ownCloud Server 10.10 Bugfix und Security Release

Der ownCloud Server der gleichnamigen Cloudlösung für Collaboration und Speicherung von Dateien auf Cloudservern, wurde aktualisiert. Das Update 10.10 behebt zahlreiche Fehler und schließt Sicherheitslücken.

ownCloud Server 10.10 Release Notes

• Security – Prevent stored mail settings password from showing in the webUI: #39833
• Bugfix – Properly setup share owner file system on public link shares: #39518
• Bugfix – Prevent group names starting or ending with white space: #39540
• Bugfix – Set page title for the tags file list: #39556
• Bugfix – Don’t resend invitation mail if a user is guest: #39602
• Bugfix – Text previews had faulty content if BOM was present: #39669
• Bugfix – Fix files:checksums:verify for a single file: #39683
• Bugfix – Moving a file from one folder into a folder that is a number fails: #39702
• Bugfix – Make licenses expire at the end of the expiration date: #39735
• Bugfix – Subadmin will be shown only his assignable groups in the users page: #39752
• Bugfix – Fix wrong formatted XML in public-files dav endpoint: #39797
• Bugfix – Fix issue restoring versions from the trashbin after sharing: #39822
• Bugfix – Fix issue when encryption is enabled and a file is moved out of the share: #39829
• Bugfix – Avoid sending unneeded passwords in the files_external app: #39841
• Bugfix – Fix issue with requesting an invalid share id: #39868
• Bugfix – Remove fr_FR language variant: #39931
• Bugfix – Limit the width of the form on login page: #39962
• Bugfix – Allow re-uploading the same folder after being renamed: #39966
• Bugfix – Default for propfind depth infinity adjusted: #40016
• Bugfix – Allow partial initialization of the FS: #40031
• Bugfix – Filter sensitive data in log for Session::createSessionToken: #40066
• Change – Update the default poll-interval in capabilities: #39143
• Change – Private keys for SFTP storage will be stored in credentials table: #39935
• Change – Update JavaScript dependencies: #39709
• Change – Update PHP dependencies: #39526
• Change – Update Symfony components: #39526
• Enhancement – Allow OPTIONS request handling in framework controllers: #38758
• Enhancement – Unify API responses when setting permissions for public links: #39194
• Enhancement – Show detailed error message if moving a mount into another fails: #39584
• Enhancement – Add warnings for commands that are incompatible with object storage: #39604
• Enhancement – Cache some data in memory from the filecache: #39847
• Enhancement – Add product to version in capabilities response: #39851
• Enhancement – Allow files_external app to be disabled: #39856
• Enhancement – Improve FileDrop view: #39900
• Enhancement – Align “close” for messages: #39907
• Enhancement – Changes regarding cookie handling: #39916
• Enhancement – Expose user type of share receiver in share api: #40013
• Enhancement – Use the same string in the header also in public view: #40032

Details

• Security – Prevent stored mail settings password from showing in the webUI: #39833https://github.com/owncloud/enterprise/issues/5035
  https://github.com/owncloud/core/pull/39833
• Bugfix – Properly setup share owner file system on public link shares: #39518https://github.com/owncloud/core/pull/39518
• Bugfix – Prevent group names starting or ending with white space: #39540https://github.com/owncloud/core/pull/39540
• Bugfix – Set page title for the tags file list: #39556https://github.com/owncloud/core/issues/39556
  https://github.com/owncloud/core/pull/39585
• Bugfix – Don’t resend invitation mail if a user is guest: #39602With this change the resend invitation mail action in the user management UI for guest users has been removed, it is not appropriate for this type of user.https://github.com/owncloud/enterprise/issues/4868
  https://github.com/owncloud/core/pull/39602
• Bugfix – Text previews had faulty content if BOM was present: #39669The BOM was incorrectly detected and was causing ownCloud to choose the wrong font for the text, showing unexpected results. The BOM is now processed correctly and the preview is shown as expectedhttps://github.com/owncloud/core/pull/39669
• Bugfix – Fix files:checksums:verify for a single file: #39683Fixed an issue where running files:checksums:verify for a single file would fail.https://github.com/owncloud/core/pull/39683
• Bugfix – Moving a file from one folder into a folder that is a number fails: #39702The issue is fixed by updating sabre/dav from 4.3.0 to 4.3.1https://github.com/owncloud/core/issues/39702
  https://github.com/owncloud/core/pull/39703
• Bugfix – Make licenses expire at the end of the expiration date: #39735https://github.com/owncloud/core/pull/39735
