[opensuse-buildservice] Security issue: please update your workers!
Hi, please note that there is a security issue inside of bsdtar/libarchive. This is the tool which we use to prepare builds inside of any environemnt (chroot, kvm, ...). Special crafted binary packages allow an attacker to replace any file on your worker host system. Please update bsdtar and libarchive packages on your workers. You find fixed versions of them inside of the following projects: OBS:Server:2.6 OBS:Server:2.5 OBS:Server:2.4 OBS:Server:Unstable The issue is public already. bye adrian -- Adrian Schroeter email: adrian@suse.de SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Jennifer Guild, Dilip Upmanyu, Graham Norton, HRB 21284 (AG Nürnberg) Maxfeldstraße 5 90409 Nürnberg Germany -- To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-buildservice+owner@opensuse.org
On Monday 2015-03-09 11:42, Adrian Schröter wrote:
Please update bsdtar and libarchive packages on your workers. You find fixed versions of them inside of the following projects:
OBS:Server:2.6 OBS:Server:2.5 OBS:Server:2.4 OBS:Server:Unstable
Will updates be released in openSUSE:13.2:Update too? Some workers may source bsdtar and libarchive from repo-oss rather than OBS:Server:*. -- To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-buildservice+owner@opensuse.org
On Montag, 9. März 2015, 12:26:30 wrote Jan Engelhardt:
On Monday 2015-03-09 11:42, Adrian Schröter wrote:
Please update bsdtar and libarchive packages on your workers. You find fixed versions of them inside of the following projects:
OBS:Server:2.6 OBS:Server:2.5 OBS:Server:2.4 OBS:Server:Unstable
Will updates be released in openSUSE:13.2:Update too? Some workers may source bsdtar and libarchive from repo-oss rather than OBS:Server:*.
yes, but still WIP due to the lack of a CVE number ... -- Adrian Schroeter email: adrian@suse.de SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Jennifer Guild, Dilip Upmanyu, Graham Norton, HRB 21284 (AG Nürnberg) Maxfeldstraße 5 90409 Nürnberg Germany -- To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-buildservice+owner@opensuse.org
participants (2)
-
Adrian Schröter
-
Jan Engelhardt