
A nextcloud-desktop security update has been released for SUSE Linux Enterprise 15 SP5.

openSUSE-SU-2023:0171-1: important: Security update for nextcloud-desktop

openSUSE Security Update: Security update for nextcloud-desktop

Announcement ID: openSUSE-SU-2023:0171-1
Rating: important
References: #1205798 #1205799 #1205800 #1205801 #1207976

Cross-References: CVE-2022-39331 CVE-2022-39332 CVE-2022-39333
CVE-2022-39334 CVE-2023-23942
CVSS scores:
CVE-2022-39331 (NVD) : 5.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CVE-2022-39332 (NVD) : 5.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CVE-2022-39333 (NVD) : 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVE-2022-39334 (NVD) : 3.9 CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
CVE-2023-23942 (NVD) : 5.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Affected Products:
openSUSE Backports SLE-15-SP5

An update that fixes 5 vulnerabilities is now available.


This update for nextcloud-desktop fixes the following issues:

Update to 3.8.0

- Resize WebView widget once the loginpage rendered
- Feature/secure file drop
- Check German translation for wrong wording
- L10n: Correct word
- Fix displaying of file details button for local syncfileitem activities
- Improve config upgrade warning dialog
- Only accept folder setup page if overrideLocalDir is set
- Prevent ShareModel crash from accessing bad pointers
- Bugfix/init value for pointers
- Log to stdout when built in Debug config
- Clean up account creation and deletion code
- L10n: Added dot to end of sentence
- L10n: Fixed grammar
- Fix "Create new folder" menu entries in settings not working correctly
on macOS
- Ci/clang tidy checks init variables
- Fix share dialog infinite loading
- Fix edit locally job not finding the user account: wrong user id
- Skip e2e encrypted files with empty filename in metadata
- Use new connect syntax
- Fix avatars not showing up in settings dialog account actions until
clicked on
- Always discover blacklisted folders to avoid data loss when modifying
selectivesync list.
- Fix infinite loading in the share dialog when public link shares are
disabled on the server
- With cfapi when dehydrating files add missing flag
- Fix text labels in Sync Status component
- Display 'Search globally' as the last sharees list element
- Fix display of 2FA notification.
- Bugfix/do not restore virtual files
- Show server name in tray main window
- Add Ubuntu Lunar
- Debian build classification 'beta' cannot override 'release'.
- Update changelog
- Follow shouldNotify flag to hide notifications when needed
- Bugfix/stop after creating config file
- E2EE cut extra zeroes from decrypted byte array.
- When local sync folder is overridden, respect this choice
- Feature/e2ee fixes

This update also fixes security issues:

- boo#1205798, CVE-2022-39331: Arbitrary HyperText Markup Language injection in notifications
- boo#1205799, CVE-2022-39332: Arbitrary HyperText Markup Language injection in user status and
- boo#1205800, CVE-2022-39333: Arbitrary HyperText Markup Language injection in desktop client
- boo#1205801, CVE-2022-39334: Client incorrectly trusts invalid TLS certificates
- boo#1207976, CVE-2023-23942: Missing sanitisation on QML labels leading to JavaScript injection

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Backports SLE-15-SP5:

zypper in -t patch openSUSE-2023-171=1
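An added example, not part of the advisory, for verifying the update on a host: it queries the installed nextcloud-desktop version with rpm, compares it against 3.8.0 (the version this update ships) with an RPM-style dotted comparison, and prints the advisory's zypper command when the package is still vulnerable. It assumes an RPM-based host with rpm in PATH; the function and variable names are the example's own.

```shell
#!/bin/sh
# Check whether nextcloud-desktop is at or above the fixed version from the
# advisory. Assumes rpm is available; names below are this example's own.

FIXED_VERSION="3.8.0"
PATCH_ID="openSUSE-2023-171=1"   # patch name from the advisory

# version_ge A B: exit 0 if dotted version A >= B, else 1.
# A release tail ("-bp155.1.2") is ignored; a pre-release tail ("~rc1")
# sorts below the plain version, as rpm does.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        pa = (a ~ /~/); pb = (b ~ /~/)          # remember pre-release marker
        sub(/[-~].*$/, "", a); sub(/[-~].*$/, "", b)
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0      # missing component counts as 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit (pa && !pb) ? 1 : 0               # equal base: pre-release loses
    }'
}

# check_nextcloud_desktop: 0 = fixed version installed, 1 = vulnerable,
# 2 = package not installed (or rpm unavailable).
check_nextcloud_desktop() {
    installed=$(rpm -q --queryformat '%{VERSION}-%{RELEASE}' nextcloud-desktop 2>/dev/null) || {
        echo "nextcloud-desktop is not installed (or rpm is unavailable)"
        return 2
    }
    if version_ge "$installed" "$FIXED_VERSION"; then
        echo "nextcloud-desktop $installed: update applied (>= $FIXED_VERSION)"
        return 0
    fi
    echo "nextcloud-desktop $installed: vulnerable, run: zypper in -t patch $PATCH_ID"
    return 1
}

# Run the check only when invoked as: sh check-nextcloud-desktop.sh check
case "${1:-}" in
    check) check_nextcloud_desktop ;;
esac
```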

Package List:

- openSUSE Backports SLE-15-SP5 (aarch64 x86_64):


- openSUSE Backports SLE-15-SP5 (noarch):