Security update for nextcloud-desktop SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2023:0171-1 Final 1 1 2023-07-10T11:03:58Z current 2023-07-10T11:03:58Z 2023-07-10T11:03:58Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for nextcloud-desktop This update for nextcloud-desktop fixes the following issues: Update ot 3.8.0 - Resize WebView widget once the loginpage rendered - Feature/secure file drop - Check German translation for wrong wording - L10n: Correct word - Fix displaying of file details button for local syncfileitem activities - Improve config upgrade warning dialog - Only accept folder setup page if overrideLocalDir is set - Update CHANGELOG. - Prevent ShareModel crash from accessing bad pointers - Bugfix/init value for pointers - Log to stdout when built in Debug config - Clean up account creation and deletion code - L10n: Added dot to end of sentence - L10n: Fixed grammar - Fix 'Create new folder' menu entries in settings not working correctly on macOS - Ci/clang tidy checks init variables - Fix share dialog infinite loading - Fix edit locally job not finding the user account: wrong user id - Skip e2e encrypted files with empty filename in metadata - Use new connect syntax - Fix avatars not showing up in settings dialog account actions until clicked on - Always discover blacklisted folders to avoid data loss when modifying selectivesync list. - Fix infinite loading in the share dialog when public link shares are disabled on the server - With cfapi when dehydrating files add missing flag - Fix text labels in Sync Status component - Display 'Search globally' as the last sharees list element - Fix display of 2FA notification. - Bugfix/do not restore virtual files - Show server name in tray main window - Add Ubuntu Lunar - Debian build classification 'beta' cannot override 'release'. - Update changelog - Follow shouldNotify flag to hide notifications when needed - Bugfix/stop after creating config file - E2EE cut extra zeroes from derypted byte array. - When local sync folder is overriden, respect this choice - Feature/e2ee fixes - This update also fixes security issues: - (boo#1205798, CVE-2022-39331) - Arbitrary HyperText Markup Language injection in notifications - (boo#1205799, CVE-2022-39332) - Arbitrary HyperText Markup Language injection in user status and information - (boo#1205800, CVE-2022-39333) - Arbitrary HyperText Markup Language injection in desktop client application - (boo#1205801, CVE-2022-39334) - Client incorrectly trusts invalid TLS certificates - (boo#1207976, CVE-2023-23942) - missing sanitisation on qml labels leading to javascript injection The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2023-171 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/MYOV4BMU2LQGVZ5NTYTI7BA3XMRNOCDF/ E-Mail link for openSUSE-SU-2023:0171-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1205798 SUSE Bug 1205798 https://bugzilla.suse.com/1205799 SUSE Bug 1205799 https://bugzilla.suse.com/1205800 