• Bugfix – Subadmin will be shown only his assignable groups in the users page: #39752Previously, the subadmin could see all groups even if he could only assign users to a bunch of them. Now the subadmin will see the groups he can assign to the userhttps://github.com/owncloud/core/pull/39752
• Bugfix – Fix wrong formatted XML in public-files dav endpoint: #39797Previously, trying to perform a PROPFIND over the public-files endpoint could cause an exception to be thrown, which would generate a wrong formatted XML response. Now, the XML response is properly formatted and can be parsed without problems.https://github.com/owncloud/core/pull/39797
• Bugfix – Fix issue restoring versions from the trashbin after sharing: #39822Previously, having encryption enabled, if a user shared a folder with another user, and that new user removed a file inside that shared folder, that file ended up in the new user’s trashbin along with the file’s versions. Restoring that file from the trashbin caused the versions of that file to get broken due to a bad signature. The file was restored correctly. Now, the versions are also restored correctly from the trashbin too.https://github.com/owncloud/core/pull/39822
• Bugfix – Fix issue when encryption is enabled and a file is moved out of the share: #39829When encryption was used, moving a file out of a shared folder caused the versions of the file to get broken. The file was moved correctly though. This happened due to the key file not being copied to the new location and a new key file being generated for the file. Now, the key file is properly copied to the new location, so the versions can be decrypted properly.https://github.com/owncloud/core/pull/39829
• Bugfix – Avoid sending unneeded passwords in the files_external app: #39841Some passwords were being sent to the web UI in the external storage configuration. These passwords aren’t required and they’re now replaced in the web UI in order not to leak the actual passwordhttps://github.com/owncloud/core/pull/39841
• Bugfix – Fix issue with requesting an invalid share id: #39868When using the pgsql database and requesting an invalid share id, a 500 error status could be returned. This has been fixed. A 404 “not found” is now returned.https://github.com/owncloud/core/issues/39868
  https://github.com/owncloud/core/pull/39873
• Bugfix – Remove fr_FR language variant: #39931French translations were in both the “fr” and the “fr_FR” language codes. “fr_FR” had very few translations and could cause missing translations when the system did not automatically choose “fr”. The “fr_FR” translations have been removed. Translators should use “fr” when doing translations in Transifex.https://github.com/owncloud/core/issues/39931
  https://github.com/owncloud/core/pull/39939
• Bugfix – Limit the width of the form on login page: #39962The login form breaks if error messages and info messages are longer.https://github.com/owncloud/core/pull/39962
• Bugfix – Allow re-uploading the same folder after being renamed: #39966Previously, you couldn’t upload a folder, rename it in the web UI and then re-upload the same folder.This behavior is fixed, so you can now re-upload the folder after renaming ithttps://github.com/owncloud/core/pull/39966
• Bugfix – Default for propfind depth infinity adjusted: #40016Fixed potential cause for performance issues under certain conditions with infinite propfind being enabled by default.https://github.com/owncloud/enterprise/issues/5154
  https://github.com/owncloud/core/pull/40016
• Bugfix – Allow partial initialization of the FS: #40031Previously, when the FS was initialized, we needed to make a request to the LDAP server in order to fetch the possible group shares of the user. Some commands only accessed to the trashbin or versions, and operated for a target user, so accessing to the LDAP server to fetch groups that wouldn’t be used doesn’t make much sense.Now, the commands have the ability to initialize the FS partially, meaning that no additional mount point other than the home one will be mounted. In particular, this affects shares and external storages. Anyway, the commands that have been modified don’t need such access. The main advantage is that now, those commands can operate without a working connection to the LDAP server because the users will be fetched from the DB and they don’t operate with groups.https://github.com/owncloud/core/pull/40031
• Bugfix – Filter sensitive data in log for Session::createSessionToken: #40066https://github.com/owncloud/core/pull/40066
• Change – Update the default poll-interval in capabilities: #39143The default pollinterval advertised in capabilities has been set to 30000 milliseconds. Previously it was 60 milliseconds.https://github.com/owncloud/core/pull/39143
