Mailinglist Archive: opensuse-buildservice (96 mails)

< Previous Next >
[opensuse-buildservice] Open Build Service (OBS) 2.6.5 released
OBS 2.6.5 released

This release is fixing in first place a XSS security issue, tracked
in bnc#947736 and CVE-2015-5966.

The leak exists in the webui comment functionality which can
be misused to steal passwords or to gain access to projects.

OBS 2.5 is also affected, but not yet fixed. OBS 2.4 and before
are not affected.

Updaters from any OBS 2.6 release can just ugrade the packages
and restart all services. Updaters from former releases should
read the README.UPDATERS file.

OBS update are available from the following projects:

The appliance can be downloaded from

Details from the Release Notes of 2.6.5:

Feature backports:

* none


* webui: make the hint to interconnect more visible


* webui: fix XSS attack vector via comments (bnc#947736 and CVE-2015-5966)
* config: fixed apache 2.4 config in template file


Adrian Schroeter
email: adrian@xxxxxxx

SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284
(AG Nürnberg)

Maxfeldstraße 5
90409 Nürnberg

To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@xxxxxxxxxxxx
To contact the owner, e-mail: opensuse-buildservice+owner@xxxxxxxxxxxx

< Previous Next >
This Thread
  • No further messages