chore: update changelog

Author: owncloud-calens-bot[bot]

CHANGELOG.md

@@ -38,6 +38,18 @@ ownCloud admins and users.
 
 ## Summary
 
+* Security - Sanitize storage connection error messages returned to clients: [#41585](https://github.com/owncloud/core/pull/41585)
+* Security - Prevent user enumeration via differential password reset UI: [#41586](https://github.com/owncloud/core/pull/41586)
+* Security - Disable group-admin feature by default behind allow_subadmins: [#41634](https://github.com/owncloud/core/pull/41634)
+* Bugfix - Add missing space to mail footer signature delimiter: [#41364](https://github.com/owncloud/core/issues/41364)
+* Bugfix - Fix htaccess RewriteBase rules blocking API requests by file extension: [#41418](https://github.com/owncloud/core/issues/41418)
+* Bugfix - Fix subadmin email change updating caller's address instead of target's: [#41574](https://github.com/owncloud/core/pull/41574)
+* Bugfix - Adjust code to avoid PHP8 messages: [#41597](https://github.com/owncloud/core/pull/41597)
+* Bugfix - Support federation between systems in subdirectories: [#41599](https://github.com/owncloud/core/pull/41599)
+* Bugfix - Remove owncloud.com/federation link from federated cloud settings: [#41608](https://github.com/owncloud/core/pull/41608)
+* Bugfix - Fix JS test isolation bugs exposed by Jasmine 5 random test ordering: [#41616](https://github.com/owncloud/core/pull/41616)
+* Bugfix - Decrypt versions and trashbin so encryption can be disabled: [#41623](https://github.com/owncloud/core/issues/41623)
+* Bugfix - Fix user:home:list-dirs and user:home:list-users crashing on PHP 8: [#41630](https://github.com/owncloud/core/issues/41630)
 * Change - Update M$ Office icons: [#41347](https://github.com/owncloud/core/pull/41347)
 * Change - No longer store auto loader information in any memory cache: [#41376](https://github.com/owncloud/core/pull/41376)
 * Change - Update PHP dependencies: [#41450](https://github.com/owncloud/core/pull/41450)
@@ -47,6 +59,136 @@ ownCloud admins and users.
 
