022-39331
- https://www.suse.com/security/cve/CVE-2022-39332
- https://www.suse.com/security/cve/CVE-2022-39333
- https://www.suse.com/security/cve/CVE-2022-39334
- https://www.suse.com/security/cve/CVE-2023-23942
Affected packages
SUSE:Package Hub 15 SP5 / nextcloud-desktop
Package
- Name
- nextcloud-desktop
- Purl
- pkg:rpm/suse/nextcloud-desktop&distro=SUSE%20Package%20Hub%2015%20SP5
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed3.8.0-bp155.2.3.1
Ecosystem specific
{
"binaries": [
{
"nextcloud-desktop-doc": "3.8.0-bp155.2.3.1",
"libnextcloudsync-devel": "3.8.0-bp155.2.3.1",
"cloudproviders-extension-nextcloud": "3.8.0-bp155.2.3.1",
"nextcloud-desktop": "3.8.0-bp155.2.3.1",
"caja-extension-nextcloud": "3.8.0-bp155.2.3.1",
"nautilus-extension-nextcloud": "3.8.0-bp155.2.3.1",
"nemo-extension-nextcloud": "3.8.0-bp155.2.3.1",
"nextcloud-desktop-lang": "3.8.0-bp155.2.3.1",
"libnextcloudsync0": "3.8.0-bp155.2.3.1",
"nextcloud-desktop-dolphin": "3.8.0-bp155.2.3.1"
}
]
}
openSUSE:Leap 15.5 / nextcloud-desktop
Package
- Name
- nextcloud-desktop
- Purl
- pkg:rpm/opensuse/nextcloud-desktop&distro=openSUSE%20Leap%2015.5
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed3.8.0-bp155.2.3.1
Ecosystem specific
{
"binaries": [
{
"nextcloud-desktop-doc": "3.8.0-bp155.2.3.1",
"libnextcloudsync-devel": "3.8.0-bp155.2.3.1",
"cloudproviders-extension-nextcloud": "3.8.0-bp155.2.3.1",
"nextcloud-desktop": "3.8.0-bp155.2.3.1",
"caja-extension-nextcloud": "3.8.0-bp155.2.3.1",
"nautilus-extension-nextcloud": "3.8.0-bp155.2.3.1",
"nemo-extension-nextcloud": "3.8.0-bp155.2.3.1",
"nextcloud-desktop-lang": "3.8.0-bp155.2.3.1",
"libnextcloudsync0": "3.8.0-bp155.2.3.1",
"nextcloud-desktop-dolphin": "3.8.0-bp155.2.3.1"
}
]
}