Skip to content

Commit 49bdf5c

Browse files
fix: update CHANGELOG.md (#41573)
1 parent 2032e13 commit 49bdf5c

7 files changed

Lines changed: 93 additions & 33 deletions

File tree

CHANGELOG.md

Lines changed: 92 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,7 @@
11
# Table of Contents
22

33
* [Changelog for unreleased](#changelog-for-owncloud-core-unreleased-unreleased)
4+
* [Changelog for 10.16.3](#changelog-for-owncloud-core-10163-2026-05-22)
45
* [Changelog for 10.16.2](#changelog-for-owncloud-core-10162-2026-04-02)
56
* [Changelog for 10.16.1](#changelog-for-owncloud-core-10161-2026-02-18)
67
* [Changelog for 10.16.0](#changelog-for-owncloud-core-10160-2025-10-23)
@@ -28,13 +29,12 @@
2829
* [Changelog for 10.4.1](#changelog-for-owncloud-core-1041-2020-03-30)
2930
* [Changelog for 10.4.0](#changelog-for-owncloud-core-1040-2020-02-10)
3031
* [Changelog for 10.3.2](#changelog-for-owncloud-core-1032-2019-12-04)
31-
3232
# Changelog for ownCloud Core [unreleased] (UNRELEASED)
3333

3434
The following sections list the changes in ownCloud core unreleased relevant to
3535
ownCloud admins and users.
3636

37-
[unreleased]: https://github.com/owncloud/core/compare/v10.16.1...master
37+
[unreleased]: https://github.com/owncloud/core/compare/v10.16.3...master
3838

3939
## Summary
4040

@@ -43,6 +43,7 @@ ownCloud admins and users.
4343
* Change - Update PHP dependencies: [#41450](https://github.com/owncloud/core/pull/41450)
4444
* Change - Drop command db:convert-type: [#41451](https://github.com/owncloud/core/pull/41451)
4545
* Change - Removed legacy and deprecated code from ownCloud 11: [#41455](https://github.com/owncloud/core/pull/41455)
46+
* Change - Use configurable URL for internet connectivity check: [#41506](https://github.com/owncloud/core/pull/41506)
4647

4748
## Details
4849

@@ -61,12 +62,19 @@ ownCloud admins and users.
6162
* Change - Update PHP dependencies: [#41450](https://github.com/owncloud/core/pull/41450)
6263

6364
The following have been updated: - doctrine/dbal (2.13.9 to 3.10.4) -
64-
google/auth (v1.50.0 to v1.50.1) - guzzlehttp/psr7 (2.8.0 to 2.9.0) -
65-
phpseclib/phpseclib (3.0.49 to 3.0.50) - pimple/pimple (3.6.1 to 3.6.2)
65+
google/apiclient (v2.19.0 to v2.19.3) - google/apiclient-services (v0.435.0 to
66+
v0.441.1) - google/auth (v1.50.0 to v1.50.1) - guzzlehttp/psr7 (2.8.0 to 2.10.4)
67+
- guzzlehttp/guzzle (7.10.0 to 7.10.5) - guzzlehttp/promises (2.3.0 to 2.4.1) -
68+
laravel/serializable-closure (v2.0.10 to v2.0.13) - phpseclib/phpseclib (3.0.49
69+
to 3.0.50) - pimple/pimple (3.6.1 to 3.6.2) - symfony/deprecation-contracts
70+
(v3.6.0 to v3.7.0) - symfony/mailer (v7.4.6 to v7.4.12)
6671

6772
https://github.com/owncloud/core/pull/41450
6873
https://github.com/owncloud/core/pull/41477
6974
https://github.com/owncloud/core/pull/41495
75+
https://github.com/owncloud/core/pull/41561
76+
https://github.com/owncloud/core/pull/41564
77+
https://github.com/owncloud/core/pull/41569
7078

7179
* Change - Drop command db:convert-type: [#41451](https://github.com/owncloud/core/pull/41451)
7280

@@ -88,6 +96,86 @@ ownCloud admins and users.
8896
https://github.com/owncloud/core/pull/41464
8997
https://github.com/owncloud/core/pull/41468
9098