 ## Details
 
+* Security - Sanitize storage connection error messages returned to clients: [#41585](https://github.com/owncloud/core/pull/41585)
+
+   The external storage status handler returned raw exception messages including
+   Guzzle cURL error details such as resolved IP addresses and port numbers in the
+   JSON response. This allowed authenticated users to distinguish connection states
+   and map internal network topology. The full exception is now logged server-side
+   only; a generic message is returned to the client.
+
+   https://github.com/owncloud/core/pull/41585
+
+* Security - Prevent user enumeration via differential password reset UI: [#41586](https://github.com/owncloud/core/pull/41586)
+
+   The login form showed a "Reset it?" link only when a valid user on a backend
+   that supports password changes was detected. LDAP users produced a different
+   response than non-existent users, allowing unauthenticated enumeration of
+   accounts on those backends. The backend capability check has been removed; the
+   reset link is now shown uniformly regardless of user existence or backend type.
+
+   https://github.com/owncloud/core/pull/41586
+
+* Security - Disable group-admin feature by default behind allow_subadmins: [#41634](https://github.com/owncloud/core/pull/41634)
+
+   Disable the subadmin (group-admin) feature by default behind a new
+   allow_subadmins system config, as a security risk-mitigation. The feature's code
+   path has known security shortcomings; deployments that rely on it can opt back
+   in with 'allow_subadmins' => true in config.php. On upgrade, existing
+   group-admin assignments are ignored until an admin sets 'allow_subadmins' =>
+   true in config.php.
+
+   https://github.com/owncloud/core/pull/41634
+
+* Bugfix - Add missing space to mail footer signature delimiter: [#41364](https://github.com/owncloud/core/issues/41364)
+
+   We've fixed the signature delimiter in the email footer templates. The delimiter
+   on the first line was missing the trailing space required by the signature block
+   convention (RFC 3676), so mail clients were unable to recognize and collapse the
+   signature. The delimiter is now correctly written as "-- " (dash-dash-space).
+
+   https://github.com/owncloud/core/issues/41364
+   https://github.com/owncloud/core/pull/41617
+
+* Bugfix - Fix htaccess RewriteBase rules blocking API requests by file extension: [#41418](https://github.com/owncloud/core/issues/41418)
+
+   Files whose names end in extensions like .jpg, .png, .svg, .json and others
+   could not be marked as favorites or have their tags updated via the files API
+   when htaccess.RewriteBase was configured. The .htaccess rules generated by `occ
+   maintenance:update:htaccess` used a URI extension check to skip routing through
+   index.php, which inadvertently blocked API requests to paths like
+   `/apps/files/api/v1/files/photo.jpg`, returning 405 Method Not Allowed.
+
+   The fix replaces the extension-based condition with `RewriteCond
+   %{REQUEST_FILENAME} !-f`, which correctly routes virtual API paths through
+   index.php while still serving actual static files directly.
+
+   https://github.com/owncloud/core/issues/41418
+
+* Bugfix - Fix subadmin email change updating caller's address instead of target's: [#41574](https://github.com/owncloud/core/pull/41574)
+
+   The verification token and confirmation link in the subadmin path of
+   setMailAddress were associated with the caller's account instead of the target
+   user's account. Clicking the confirmation link changed the subadmin's email
+   rather than the intended target's email.
+
+   https://github.com/owncloud/core/pull/41574
+
+* Bugfix - Adjust code to avoid PHP8 messages: [#41597](https://github.com/owncloud/core/pull/41597)
+
+   Avoid trying to access array offset on false in the encryption storage wrapper.
+
+   Handle passing null to normalizeUrl in the federation DbHandler.
+
+   https://github.com/owncloud/core/pull/41597
+
+* Bugfix - Support federation between systems in subdirectories: [#41599](https://github.com/owncloud/core/pull/41599)
+
+   If a federated server was installed in a subdirectory like:
+
+   Mydomain.com/cloud
+
+   Then checks to see that the server is up and responding would fail. This problem
+   has been corrected.
+
+   https://github.com/owncloud/core/pull/41599
+
+* Bugfix - Remove owncloud.com/federation link from federated cloud settings: [#41608](https://github.com/owncloud/core/pull/41608)
+
+   The "Add to your website" feature in the personal federation settings was
+   generating a link to https://owncloud.com/federation# which no longer works
+   after owncloud.com was restructured. The federation Cloud ID is now displayed
+   directly without linking to the defunct external page.
+
+   https://github.com/owncloud/core/pull/41608
+
+* Bugfix - Fix JS test isolation bugs exposed by Jasmine 5 random test ordering: [#41616](https://github.com/owncloud/core/pull/41616)
+
+   Several JS test specs left shared singleton state dirty between tests, causing
+   intermittent failures when Jasmine 5 ran tests in random order. Fixed
+   OC._currentMenu leak in fileactionsmenuSpec, stale OCA.Files.fileActions
+   reference causing infinite recursion in files_sharing/appSpec, and stale models
+   in the OC.SystemTags.collection singleton in systemtagsinfoviewSpec and
+   systemtagsinputfieldSpec.
+
+   https://github.com/owncloud/core/pull/41616
+
+* Bugfix - Decrypt versions and trashbin so encryption can be disabled: [#41623](https://github.com/owncloud/core/issues/41623)
+
+   "occ encryption:decrypt-all" only walked the regular "files" folder, leaving the
+   "encrypted" flag set on entries in "files_versions" and "files_trashbin".
+   Because "occ encryption:disable" refuses while any file cache row is still
+   flagged as encrypted, administrators were left unable to disable encryption even
+   though decrypt-all reported success.
+
+   Decrypt-all now also descends into "files_versions" and "files_trashbin", and
+   the disable command now lists the paths that are still flagged as encrypted
+   together with a hint on how to clean them up, instead of printing a generic
+   message.
+
+   https://github.com/owncloud/core/issues/41623
+   https://github.com/owncloud/core/pull/41624
+
+* Bugfix - Fix user:home:list-dirs and user:home:list-users crashing on PHP 8: [#41630](https://github.com/owncloud/core/issues/41630)
+
+   The occ commands user:home:list-dirs and user:home:list-users --all passed null
+   as the search pattern to IUserManager::search() to mean "all users". On PHP 8
+   the null reached Connection::escapeLikeParameter(string $param) and raised a
+   TypeError, aborting the command. Both commands now pass the empty string, which
+   is the established "match all" sentinel used by every other caller.
+
+   https://github.com/owncloud/core/issues/41630
+
 * Change - Update M$ Office icons: [#41347](https://github.com/owncloud/core/pull/41347)
 
