Overview Repositories Revisions Requests Users Attributes Meta
Security update for nextcloud-desktop

This update for nextcloud-desktop fixes the following issues:

Update ot 3.8.0

- Resize WebView widget once the loginpage rendered
- Feature/secure file drop
- Check German translation for wrong wording
- L10n: Correct word
- Fix displaying of file details button for local syncfileitem activities
- Improve config upgrade warning dialog
- Only accept folder setup page if overrideLocalDir is set
- Update CHANGELOG.
- Prevent ShareModel crash from accessing bad pointers
- Bugfix/init value for pointers
- Log to stdout when built in Debug config
- Clean up account creation and deletion code
- L10n: Added dot to end of sentence
- L10n: Fixed grammar
- Fix "Create new folder" menu entries in settings not working correctly on macOS
- Ci/clang tidy checks init variables
- Fix share dialog infinite loading
- Fix edit locally job not finding the user account: wrong user id
- Skip e2e encrypted files with empty filename in metadata
- Use new connect syntax
- Fix avatars not showing up in settings dialog account actions until clicked on
- Always discover blacklisted folders to avoid data loss when modifying selectivesync list.
- Fix infinite loading in the share dialog when public link shares are disabled on the server
- With cfapi when dehydrating files add missing flag
- Fix text labels in Sync Status component
- Display 'Search globally' as the last sharees list element
- Fix display of 2FA notification.
- Bugfix/do not restore virtual files
- Show server name in tray main window
- Add Ubuntu Lunar
- Debian build classification 'beta' cannot override 'release'.
- Update changelog
- Follow shouldNotify flag to hide notifications when needed
- Bugfix/stop after creating config file
- E2EE cut extra zeroes from derypted byte array.
- When local sync folder is overriden, respect this choice
- Feature/e2ee fixes

- This update also fixes security issues:

- (boo#1205798, CVE-2022-39331)
- Arbitrary HyperText Markup Language injection in notifications
- (boo#1205799, CVE-2022-39332)
- Arbitrary HyperText Markup Language injection in user status and information
- (boo#1205800, CVE-2022-39333)
- Arbitrary HyperText Markup Language injection in desktop client application
- (boo#1205801, CVE-2022-39334)
- Client incorrectly trusts invalid TLS certificates
- (boo#1207976, CVE-2023-23942)
- missing sanitisation on qml labels leading to javascript injection

Fixed bugs
bnc#1205800
VUL-0: CVE-2022-39333: nextcloud-desktop: Arbitrary HyperText Markup Language injection in desktop client application
bnc#1205799
VUL-0: CVE-2022-39332: nextcloud-deskop: Arbitrary HyperText Markup Language injection in user status and information
bnc#1207976
VUL-0: CVE-2023-23942: nextcloud-desktop: missing sanitisation on qml labels leading to javascript injection
bnc#1205798
VUL-0: CVE-2022-39331: nextcloud-desktop: Arbitrary HyperText Markup Language injection in notifications
bnc#1205801
VUL-0: CVE-2022-39334: nextcloud-desktop: Client incorrectly trusts invalid TLS certificates
CVE-2022-39334
CVE-2022-39332
CVE-2022-39333
CVE-2022-39331
CVE-2023-23942
Selected Binaries
openSUSE Build Service is sponsored by
Places