Security update for nextcloud SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2020:0220-1 Final 1 1 2020-02-15T19:09:47Z current 2020-02-15T19:09:47Z 2020-02-15T19:09:47Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for nextcloud This update for nextcloud fixes the following issues: Nextcloud was updated to 15.0.14: - NC-SA-2020-002, CVE-2019-15613: workflow rules to depend their behaviour on the file extension when checking file mimetypes (boo#1162766) - NC-SA-2019-016, CVE-2019-15623: Exposure of Private Information caused the server to send it's domain and user IDs to the Nextcloud Lookup Server without any further data when the Lookup server is disabled (boo#1162775) - NC-SA-2019-015, CVE-2019-15624: Improper Input Validation allowed group admins to create users with IDs of system folders (boo#1162776) - NC-SA-2019-012, CVE-2020-8119: Improper authorization caused leaking of previews and files when a file-drop share link is opened via the gallery app (boo#1162781) - NC-SA-2019-014, CVE-2020-8118: An authenticated server-side request forgery allowed to detect local and remote services when adding a new subscription in the calendar application (boo#1162782) - NC-SA-2020-012, CVE-2019-15621: Improper permissions preservation causes sharees to be able to reshare with write permissions when sharing the mount point of a share they received, as a public link (boo#1162784) - To many changes. For detail see: https://nextcloud.com/changelog/ nextcloud was updated to 13.0.12: - Fix NC-SA-2020-001 - To many changes. For detail see: https://nextcloud.com/changelog/ The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2020-220 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/4ZKAQ7AEGBUT5BPIHKS2AN3QK2XYBODP/ E-Mail link for openSUSE-SU-2020:0220-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1162766 SUSE Bug 1162766 https://bugzilla.suse.com/1162775 SUSE Bug 1162775 https://bugzilla.suse.com/1162776 SUSE Bug 1162776 https://bugzilla.suse.com/1162781 SUSE Bug 1162781 https://bugzilla.suse.com/1162782 SUSE Bug 1162782 https://bugzilla.suse.com/1162784 SUSE Bug 1162784 https://www.suse.com/security/cve/CVE-2019-15613/ SUSE CVE CVE-2019-15613 page https://www.suse.com/security/cve/CVE-2019-15621/ SUSE CVE CVE-2019-15621 page https://www.suse.com/security/cve/CVE-2019-15623/ SUSE CVE CVE-2019-15623 page https://www.suse.com/security/cve/CVE-2019-15624/ SUSE CVE CVE-2019-15624 page https://www.suse.com/security/cve/CVE-2020-8118/ SUSE CVE CVE-2020-8118 page https://www.suse.com/security/cve/CVE-2020-8119/ SUSE CVE CVE-2020-8119 page SUSE Package Hub 12 SUSE Package Hub 15 SUSE Package Hub 15 SP1 openSUSE Leap 15.1 nextcloud-15.0.14-bp151.3.3.1 nextcloud-15.0.14-bp151.3.3.1 as a component of SUSE Package Hub 12 nextcloud-15.0.14-bp151.3.3.1 as a component of SUSE Package Hub 15 nextcloud-15.0.14-bp151.3.3.1 as a component of SUSE Package Hub 15 SP1 nextcloud-15.0.14-bp151.3.3.1 as a component of openSUSE Leap 15.1 A bug in Nextcloud Server 17.0.1 causes the workflow rules to depend their behaviour on the file extension when checking file mimetypes. CVE-2019-15613 SUSE Package Hub 12:nextcloud-15.0.14-bp151.3.3.1 SUSE Package Hub 15 SP1:nextcloud-15.0.14-bp151.3.3.1 SUSE Package Hub 15:nextcloud-15.0.14-bp151.3.3.1 openSUSE Leap 15.1:nextcloud-15.0.14-bp151.3.3.1 