Mailinglist Archive: opensuse-buildservice (137 mails)

Re: [opensuse-buildservice] OBS 2.1.16 released. PLEASE UPDATE: Critical security fix.
  • From: James Ford <james.t.ford@xxxxxxxxx>
  • Date: Thu, 15 Dec 2011 21:43:36 -0500
  • Message-id: <CAF1e4oDgt1yqPRGmP=L=uPN35GQ1qJ8HtRD0YtV7j5zMS0rgag@mail.gmail.com>
Wanted to inquire what test suite was used to identify the weaknesses?

On Thu, Dec 15, 2011 at 2:03 PM, Carsten Schoene
<cs@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
Hello Adrian,

for SLE_11_SP1 it's still 2.1.15 and buildstate is failed, log
says:
|error: Group field must be present in package: obs-api

can this be fixed soon?

Carsten

On 15.12.2011 10:46, Adrian Schröter wrote:
Open Build Service(OBS) 2.1.16 just got released.

In first place it is fixing a serious security problem which allows
everybody (even without OBS account) to upload binaries to any project and
repository.

Admins of public OBS instances got a pre warning about this, but it is highly
recommended to update every instance now to the final packages.

OBS 2.1.16 is published in "openSUSE:Tools:2.1" project:

  http://download.opensuse.org/repositories/openSUSE:Tools:2.1/

OBS 2.0.x and before are not affected (bug got introduced by new security
enhancements in 2.1 release).

This issue is tracked as CVE-2011-4183, bnc#736243.


Some other issues (found by test suite) got fixed as well. Find details in
the Release Notes:


  Feature backports:
  ==================

  * Support linking to remote OBS 2.3 package which links to not existing
    packages.
  * Support upload of build job results via the api for admin users.

  Changes:
  ========

  * dropped openSUSE 11.3 from default target list
  * logrotate files are not installed with .logrotate suffix anymore

  Bugfixes:
  =========

  * CRITICAL SECURITY FIX: Binary upload of build results was allowed to
    everybody without permission check (bnc#736243, CVE-2011-4183).
  * fixed runtime error when checking sourceaccess of links (introduced in
    2.1.15)

Please excuse this grave issue.


