OBS 2.6.5 released
==================

This release primarily fixes an XSS security issue, tracked in bnc#947736
and CVE-2015-5966. The leak exists in the webui comment functionality, which
can be misused to steal passwords or to gain access to projects.

OBS 2.5 is also affected, but not yet fixed. OBS 2.4 and before are not
affected.

Updaters from any OBS 2.6 release can just upgrade the packages and restart
all services. Updaters from former releases should read the README.UPDATERS
file.

OBS updates are available from the following projects:

  https://build.opensuse.org/project/show/OBS:Server:2.6

The appliance can be downloaded from

  http://openbuildservice.org/download

Details from the Release Notes of 2.6.5:
========================================

Feature backports:
==================

 * none

Changes:
========

 * webui: make the hint to interconnect more visible

Bugfixes:
=========

 * webui: fix XSS attack vector via comments (bnc#947736 and CVE-2015-5966)
 * config: fixed apache 2.4 config in template file

--
Adrian Schroeter
email: adrian@suse.de

SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg)
Maxfeldstraße 5
90409 Nürnberg
Germany