    Icons have been updated according to the M$ cloud storage partner program
@@ -65,37 +207,57 @@ ownCloud admins and users.
 
    * doctrine/dbal (2.13.9 to 3.10.4)
 
-   * google/apiclient (v2.19.0 to v2.19.3)
+   * firebase/php-jwt (7.0.5 to 7.1.0)
 
-   * google/apiclient-services (v0.435.0 to v0.441.1)
+   * google/apiclient (v2.19.0 to v2.19.3)
 
-   * google/auth (v1.50.0 to v1.50.1)
+   * google/apiclient-services (v0.435.0 to v0.445.0)
 
-   * guzzlehttp/psr7 (2.8.0 to 2.10.4)
+   * google/auth (v1.50.0 to v1.51.0)
 
-   * guzzlehttp/guzzle (7.10.0 to 7.11.0)
+   * guzzlehttp/guzzle (7.10.0 to 7.12.0)
 
    * guzzlehttp/promises (2.3.0 to 2.4.1)
 
+   * guzzlehttp/psr7 (2.8.0 to 2.12.0)
+
    * laravel/serializable-closure (v2.0.10 to v2.0.13)
 
-   * phpseclib/phpseclib (3.0.49 to 3.0.50)
+   * phpseclib/phpseclib (3.0.49 to 3.0.55)
 
    * pimple/pimple (3.6.1 to 3.6.2)
 
+   * sabre/event (5.1.7 to 5.1.8)
+
    * sabre/vobject (4.5.8 to 4.6.0)
 
-   * symfony/deprecation-contracts (v3.6.0 to v3.7.0)
+   * symfony/console (v7.4.7 to v7.4.13)
 
    * symfony/mailer (v7.4.6 to v7.4.12)
 
+   * symfony/process (v7.4.5 to v7.4.13)
+
+   * symfony/routing (v7.4.6 to v7.4.13)
+
+   * symfony/string (v7.4.6 to v7.4.13)
+
+   * symfony/translation (v7.4.6 to v7.4.10)
+
+   * symfony/deprecation-contracts (v3.6.0 to v3.7.0)
+
+   * symfony/translation-contracts (v3.6.1 to v3.7.0)
+
    https://github.com/owncloud/core/pull/41450
    https://github.com/owncloud/core/pull/41477
    https://github.com/owncloud/core/pull/41495
    https://github.com/owncloud/core/pull/41561
    https://github.com/owncloud/core/pull/41564
    https://github.com/owncloud/core/pull/41569
    https://github.com/owncloud/core/pull/41590
+   https://github.com/owncloud/core/pull/41613
+   https://github.com/owncloud/core/pull/41619
+   https://github.com/owncloud/core/pull/41626
+   https://github.com/owncloud/core/pull/41635
 
 * Change - Drop command db:convert-type: [#41451](https://github.com/owncloud/core/pull/41451)