File _patchinfo of Package patchinfo.17974
<patchinfo incident="17974">
<issue tracker="bnc" id="1205800">VUL-0: CVE-2022-39333: nextcloud-desktop: Arbitrary HyperText Markup Language injection in desktop client application</issue>
<issue tracker="bnc" id="1205799">VUL-0: CVE-2022-39332: nextcloud-desktop: Arbitrary HyperText Markup Language injection in user status and information</issue>
<issue tracker="bnc" id="1207976">VUL-0: CVE-2023-23942: nextcloud-desktop: missing sanitisation on qml labels leading to javascript injection</issue>
<issue tracker="bnc" id="1205798">VUL-0: CVE-2022-39331: nextcloud-desktop: Arbitrary HyperText Markup Language injection in notifications</issue>
<issue tracker="bnc" id="1205801">VUL-0: CVE-2022-39334: nextcloud-desktop: Client incorrectly trusts invalid TLS certificates</issue>
<issue tracker="cve" id="2022-39334"/>
<issue tracker="cve" id="2022-39332"/>
<issue tracker="cve" id="2022-39333"/>
<issue tracker="cve" id="2022-39331"/>
<issue tracker="cve" id="2023-23942"/>
<packager>AndreasStieger</packager>
<rating>important</rating>
<category>security</category>
<summary>Security update for nextcloud-desktop</summary>
<description>This update for nextcloud-desktop fixes the following issues:
Update to 3.8.0
- Resize WebView widget once the loginpage rendered
- Feature/secure file drop
- Check German translation for wrong wording
- L10n: Correct word
- Fix displaying of file details button for local syncfileitem activities
- Improve config upgrade warning dialog
- Only accept folder setup page if overrideLocalDir is set
- Update CHANGELOG.
- Prevent ShareModel crash from accessing bad pointers
- Bugfix/init value for pointers
- Log to stdout when built in Debug config
- Clean up account creation and deletion code
- L10n: Added dot to end of sentence
- L10n: Fixed grammar
- Fix "Create new folder" menu entries in settings not working correctly on macOS
- Ci/clang tidy checks init variables
- Fix share dialog infinite loading
- Fix edit locally job not finding the user account: wrong user id
- Skip e2e encrypted files with empty filename in metadata
- Use new connect syntax
- Fix avatars not showing up in settings dialog account actions until clicked on
- Always discover blacklisted folders to avoid data loss when modifying selectivesync list.
- Fix infinite loading in the share dialog when public link shares are disabled on the server
- With cfapi when dehydrating files add missing flag
- Fix text labels in Sync Status component
- Display 'Search globally' as the last sharees list element
- Fix display of 2FA notification.
- Bugfix/do not restore virtual files
- Show server name in tray main window
- Add Ubuntu Lunar
- Debian build classification 'beta' cannot override 'release'.
- Update changelog
- Follow shouldNotify flag to hide notifications when needed
- Bugfix/stop after creating config file
- E2EE cut extra zeroes from decrypted byte array.
- When local sync folder is overridden, respect this choice
- Feature/e2ee fixes
This update also fixes security issues:
- (boo#1205798, CVE-2022-39331) Arbitrary HyperText Markup Language injection in notifications
- (boo#1205799, CVE-2022-39332) Arbitrary HyperText Markup Language injection in user status and information
- (boo#1205800, CVE-2022-39333) Arbitrary HyperText Markup Language injection in desktop client application
- (boo#1205801, CVE-2022-39334) Client incorrectly trusts invalid TLS certificates
- (boo#1207976, CVE-2023-23942) missing sanitisation on qml labels leading to javascript injection
</description>
</patchinfo>