99+
* Change - Use configurable URL for internet connectivity check: [#41506](https://github.com/owncloud/core/pull/41506)
100+
101+
Default URL is now configurable and the default is set to an independent
102+
resource: https://detectportal.firefox.com/success.txt This also provides an
103+
IPv6 compatible URL.
104+
105+
https://github.com/owncloud/core/issues/41465
106+
https://github.com/owncloud/core/pull/41506
107+
108+
# Changelog for ownCloud Core [10.16.3] (2026-05-22)
109+
110+
The following sections list the changes in ownCloud core 10.16.3 relevant to
111+
ownCloud admins and users.
112+
113+
[10.16.3]: https://github.com/owncloud/core/compare/v10.16.2...v10.16.3
114+
115+
## Summary
116+
117+
* Security - Update phpseclib to 3.0.52 for CVE-2026-40194: [#41529](https://github.com/owncloud/core/pull/41529)
118+
* Security - Restrict AppConfigController read methods to full admins only: [#41550](https://github.com/owncloud/core/pull/41550)
119+
* Security - Update symfony/routing to 5.4.52 for CVE-2026-45065: [#41559](https://github.com/owncloud/core/pull/41559)
120+
* Bugfix - Prevent mounting local storage if not allowed: [#41538](https://github.com/owncloud/core/pull/41538)
121+
* Bugfix - Use the correct user ID when changing email via admin API: [#41539](https://github.com/owncloud/core/pull/41539)
122+
* Bugfix - Prevent IDOR in WebDAV comments API: [#41558](https://github.com/owncloud/core/pull/41558)
123+
124+
## Details
125+
126+
* Security - Update phpseclib to 3.0.52 for CVE-2026-40194: [#41529](https://github.com/owncloud/core/pull/41529)
127+
128+
CVE-2026-40194: Timing attack vulnerability in SSH binary packet processing.
129+
Upgraded phpseclib/phpseclib from 3.0.50 to 3.0.52.
130+
131+
https://github.com/owncloud/core/pull/41529
132+
https://github.com/owncloud/core/pull/41541
133+
https://github.com/phpseclib/phpseclib/releases/tag/3.0.51
134+
135+
* Security - Restrict AppConfigController read methods to full admins only: [#41550](https://github.com/owncloud/core/pull/41550)
136+
137+
Subadmin users could read all oc_appconfig values including SMTP passwords, LDAP
138+
bind credentials, and encryption master keys via the Settings API. Removed
139+
@NoAdminRequired from getApps, getKeys, and getValue so that the AdminMiddleware
140+
enforces full-admin-only access, consistent with the write methods.
141+
142+
https://github.com/owncloud/core/pull/41550
143+
144+
* Security - Update symfony/routing to 5.4.52 for CVE-2026-45065: [#41559](https://github.com/owncloud/core/pull/41559)
145+
146+
CVE-2026-45065: UrlGenerator route-requirement bypass via unanchored regex
147+
alternation allowing off-site URL injection. Upgraded symfony/routing from
148+
5.4.48 to 5.4.52.
149+
150+
https://github.com/owncloud/core/pull/41559
151+
https://symfony.com/cve-2026-45065
152+
153+
* Bugfix - Prevent mounting local storage if not allowed: [#41538](https://github.com/owncloud/core/pull/41538)
154+
155+
Mounting a local storage was possible if the internal class name was used as
156+
backend, despite local storage not allowed to be mounted. This problem is fixed
157+
and the local storage can't be mounted if it was explicitly disallowed in the
158+
configuration.
159+
160+
https://github.com/owncloud/core/pull/41538
161+
162+
* Bugfix - Use the correct user ID when changing email via admin API: [#41539](https://github.com/owncloud/core/pull/41539)
163+
164+
The admin API endpoint for changing a user's email address was incorrectly using
165+
the requesting admin's user ID instead of the target user's ID, causing the
166+
admin's email to be updated rather than the intended user's.
167+
168+
https://github.com/owncloud/core/pull/41539
169+
170+
* Bugfix - Prevent IDOR in WebDAV comments API: [#41558](https://github.com/owncloud/core/pull/41558)
171+
172+
Authenticated users could read, edit, or delete comments on files they have no
173+
access to by supplying an arbitrary comment ID in the WebDAV comments endpoint.
174+
The fix verifies that a requested comment belongs to the file in the URL before
175+
returning it.
176+
177+
https://github.com/owncloud/core/pull/41558
178+
91179
# Changelog for ownCloud Core [10.16.2] (2026-04-02)
92180

93181
The following sections list the changes in ownCloud core 10.16.2 relevant to

Makefile

Lines changed: 0 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -367,7 +367,6 @@ changelog:
367367
@echo Committing changes to this file will result in merge conflicts.
368368
@echo ======================================================================
369369
docker run --rm -v $(work_dir):$(work_dir) -w $(work_dir) toolhippie/calens calens >| CHANGELOG.md
370-
docker run --rm -v $(work_dir):$(work_dir) -w $(work_dir) toolhippie/calens calens -t changelog/CHANGELOG-html.tmpl >| CHANGELOG.html
371370

372371
#
373372
# Dependency management

changelog/unreleased/41538

Lines changed: 0 additions & 8 deletions
This file was deleted.

changelog/unreleased/41539

Lines changed: 0 additions & 5 deletions
This file was deleted.

changelog/unreleased/41550

Lines changed: 0 additions & 9 deletions
This file was deleted.

changelog/unreleased/41558

Lines changed: 0 additions & 5 deletions
This file was deleted.

changelog/unreleased/PHPdependencies20260225onward

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -3,7 +3,7 @@ Change: Update PHP dependencies
33
The following have been updated:
44
- doctrine/dbal (2.13.9 to 3.10.4)
55
- google/apiclient (v2.19.0 to v2.19.3)
6-
google/apiclient-services (v0.435.0 to v0.441.1)
6+
- google/apiclient-services (v0.435.0 to v0.441.1)
77
- google/auth (v1.50.0 to v1.50.1)
88
- guzzlehttp/psr7 (2.8.0 to 2.10.4)
99
- guzzlehttp/guzzle (7.10.0 to 7.10.5)

0 commit comments

Comments
 (0)