Open Build Service(OBS) 2.4.6 released
======================================

Another maintenance release of the 2.4 series is out there.

This is a security and bugfix release; it closes a CSRF bug in the webui
tracked as CVE-2014-0594:

The CSRF protection got incorrectly disabled; this means any web site can
inject actions as long as a user has a running session. This might not be
visible to the user.

So we ask admins to update as soon as possible to the new version.

We also want to thank the people from Curesec who found this error.

OBS is available as usual via the OBS:Server:2.4 project.

https://build.opensuse.org/project/show/OBS:Server:2.4

From the official Release Notes:
================================

#
# openSUSE Build Service 2.4.6
#

Updaters from any OBS 2.4 release can just upgrade the packages and restart
all services. Updaters from former releases should read the README.UPDATERS
file.

This release fixes a serious security leak tracked as
All OBS 2.4 admins are requested to update immediately to close this hole.

Feature backports:
==================

* None

Changes:
========

* None

Bugfixes:
=========

* webui: fix CSRF protection (CVE-2014-0594)
* webui: fix a syntax error when storing instance configuration
* api: fix database locking when changing states of requests
* api: fix typo that fails retry for connection when using LDAP auth.
* api: fix issue tracking via delayed job

--
Adrian Schroeter
email: adrian@suse.de

SUSE LINUX GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 21284 (AG Nürnberg)
Maxfeldstraße 5
90409 Nürnberg
Germany