Open Build Service (OBS) 2.4.6 released
Another maintenance release of the 2.4 series is out there.
This is a security and bugfix release. It closes a CSRF bug in the
webui tracked as CVE-2014-0594:
The CSRF protection was incorrectly disabled, which means any
web site can inject actions as long as a user has a running session.
This might not be visible to the user.
So we ask admins to update as soon as possible to the new
We also want to thank the people from Curesec who found this error.
OBS is available as usual via the OBS:Server:2.4 project.
From the official Release Notes:
# openSUSE Build Service 2.4.6
Updaters from any OBS 2.4 release can just upgrade the packages
and restart all services. Updaters from former releases should
read the README.UPDATERS file.
This release fixes a serious security leak tracked as
All OBS 2.4 admins are requested to update immediately to close this
* webui: fix CSRF protection (CVE-2014-0594)
* webui: fix a syntax error when storing instance configuration
* api: fix database locking when changing states of requests
* api: fix typo that fails retry for connection when using LDAP auth.
* api: fix issue tracking via delayed job
SUSE LINUX GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 21284 (AG