SUSE Bug 1205800 https://bugzilla.suse.com/1205801 SUSE Bug 1205801 https://bugzilla.suse.com/1207976 SUSE Bug 1207976 https://www.suse.com/security/cve/CVE-2022-39331/ SUSE CVE CVE-2022-39331 page https://www.suse.com/security/cve/CVE-2022-39332/ SUSE CVE CVE-2022-39332 page https://www.suse.com/security/cve/CVE-2022-39333/ SUSE CVE CVE-2022-39333 page https://www.suse.com/security/cve/CVE-2022-39334/ SUSE CVE CVE-2022-39334 page https://www.suse.com/security/cve/CVE-2023-23942/ SUSE CVE CVE-2023-23942 page SUSE Package Hub 15 SP5 openSUSE Leap 15.5 caja-extension-nextcloud-3.8.0-bp155.2.3.1 cloudproviders-extension-nextcloud-3.8.0-bp155.2.3.1 libnextcloudsync-devel-3.8.0-bp155.2.3.1 libnextcloudsync0-3.8.0-bp155.2.3.1 nautilus-extension-nextcloud-3.8.0-bp155.2.3.1 nemo-extension-nextcloud-3.8.0-bp155.2.3.1 nextcloud-desktop-3.8.0-bp155.2.3.1 nextcloud-desktop-doc-3.8.0-bp155.2.3.1 nextcloud-desktop-dolphin-3.8.0-bp155.2.3.1 nextcloud-desktop-lang-3.8.0-bp155.2.3.1 caja-extension-nextcloud-3.8.0-bp155.2.3.1 as a component of SUSE Package Hub 15 SP5 cloudproviders-extension-nextcloud-3.8.0-bp155.2.3.1 as a component of SUSE Package Hub 15 SP5 libnextcloudsync-devel-3.8.0-bp155.2.3.1 as a component of SUSE Package Hub 15 SP5 libnextcloudsync0-3.8.0-bp155.2.3.1 as a component of SUSE Package Hub 15 SP5 nautilus-extension-nextcloud-3.8.0-bp155.2.3.1 as a component of SUSE Package Hub 15 SP5 nemo-extension-nextcloud-3.8.0-bp155.2.3.1 as a component of SUSE Package Hub 15 SP5 nextcloud-desktop-3.8.0-bp155.2.3.1 as a component of SUSE Package Hub 15 SP5 nextcloud-desktop-doc-3.8.0-bp155.2.3.1 as a component of SUSE Package Hub 15 SP5 nextcloud-desktop-dolphin-3.8.0-bp155.2.3.1 as a component of SUSE Package Hub 15 SP5 nextcloud-desktop-lang-3.8.0-bp155.2.3.1 as a component of SUSE Package Hub 15 SP5 caja-extension-nextcloud-3.8.0-bp155.2.3.1 as a component of openSUSE Leap 15.5 cloudproviders-extension-nextcloud-3.8.0-bp155.2.3.1 as a component of openSUSE Leap 15.5 libnextcloudsync-devel-3.8.0-bp155.2.3.1 as a component of openSUSE Leap 15.5 libnextcloudsync0-3.8.0-bp155.2.3.1 as a component of openSUSE Leap 15.5 nautilus-extension-nextcloud-3.8.0-bp155.2.3.1 as a component of openSUSE Leap 15.5 nemo-extension-nextcloud-3.8.0-bp155.2.3.1 as a component of openSUSE Leap 15.5 nextcloud-desktop-3.8.0-bp155.2.3.1 as a component of openSUSE Leap 15.5 nextcloud-desktop-doc-3.8.0-bp155.2.3.1 as a component of openSUSE Leap 15.5 nextcloud-desktop-dolphin-3.8.0-bp155.2.3.1 as a component of openSUSE Leap 15.5 nextcloud-desktop-lang-3.8.0-bp155.2.3.1 as a component of openSUSE Leap 15.5 Nexcloud desktop is the Desktop sync client for Nextcloud. An attacker can inject arbitrary HyperText Markup Language into the Desktop Client application in the notifications. It is recommended that the Nextcloud Desktop client is upgraded to 3.6.1. There are no known workarounds for this issue. CVE-2022-39331 SUSE Package Hub 15 SP5:caja-extension-nextcloud-3.8.0-bp155.2.3.1 