Mailinglist Archive: opensuse-buildservice (96 mails)

[opensuse-buildservice] Open Build Service (OBS) 2.6.5 released
OBS 2.6.5 released
==================

This release first and foremost fixes an XSS security issue, tracked
in bnc#947736 and CVE-2015-5966.

The leak exists in the webui comment functionality which can
be misused to steal passwords or to gain access to projects.

OBS 2.5 is also affected, but not yet fixed. OBS 2.4 and before
are not affected.

Updaters from any OBS 2.6 release can just upgrade the packages
and restart all services. Updaters from former releases should
read the README.UPDATERS file.

OBS updates are available from the following projects:

https://build.opensuse.org/project/show/OBS:Server:2.6

The appliance can be downloaded from

http://openbuildservice.org/download


Details from the Release Notes of 2.6.5:
========================================

Feature backports:
==================

* none

Changes:
========

* webui: make the hint to interconnect more visible

Bugfixes:
=========

* webui: fix XSS attack vector via comments (bnc#947736 and CVE-2015-5966)
* config: fixed apache 2.4 config in template file


--

Adrian Schroeter
email: adrian@xxxxxxx

SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284
(AG Nürnberg)

Maxfeldstraße 5
90409 Nürnberg
Germany

