[opensuse-buildservice] OBS 2.1.13 released

We released another 2.1 version, providing a security fix.

The webui had a place where code injection worked. This means everybody can run code on your web server as the "wwwrun" or "lighttpd" user.

OBS 2.0.x and before is not affected. Current OBS 2.3 candidate packages contain the fix as well.

Please find the packages and appliances here:

http://download.opensuse.org/repositories/openSUSE:/Tools:/2.1/

The openSUSE:Tools project is still on hold until 2.3 gets released.

People who run a publicly reachable OBS instance have been informed before. If you also want to get an early warning in such cases, please drop me a mail and tell me which instance you maintain.

The changes are quite minimal:

Feature backports:
==================
* none

Changes:
========
* api: updated default build target list

Bugfixes:
=========
* webui: fixed quoting of URL parameter (CVE-2011-3178, bnc#723788)

--
Adrian Schroeter
SUSE Linux Products GmbH
email: adrian@suse.de
--
To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-buildservice+owner@opensuse.org