Skip to content

Commit 2032e13

Browse files
chore: add changelog folder for 10.16.3 release (#41571)
Backports changelog/10.16.3_2026-05-22/ from v10.16.3 to master. Signed-off-by: Thomas Müller <1005065+DeepDiver1975@users.noreply.github.com>
1 parent 1762a6f commit 2032e13

6 files changed

Lines changed: 43 additions & 0 deletions

File tree

changelog/10.16.3_2026-05-22/41538

Lines changed: 8 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,8 @@
1+
Bugfix: Prevent mounting local storage if not allowed
2+
3+
Mounting a local storage was possible if the internal class name was used as
4+
backend, despite local storage not allowed to be mounted. This problem is
5+
fixed and the local storage can't be mounted if it was explicitly disallowed in
6+
the configuration.
7+
8+
https://github.com/owncloud/core/pull/41538

changelog/10.16.3_2026-05-22/41539

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,5 @@
1+
Bugfix: Use the correct user ID when changing email via admin API
2+
3+
The admin API endpoint for changing a user's email address was incorrectly using the requesting admin's user ID instead of the target user's ID, causing the admin's email to be updated rather than the intended user's.
4+
5+
https://github.com/owncloud/core/pull/41539

changelog/10.16.3_2026-05-22/41550

Lines changed: 9 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,9 @@
1+
Security: Restrict AppConfigController read methods to full admins only
2+
3+
Subadmin users could read all oc_appconfig values including SMTP passwords,
4+
LDAP bind credentials, and encryption master keys via the Settings API.
5+
Removed @NoAdminRequired from getApps, getKeys, and getValue so that the
6+
AdminMiddleware enforces full-admin-only access, consistent with the write
7+
methods.
8+
9+
https://github.com/owncloud/core/pull/41550

changelog/10.16.3_2026-05-22/41558

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,5 @@
1+
Bugfix: Prevent IDOR in WebDAV comments API
2+
3+
Authenticated users could read, edit, or delete comments on files they have no access to by supplying an arbitrary comment ID in the WebDAV comments endpoint. The fix verifies that a requested comment belongs to the file in the URL before returning it.
4+
5+
https://github.com/owncloud/core/pull/41558
Lines changed: 8 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,8 @@
1+
Security: Update phpseclib to 3.0.52 for CVE-2026-40194
2+
3+
CVE-2026-40194: Timing attack vulnerability in SSH binary packet processing.
4+
Upgraded phpseclib/phpseclib from 3.0.50 to 3.0.52.
5+
6+
https://github.com/owncloud/core/pull/41529
7+
https://github.com/owncloud/core/pull/41541
8+
https://github.com/phpseclib/phpseclib/releases/tag/3.0.51
Lines changed: 8 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,8 @@
1+
Security: Update symfony/routing to 5.4.52 for CVE-2026-45065
2+
3+
CVE-2026-45065: UrlGenerator route-requirement bypass via unanchored regex
4+
alternation allowing off-site URL injection. Upgraded symfony/routing from
5+
5.4.48 to 5.4.52.
6+
7+
https://github.com/owncloud/core/pull/41559
8+
https://symfony.com/cve-2026-45065

0 commit comments

Comments
 (0)