• Change – Private keys for SFTP storage will be stored in credentials table: #39935Previously, both private and public keys were part of the configuration of the SFTP mount point. Although encrypted, there were some scenarios where the private key could be visible.The following changes have been implemented: * The private key will never leave the ownCloud server. * The private key will be stored encrypted inside the oc_credentials table. * A random token will be created to refer to the private key. This token will be part of the SFTP mount point configuration. * The public key will be treated as a normal configuration parameter. This means that it won’t be neither encrypted nor encoded in any way.The overall behavior remains the same. ownCloud will generate a key pair, whose public key will need to be placed in the SFTP server.https://github.com/owncloud/core/pull/39935
• Change – Update JavaScript dependencies: #39709The following have been updated: – ansi-regex (3.0.0 to 3.0.1) – bower_components/backbone (1.4.0 to 1.4.1) – bower_components/showdown (1.9.1 to 2.0.0) – bower_components/underscore (1.13.1 to 1.13.2) – follow-redirects (1.14.2 to 1.14.8) – karma (6.3.8 to 6.3.19) – karma-coverage (2.0.3 to 2.2.0) – log4js (6.3.0 to 6.4.1) – minimist (1.2.5 to 1.2.6)https://github.com/owncloud/core/pull/39709
  https://github.com/owncloud/core/pull/39763
  https://github.com/owncloud/core/pull/39764
  https://github.com/owncloud/core/pull/39785
  https://github.com/owncloud/core/pull/39788
  https://github.com/owncloud/core/pull/39814
  https://github.com/owncloud/core/pull/39816
  https://github.com/owncloud/core/pull/39838
  https://github.com/owncloud/core/pull/39839
  https://github.com/owncloud/core/pull/39926
  https://github.com/owncloud/core/pull/39941
  https://github.com/owncloud/core/pull/39989
• Change – Update PHP dependencies: #39526The following have been updated: – christophwurst/id3parser (v0.1.3 to v0.1.4) – doctrine/dbal (2.13.5 to 2.13.9) – doctrine/lexer (1.2.1 to 1.2.3) – laminas/laminas-inputfilter (2.12.0 to 2.12.1) – laminas/laminas-stdlib (3.6.1 to 3.7.1) – laminas/laminas-validator (2.15.0 to 2.17.0) – laminas/laminas-zendframework-bridge (1.4.0 to 1.4.1) – league/flysystem (1.1.5 to 1.1.9) – league/mime-type-detection (1.8.0 to 1.11.0) – opis/closure (3.6.2 to 3.6.3) – paragonie/constant_time_encoding (2.4.0 to 2.5.0) – phpseclib/phpseclib (3.0.11 to 3.0.14) – sabre/dav (4.2.0 to 4.3.1) – sabre/vobject (4.4.0 to 4.4.1)The following have been updated in apps/files_external/3rdparty: – google/apiclient (2.11.0 to 2.12.4) – google/apiclient-services (0.231.0 to 0.244.0) – guzzlehttp/psr7 (1.8.3 to 1.8.5) – icewind/smb (3.5.1 to 3.5.2) – monolog/monolog (2.3.5 to 2.5.0) – paragonie/constant_time_encoding (v2.4.0 to v2.5.0) – phpseclib/phpseclib (3.0.11 to 3.0.14) – react/promise (v2.8.0 to v2.9.0)https://github.com/owncloud/core/pull/39526
  https://github.com/owncloud/core/pull/39567
  https://github.com/owncloud/core/pull/39631
  https://github.com/owncloud/core/pull/39649
  https://github.com/owncloud/core/pull/39693
  https://github.com/owncloud/core/pull/39695
  https://github.com/owncloud/core/pull/39703
  https://github.com/owncloud/core/pull/39713
  https://github.com/owncloud/core/pull/39717
  https://github.com/owncloud/core/pull/39731
  https://github.com/owncloud/core/pull/39780
  https://github.com/owncloud/core/pull/39838
  https://github.com/owncloud/core/pull/39839
  https://github.com/owncloud/core/pull/39859
  https://github.com/owncloud/core/pull/39949
  https://github.com/owncloud/core/pull/39956
  https://github.com/owncloud/core/pull/39999
  https://github.com/owncloud/core/pull/40001
  https://github.com/owncloud/core/pull/40003
  https://github.com/owncloud/core/pull/40038
• Change – Update Symfony components: #39526The following Symfony components have been updated to: – console 4.4.41 – event-dispatcher 4.4.37 – event-dispatcher-contracts 4.4.34 – process 4.4.41 – routing 4.4.41 – service-contracts 4.4.34 – translation 4.4.41 – translation-contracts 2.5.0The following Symfony polyfill components have been updated to: – symfony/polyfill-ctype v1.25.0 – symfony/polyfill-iconv v1.25.0 – symfony/polyfill-intl-idn v1.25.0 – symfony/polyfill-intl-normalizer v1.25.0 – symfony/polyfill-mbstring v1.25.0 – symfony/polyfill-php72 v1.25.0 – symfony/polyfill-php73 v1.25.0 – symfony/polyfill-php80 v1.25.0The following Symfony contract components have been updated to: – symfony/deprecation-contracts (v2.5.0 to v2.5.1) – symfony/event-dispatcher-contracts (v1.1.11 to v1.1.12) – symfony/service-contracts (v2.5.0 to v2.5.1) – symfony/translation-contracts (v2.5.0 to v2.5.1)https://github.com/owncloud/core/pull/39526
  https://github.com/owncloud/core/pull/39631