SUSE Package Hub 15 SP5:cloudproviders-extension-nextcloud-3.8.0-bp155.2.3.1 SUSE Package Hub 15 SP5:libnextcloudsync-devel-3.8.0-bp155.2.3.1 SUSE Package Hub 15 SP5:libnextcloudsync0-3.8.0-bp155.2.3.1 SUSE Package Hub 15 SP5:nautilus-extension-nextcloud-3.8.0-bp155.2.3.1 SUSE Package Hub 15 SP5:nemo-extension-nextcloud-3.8.0-bp155.2.3.1 SUSE Package Hub 15 SP5:nextcloud-desktop-3.8.0-bp155.2.3.1 SUSE Package Hub 15 SP5:nextcloud-desktop-doc-3.8.0-bp155.2.3.1 SUSE Package Hub 15 SP5:nextcloud-desktop-dolphin-3.8.0-bp155.2.3.1 SUSE Package Hub 15 SP5:nextcloud-desktop-lang-3.8.0-bp155.2.3.1 openSUSE Leap 15.5:caja-extension-nextcloud-3.8.0-bp155.2.3.1 openSUSE Leap 15.5:cloudproviders-extension-nextcloud-3.8.0-bp155.2.3.1 openSUSE Leap 15.5:libnextcloudsync-devel-3.8.0-bp155.2.3.1 openSUSE Leap 15.5:libnextcloudsync0-3.8.0-bp155.2.3.1 openSUSE Leap 15.5:nautilus-extension-nextcloud-3.8.0-bp155.2.3.1 openSUSE Leap 15.5:nemo-extension-nextcloud-3.8.0-bp155.2.3.1 openSUSE Leap 15.5:nextcloud-desktop-3.8.0-bp155.2.3.1 openSUSE Leap 15.5:nextcloud-desktop-doc-3.8.0-bp155.2.3.1 openSUSE Leap 15.5:nextcloud-desktop-dolphin-3.8.0-bp155.2.3.1 openSUSE Leap 15.5:nextcloud-desktop-lang-3.8.0-bp155.2.3.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/MYOV4BMU2LQGVZ5NTYTI7BA3XMRNOCDF/ https://www.suse.com/security/cve/CVE-2022-39331.html CVE-2022-39331 https://bugzilla.suse.com/1205798 SUSE Bug 1205798 Nexcloud desktop is the Desktop sync client for Nextcloud. An attacker can inject arbitrary HyperText Markup Language into the Desktop Client application via user status and information. It is recommended that the Nextcloud Desktop client is upgraded to 3.6.1. There are no known workarounds for this issue. CVE-2022-39332 SUSE Package Hub 15 SP5:caja-extension-nextcloud-3.8.0-bp155.2.3.1 SUSE Package Hub 15 SP5:cloudproviders-extension-nextcloud-3.8.0-bp155.2.3.1 SUSE Package Hub 15 SP5:libnextcloudsync-devel-3.8.0-bp155.2.3.1 SUSE Package Hub 15 SP5:libnextcloudsync0-3.8.0-bp155.2.3.1 SUSE Package Hub 15 SP5:nautilus-extension-nextcloud-3.8.0-bp155.2.3.1 SUSE Package Hub 15 SP5:nemo-extension-nextcloud-3.8.0-bp155.2.3.1 SUSE Package Hub 15 SP5:nextcloud-desktop-3.8.0-bp155.2.3.1 SUSE Package Hub 15 SP5:nextcloud-desktop-doc-3.8.0-bp155.2.3.1 SUSE Package Hub 15 SP5:nextcloud-desktop-dolphin-3.8.0-bp155.2.3.1 SUSE Package Hub 15 SP5:nextcloud-desktop-lang-3.8.0-bp155.2.3.1 openSUSE Leap 15.5:caja-extension-nextcloud-3.8.0-bp155.2.3.1 openSUSE Leap 15.5:cloudproviders-extension-nextcloud-3.8.0-bp155.2.3.1 openSUSE Leap 15.5:libnextcloudsync-devel-3.8.0-bp155.2.3.1 openSUSE Leap 15.5:libnextcloudsync0-3.8.0-bp155.2.3.1 openSUSE Leap 15.5:nautilus-extension-nextcloud-3.8.0-bp155.2.3.1 openSUSE Leap 15.5:nemo-extension-nextcloud-3.8.0-bp155.2.3.1 openSUSE Leap 15.5:nextcloud-desktop-3.8.0-bp155.2.3.1 openSUSE Leap 15.5:nextcloud-desktop-doc-3.8.0-bp155.2.3.1 openSUSE Leap 15.5:nextcloud-desktop-dolphin-3.8.0-bp155.2.3.1 openSUSE Leap 15.5:nextcloud-desktop-lang-3.8.0-bp155.2.3.