moderate 6 AV:N/AC:M/Au:S/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/4ZKAQ7AEGBUT5BPIHKS2AN3QK2XYBODP/ https://www.suse.com/security/cve/CVE-2019-15613.html CVE-2019-15613 https://bugzilla.suse.com/1162766 SUSE Bug 1162766 Improper permissions preservation in Nextcloud Server 16.0.1 causes sharees to be able to reshare with write permissions when sharing the mount point of a share they received, as a public link. CVE-2019-15621 SUSE Package Hub 12:nextcloud-15.0.14-bp151.3.3.1 SUSE Package Hub 15 SP1:nextcloud-15.0.14-bp151.3.3.1 SUSE Package Hub 15:nextcloud-15.0.14-bp151.3.3.1 openSUSE Leap 15.1:nextcloud-15.0.14-bp151.3.3.1 moderate 4 AV:N/AC:L/Au:S/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/4ZKAQ7AEGBUT5BPIHKS2AN3QK2XYBODP/ https://www.suse.com/security/cve/CVE-2019-15621.html CVE-2019-15621 https://bugzilla.suse.com/1162784 SUSE Bug 1162784 Exposure of Private Information in Nextcloud Server 16.0.1 causes the server to send it's domain and user IDs to the Nextcloud Lookup Server without any further data when the Lookup server is disabled. CVE-2019-15623 SUSE Package Hub 12:nextcloud-15.0.14-bp151.3.3.1 SUSE Package Hub 15 SP1:nextcloud-15.0.14-bp151.3.3.1 SUSE Package Hub 15:nextcloud-15.0.14-bp151.3.3.1 openSUSE Leap 15.1:nextcloud-15.0.14-bp151.3.3.1 moderate 5 AV:N/AC:L/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/4ZKAQ7AEGBUT5BPIHKS2AN3QK2XYBODP/ https://www.suse.com/security/cve/CVE-2019-15623.html CVE-2019-15623 https://bugzilla.suse.com/1162775 SUSE Bug 1162775 Improper Input Validation in Nextcloud Server 15.0.7 allows group admins to create users with IDs of system folders. CVE-2019-15624 SUSE Package Hub 12:nextcloud-15.0.14-bp151.3.3.1 SUSE Package Hub 15 SP1:nextcloud-15.0.14-bp151.3.3.1 SUSE Package Hub 15:nextcloud-15.0.14-bp151.3.3.1 openSUSE Leap 15.1:nextcloud-15.0.14-bp151.3.3.1 moderate 4 AV:N/AC:L/Au:S/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/4ZKAQ7AEGBUT5BPIHKS2AN3QK2XYBODP/ https://www.suse.com/security/cve/CVE-2019-15624.html CVE-2019-15624 https://bugzilla.suse.com/1162776 SUSE Bug 1162776 An authenticated server-side request forgery in Nextcloud server 16.0.1 allowed to detect local and remote services when adding a new subscription in the calendar application. CVE-2020-8118 SUSE Package Hub 12:nextcloud-15.0.14-bp151.3.3.1 SUSE Package Hub 15 SP1:nextcloud-15.0.14-bp151.3.3.1 SUSE Package Hub 15:nextcloud-15.0.14-bp151.3.3.1 openSUSE Leap 15.1:nextcloud-15.0.14-bp151.3.3.1 moderate 4 AV:N/AC:L/Au:S/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/4ZKAQ7AEGBUT5BPIHKS2AN3QK2XYBODP/ https://www.suse.com/security/cve/CVE-2020-8118.html CVE-2020-8118 https://bugzilla.suse.com/1162782 SUSE Bug 1162782 Improper authorization in Nextcloud server 17.0.0 causes leaking of previews and files when a file-drop share link is opened via the gallery app. CVE-2020-8119 SUSE Package Hub 12:nextcloud-15.0.14-bp151.3.3.1 SUSE Package Hub 15 SP1:nextcloud-15.0.14-bp151.3.3.1 SUSE Package Hub 15:nextcloud-15.0.14-bp151.3.3.1 openSUSE Leap 15.1:nextcloud-15.0.14-bp151.3.3.1 moderate 4 AV:N/AC:L/Au:S/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/4ZKAQ7AEGBUT5BPIHKS2AN3QK2XYBODP/ https://www.suse.com/security/cve/CVE-2020-8119.html CVE-2020-8119 https://bugzilla.suse.com/1162781 SUSE Bug 1162781