@@ -38,6 +38,14 @@ ownCloud admins and users.
3838
3939## Summary
4040
41+ * Security - Prevent user enumeration via differential password reset UI: [#41586](https://github.com/owncloud/core/pull/41586)
42+ * Bugfix - Add missing space to mail footer signature delimiter: [#41364](https://github.com/owncloud/core/issues/41364)
43+ * Bugfix - Fix htaccess RewriteBase rules blocking API requests by file extension: [#41418](https://github.com/owncloud/core/issues/41418)
44+ * Bugfix - Fix subadmin email change updating caller's address instead of target's: [#41574](https://github.com/owncloud/core/pull/41574)
45+ * Bugfix - Adjust code to avoid PHP8 messages: [#41597](https://github.com/owncloud/core/pull/41597)
46+ * Bugfix - Support federation between systems in subdirectories: [#41599](https://github.com/owncloud/core/pull/41599)
47+ * Bugfix - Remove owncloud.com/federation link from federated cloud settings: [#41608](https://github.com/owncloud/core/pull/41608)
48+ * Bugfix - Fix JS test isolation bugs exposed by Jasmine 5 random test ordering: [#41616](https://github.com/owncloud/core/pull/41616)
4149* Change - Update M$ Office icons: [#41347](https://github.com/owncloud/core/pull/41347)
4250* Change - No longer store auto loader information in any memory cache: [#41376](https://github.com/owncloud/core/pull/41376)
4351* Change - Update PHP dependencies: [#41450](https://github.com/owncloud/core/pull/41450)
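Review bot: the entry added at line 44, "Fix subadmin email change updating caller's address instead of target's", is filed as Bugfix although its Details text describes a verification token and confirmation link bound to the wrong account. Consider whether it should carry the Security label like #41586 on line 41, or keep it as Bugfix and state in the Details why it has no security impact, so admins scanning the Summary can triage it.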
@@ -47,6 +55,89 @@ ownCloud admins and users.
4755
4856## Details
4957
58+ * Security - Prevent user enumeration via differential password reset UI: [#41586](https://github.com/owncloud/core/pull/41586)
59+
60+ The login form showed a "Reset it?" link only when a valid user on a backend
61+ that supports password changes was detected. LDAP users produced a different
62+ response than non-existent users, allowing unauthenticated enumeration of
63+ accounts on those backends. The backend capability check has been removed; the
64+ reset link is now shown uniformly regardless of user existence or backend type.
65+
66+ https://github.com/owncloud/core/pull/41586
67+
68+ * Bugfix - Add missing space to mail footer signature delimiter: [#41364](https://github.com/owncloud/core/issues/41364)
69+
70+ We've fixed the signature delimiter in the email footer templates. The delimiter
71+ on the first line was missing the trailing space required by the signature block
72+ convention (RFC 3676), so mail clients were unable to recognize and collapse the
73+ signature. The delimiter is now correctly written as "-- " (dash-dash-space).
74+
75+ https://github.com/owncloud/core/issues/41364
76+ https://github.com/owncloud/core/pull/41617
77+
78+ * Bugfix - Fix htaccess RewriteBase rules blocking API requests by file extension: [#41418](https://github.com/owncloud/core/issues/41418)
79+
80+ Files whose names end in extensions like .jpg, .png, .svg, .json and others
81+ could not be marked as favorites or have their tags updated via the files API
82+ when htaccess.RewriteBase was configured. The .htaccess rules generated by `occ
83+ maintenance:update:htaccess` used a URI extension check to skip routing through
84+ index.php, which inadvertently blocked API requests to paths like
85+ `/apps/files/api/v1/files/photo.jpg`, returning 405 Method Not Allowed.
86+
87+ The fix replaces the extension-based condition with `RewriteCond
88+ %{REQUEST_FILENAME} !-f`, which correctly routes virtual API paths through
89+ index.php while still serving actual static files directly.
90+
91+ https://github.com/owncloud/core/issues/41418
92+
93+ * Bugfix - Fix subadmin email change updating caller's address instead of target's: [#41574](https://github.com/owncloud/core/pull/41574)
94+
95+ The verification token and confirmation link in the subadmin path of
96+ setMailAddress were associated with the caller's account instead of the target
97+ user's account. Clicking the confirmation link changed the subadmin's email
98+ rather than the intended target's email.
99+
100+ https://github.com/owncloud/core/pull/41574
101+
102+ * Bugfix - Adjust code to avoid PHP8 messages: [#41597](https://github.com/owncloud/core/pull/41597)
103+
104+ Avoid trying to access array offset on false in the encryption storage wrapper.
105+
106+ Handle passing null to normalizeUrl in the federation DbHandler.
107+
108+ https://github.com/owncloud/core/pull/41597
109+
110+ * Bugfix - Support federation between systems in subdirectories: [#41599](https://github.com/owncloud/core/pull/41599)
111+
112+ If a federated server was installed in a subdirectory like:
113+
114+ Mydomain.com/cloud
115+
116+ Then checks to see that the server is up and responding would fail. This problem
117+ has been corrected.
118+
119+ https://github.com/owncloud/core/pull/41599
120+
121+ * Bugfix - Remove owncloud.com/federation link from federated cloud settings: [#41608](https://github.com/owncloud/core/pull/41608)
122+
123+ The "Add to your website" feature in the personal federation settings was
124+ generating a link to https://owncloud.com/federation# which no longer works
125+ after owncloud.com was restructured. The federation Cloud ID is now displayed
126+ directly without linking to the defunct external page.
127+
128+ https://github.com/owncloud/core/pull/41608
129+
130+ * Bugfix - Fix JS test isolation bugs exposed by Jasmine 5 random test ordering: [#41616](https://github.com/owncloud/core/pull/41616)
131+
132+ Several JS test specs left shared singleton state dirty between tests, causing
133+ intermittent failures when Jasmine 5 ran tests in random order. Fixed
134+ OC._currentMenu leak in fileactionsmenuSpec, stale OCA.Files.fileActions
135+ reference causing infinite recursion in files_sharing/appSpec, and stale models
136+ in the OC.SystemTags.collection singleton in systemtagsinfoviewSpec and
137+ systemtagsinputfieldSpec.
138+
139+ https://github.com/owncloud/core/pull/41616
140+
50141* Change - Update M$ Office icons: [#41347](https://github.com/owncloud/core/pull/41347)
51142
52143 Icons have been updated according to the M$ cloud storage partner program
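Review bot: the #41418 entry (lines 78-91) does not say whether admins must rerun `occ maintenance:update:htaccess` after upgrading for the new `RewriteCond %{REQUEST_FILENAME} !-f` rule to replace the extension check in an already generated .htaccess; add a sentence that states it either way. The entry also lists only the issue URL, while #41364 just above it lists both the issue and the fixing pull request, so add the pull request link here as well.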
@@ -67,35 +158,50 @@ ownCloud admins and users.
67158
68159 * google/apiclient (v2.19.0 to v2.19.3)
69160
70- * google/apiclient-services (v0.435.0 to v0.441.1 )
161+ * google/apiclient-services (v0.435.0 to v0.444.0 )
71162
72- * google/auth (v1.50.0 to v1.50.1 )
163+ * google/auth (v1.50.0 to v1.51.0 )
73164
74165 * guzzlehttp/psr7 (2.8.0 to 2.10.4)
75166
76- * guzzlehttp/guzzle (7.10.0 to 7.11.0 )
167+ * guzzlehttp/guzzle (7.10.0 to 7.11.1 )
77168
78169 * guzzlehttp/promises (2.3.0 to 2.4.1)
79170
80171 * laravel/serializable-closure (v2.0.10 to v2.0.13)
81172
82- * phpseclib/phpseclib (3.0.49 to 3.0.50 )
173+ * phpseclib/phpseclib (3.0.49 to 3.0.53 )
83174
84175 * pimple/pimple (3.6.1 to 3.6.2)
85176
177+ * sabre/event (5.1.7 to 5.1.8)
178+
86179 * sabre/vobject (4.5.8 to 4.6.0)
87180
88- * symfony/deprecation-contracts (v3.6.0 to v3.7.0 )
181+ * symfony/console (v7.4.7 to v7.4.13 )
89182
90183 * symfony/mailer (v7.4.6 to v7.4.12)
91184
185+ * symfony/process (v7.4.5 to v7.4.13)
186+
187+ * symfony/routing (v7.4.6 to v7.4.13)
188+
189+ * symfony/string (v7.4.6 to v7.4.13)
190+
191+ * symfony/translation (v7.4.6 to v7.4.10)
192+
193+ * symfony/deprecation-contracts (v3.6.0 to v3.7.0)
194+
195+ * symfony/translation-contracts (v3.6.1 to v3.7.0)
196+
92197 https://github.com/owncloud/core/pull/41450
93198 https://github.com/owncloud/core/pull/41477
94199 https://github.com/owncloud/core/pull/41495
95200 https://github.com/owncloud/core/pull/41561
96201 https://github.com/owncloud/core/pull/41564
97202 https://github.com/owncloud/core/pull/41569
98203 https://github.com/owncloud/core/pull/41590
204+ https://github.com/owncloud/core/pull/41613
99205
100206* Change - Drop command db:convert-type: [#41451](https://github.com/owncloud/core/pull/41451)
101207
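Review bot: the phpseclib/phpseclib line (173) now spans 3.0.49 to 3.0.53 and guzzlehttp/guzzle (167) moves to 7.11.1, yet the entry remains a plain "Change" with no indication of whether any of the picked-up releases fix security issues; if one does, say so in the entry text so admins can prioritise the update. Separately, symfony/deprecation-contracts is moved from line 88 to line 193 with the same version range, which only adds noise to the hunk; leaving it in place and adding the new symfony lines around it would keep the diff smaller.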