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/MYOV4BMU2LQGVZ5NTYTI7BA3XMRNOCDF/ https://www.suse.com/security/cve/CVE-2022-39332.html CVE-2022-39332 https://bugzilla.suse.com/1205799 SUSE Bug 1205799 Nexcloud desktop is the Desktop sync client for Nextcloud. An attacker can inject arbitrary HyperText Markup Language into the Desktop Client application. It is recommended that the Nextcloud Desktop client is upgraded to 3.6.1. There are no known workarounds for this issue. CVE-2022-39333 SUSE Package Hub 15 SP5:caja-extension-nextcloud-3.8.0-bp155.2.3.1 SUSE Package Hub 15 SP5:cloudproviders-extension-nextcloud-3.8.0-bp155.2.3.1 SUSE Package Hub 15 SP5:libnextcloudsync-devel-3.8.0-bp155.2.3.1 SUSE Package Hub 15 SP5:libnextcloudsync0-3.8.0-bp155.2.3.1 SUSE Package Hub 15 SP5:nautilus-extension-nextcloud-3.8.0-bp155.2.3.1 SUSE Package Hub 15 SP5:nemo-extension-nextcloud-3.8.0-bp155.2.3.1 SUSE Package Hub 15 SP5:nextcloud-desktop-3.8.0-bp155.2.3.1 SUSE Package Hub 15 SP5:nextcloud-desktop-doc-3.8.0-bp155.2.3.1 SUSE Package Hub 15 SP5:nextcloud-desktop-dolphin-3.8.0-bp155.2.3.1 SUSE Package Hub 15 SP5:nextcloud-desktop-lang-3.8.0-bp155.2.3.1 openSUSE Leap 15.5:caja-extension-nextcloud-3.8.0-bp155.2.3.1 openSUSE Leap 15.5:cloudproviders-extension-nextcloud-3.8.0-bp155.2.3.1 openSUSE Leap 15.5:libnextcloudsync-devel-3.8.0-bp155.2.3.1 openSUSE Leap 15.5:libnextcloudsync0-3.8.0-bp155.2.3.1 openSUSE Leap 15.5:nautilus-extension-nextcloud-3.8.0-bp155.2.3.1 openSUSE Leap 15.5:nemo-extension-nextcloud-3.8.0-bp155.2.3.1 openSUSE Leap 15.5:nextcloud-desktop-3.8.0-bp155.2.3.1 openSUSE Leap 15.5:nextcloud-desktop-doc-3.8.0-bp155.2.3.1 openSUSE Leap 15.5:nextcloud-desktop-dolphin-3.8.0-bp155.2.3.1 openSUSE Leap 15.5:nextcloud-desktop-lang-3.8.0-bp155.2.3.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/MYOV4BMU2LQGVZ5NTYTI7BA3XMRNOCDF/ https://www.suse.com/security/cve/CVE-2022-39333.html CVE-2022-39333 https://bugzilla.suse.com/1205800 SUSE Bug 1205800 Nextcloud also ships a CLI utility called nextcloudcmd which is sometimes used for automated scripting and headless servers. Versions of nextcloudcmd prior to 3.6.1 would incorrectly trust invalid TLS certificates, which may enable a Man-in-the-middle attack that exposes sensitive data or credentials to a network attacker. This affects the CLI only. It does not affect the standard GUI desktop Nextcloud clients, and it does not affect the Nextcloud server. CVE-2022-39334 SUSE Package Hub 15 SP5:caja-extension-nextcloud-3.8.0-bp155.2.3.1 SUSE Package Hub 15 SP5:cloudproviders-extension-nextcloud-3.8.0-bp155.2.3.1 SUSE Package Hub 15 SP5:libnextcloudsync-devel-3.8.0-bp155.2.3.1 SUSE Package Hub 15 SP5:libnextcloudsync0-3.8.0-bp155.2.3.1 SUSE Package Hub 15 SP5:nautilus-extension-nextcloud-3.8.0-bp155.2.3.1 SUSE Package Hub 15 SP5:nemo-extension-nextcloud-3.8.0-bp155.2.3.1 SUSE Package Hub 15 SP5:nextcloud-desktop-3.8.0-bp155.2.3.1 