  https://github.com/owncloud/core/pull/39646
  https://github.com/owncloud/core/pull/39731
  https://github.com/owncloud/core/pull/39838
  https://github.com/owncloud/core/pull/39855
  https://github.com/owncloud/core/pull/39940
  https://github.com/owncloud/core/pull/39955
  https://github.com/owncloud/core/pull/40026
  https://symfony.com/blog/symfony-4-4-34-released
  https://symfony.com/blog/symfony-4-4-36-released
  https://symfony.com/blog/symfony-4-4-37-released
  https://symfony.com/blog/symfony-4-4-38-released
  https://symfony.com/blog/symfony-4-4-40-released
  https://symfony.com/blog/symfony-4-4-41-released
• Enhancement – Allow OPTIONS request handling in framework controllers: #38758https://github.com/owncloud/core/pull/38758
• Enhancement – Unify API responses when setting permissions for public links: #39194Setting (and changing) the permissions of public links via the OCS API will now return proper and unified API responses. Adding create permissions while public uploading is disabled globally will always return a 403 response.https://github.com/owncloud/core/issues/36442
  https://github.com/owncloud/core/issues/36443
  https://github.com/owncloud/core/pull/39194
• Enhancement – Show detailed error message if moving a mount into another fails: #39584With this change, a detailed error message is shown when moving a mount point into another mount point fails. This is for example the case while moving a shared folder into a SFTP external storage.https://github.com/owncloud/core/issues/39550
  https://github.com/owncloud/core/pull/39584
• Enhancement – Add warnings for commands that are incompatible with object storage: #39604The following commands are affected:* `user:home:list-users` * `user:home:list-homes` * `user:move` * `user:report`https://github.com/owncloud/core/issues/39590
  https://github.com/owncloud/core/pull/39604
• Enhancement – Cache some data in memory from the filecache: #39847Some data from the filecache will be cached from the DB after accessing. This will improve the performance a bit.https://github.com/owncloud/core/pull/39847
• Enhancement – Add product to version in capabilities response: #39851https://github.com/owncloud/core/pull/39851
• Enhancement – Allow files_external app to be disabled: #39856Previously, the files_external app couldn’t be disabled. The corresponding section in the settings page had a checkbox to show or not the settings for the files_external app. Now, if the app is disabled, that section won’t appear. The behavior will be the same as any other disabled app.https://github.com/owncloud/core/pull/39856
• Enhancement – Improve FileDrop view: #39900Small change in the design and behavior of the FileDrop view of Public Links.- The font is bigger and thicker – Background color was added to the list of files – The text in the “Dropbox” is wrapped properly, line-height was removed – Don’t hide the logo on small resolutionshttps://github.com/owncloud/core/pull/39900
• Enhancement – Align “close” for messages: #39907The close button for messages (yellow banner) was slightly displaced.https://github.com/owncloud/core/pull/39907
• Enhancement – Changes regarding cookie handling: #39916The following changes have been implemented: * The expiration set for the passphrase cookie will be refreshed each time a page is loaded or when the “heartbeat” endpoint is hit * If the “session_keepalive” config option is set to true, a periodic request to the “heartbeat” endpoint will be made automatically regardless of any activity going on. This will extend the session lifetime preventing its expiration. * If the “session_keepalive” config option is set to false, a “heartbeat” will be sent based on activity in order to extend the session lifetime. If we don’t detect any activity, the session might expire, and the user will need to login again. * The new “session_forced_logout_timeout” option has been added to the config.php. It’s disabled by default, and setting a positive (non-zero) value will enable the feature. If it’s enabled, the passphrase cookie will expire after those number of seconds pass, when the tab or the browser closes. This will force the user to login again.https://github.com/owncloud/core/pull/39916
• Enhancement – Expose user type of share receiver in share api: #40013https://github.com/owncloud/core/pull/40013
• Enhancement – Use the same string in the header also in public view: #40032In the public view, a different string was used next to the logo than in the internal header. This can cause problems with branding.The string HTMLName from defaults.php is now only used for the header. Name is used exclusively for the mail templates.https://github.com/owncloud/core/pull/40032

Quelle: Server Changelog – ownCloud