diff tells two different stories:
- updated files_pdfviewer including a newer PDFJS
- some small fixes around authentication tokens. Here I can feel what’s the problem and what the fix does but frankly I do not understand why Nextcloud GmbH is so afraid of making a little bit more detailed announcement. Of course nobody wants them to disclose the exact details till most of the deployments are updated, but telling “Security update” is so weak and embarrassingly non-transparent. Something like “Critical security update, please update as soon as possible. More details about the vulnerability will be disclosed later” would be more prudent.