SUSE Package Hub 15 SP5:nextcloud-desktop-doc-3.8.0-bp155.2.3.1 SUSE Package Hub 15 SP5:nextcloud-desktop-dolphin-3.8.0-bp155.2.3.1 SUSE Package Hub 15 SP5:nextcloud-desktop-lang-3.8.0-bp155.2.3.1 openSUSE Leap 15.5:caja-extension-nextcloud-3.8.0-bp155.2.3.1 openSUSE Leap 15.5:cloudproviders-extension-nextcloud-3.8.0-bp155.2.3.1 openSUSE Leap 15.5:libnextcloudsync-devel-3.8.0-bp155.2.3.1 openSUSE Leap 15.5:libnextcloudsync0-3.8.0-bp155.2.3.1 openSUSE Leap 15.5:nautilus-extension-nextcloud-3.8.0-bp155.2.3.1 openSUSE Leap 15.5:nemo-extension-nextcloud-3.8.0-bp155.2.3.1 openSUSE Leap 15.5:nextcloud-desktop-3.8.0-bp155.2.3.1 openSUSE Leap 15.5:nextcloud-desktop-doc-3.8.0-bp155.2.3.1 openSUSE Leap 15.5:nextcloud-desktop-dolphin-3.8.0-bp155.2.3.1 openSUSE Leap 15.5:nextcloud-desktop-lang-3.8.0-bp155.2.3.1 low To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/MYOV4BMU2LQGVZ5NTYTI7BA3XMRNOCDF/ https://www.suse.com/security/cve/CVE-2022-39334.html CVE-2022-39334 https://bugzilla.suse.com/1205801 SUSE Bug 1205801 The Nextcloud Desktop Client is a tool to synchronize files from a Nextcloud Server with your computer. Versions prior to 3.6.3 are missing sanitisation on qml labels which are used for basic HTML elements such as `strong`, `em` and `head` lines in the UI of the desktop client. The lack of sanitisation may allow for javascript injection. It is recommended that the Nextcloud Desktop Client is upgraded to 3.6.3. There are no known workarounds for this issue. CVE-2023-23942 SUSE Package Hub 15 SP5:caja-extension-nextcloud-3.8.0-bp155.2.3.1 SUSE Package Hub 15 SP5:cloudproviders-extension-nextcloud-3.8.0-bp155.2.3.1 SUSE Package Hub 15 SP5:libnextcloudsync-devel-3.8.0-bp155.2.3.1 SUSE Package Hub 15 SP5:libnextcloudsync0-3.8.0-bp155.2.3.1 SUSE Package Hub 15 SP5:nautilus-extension-nextcloud-3.8.0-bp155.2.3.1 SUSE Package Hub 15 SP5:nemo-extension-nextcloud-3.8.0-bp155.2.3.1 SUSE Package Hub 15 SP5:nextcloud-desktop-3.8.0-bp155.2.3.1 SUSE Package Hub 15 SP5:nextcloud-desktop-doc-3.8.0-bp155.2.3.1 SUSE Package Hub 15 SP5:nextcloud-desktop-dolphin-3.8.0-bp155.2.3.1 SUSE Package Hub 15 SP5:nextcloud-desktop-lang-3.8.0-bp155.2.3.1 openSUSE Leap 15.5:caja-extension-nextcloud-3.8.0-bp155.2.3.1 openSUSE Leap 15.5:cloudproviders-extension-nextcloud-3.8.0-bp155.2.3.1 openSUSE Leap 15.5:libnextcloudsync-devel-3.8.0-bp155.2.3.1 openSUSE Leap 15.5:libnextcloudsync0-3.8.0-bp155.2.3.1 openSUSE Leap 15.5:nautilus-extension-nextcloud-3.8.0-bp155.2.3.1 openSUSE Leap 15.5:nemo-extension-nextcloud-3.8.0-bp155.2.3.1 openSUSE Leap 15.5:nextcloud-desktop-3.8.0-bp155.2.3.1 openSUSE Leap 15.5:nextcloud-desktop-doc-3.8.0-bp155.2.3.1 openSUSE Leap 15.5:nextcloud-desktop-dolphin-3.8.0-bp155.2.3.1 openSUSE Leap 15.5:nextcloud-desktop-lang-3.8.0-bp155.2.3.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/MYOV4BMU2LQGVZ5NTYTI7BA3XMRNOCDF/ https://www.suse.com/security/cve/CVE-2023-23942.html CVE-2023-23942 https://bugzilla.suse.com/1207976 SUSE Bug 1207976