Mailinglist Archive: opensuse-buildservice (151 mails)

[opensuse-buildservice] Open Build Service(OBS) 2.4.6 released

Another maintenance release of the 2.4 series is out there.

This is a security and bugfix release. It closes a CSRF bug in the
webui tracked as CVE-2014-0594:
The CSRF protection got incorrectly disabled; this means any
web site can inject actions as long as a user has a running session.
This might not be visible to the user.

So we ask admins to update as soon as possible to the new

We also want to thank the people from Curesec who found this error.

OBS is available as usual via the OBS:Server:2.4 project.

From the official Release Notes:

# openSUSE Build Service 2.4.6

Updaters from any OBS 2.4 release can just upgrade the packages
and restart all services. Updaters from former releases should
read the README.UPDATERS file.

This release fixes a serious security leak tracked as
All OBS 2.4 admins are requested to update immediately to close this

Feature backports:

* None


* None


* webui: fix CSRF protection (CVE-2014-0594)
* webui: fix a syntax error when storing instance configuration
* api: fix database locking when changing states of requests
* api: fix typo that fails retry for connection when using LDAP auth.
* api: fix issue tracking via delayed job


Adrian Schroeter
email: adrian@xxxxxxx

SUSE LINUX GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 21284
(AG Nürnberg)
Maxfeldstraße 5
90409 Nürnberg
