[opensuse-buildservice] OBS 2.1.16 released. PLEASE UPDATE: Critical security fix.
Open Build Service (OBS) 2.1.16 just got released.
First of all, it fixes a serious security problem which allows everybody (even without an OBS account) to upload binaries to any project and repository.
Admins of public OBS instances got a pre-warning about this, but it is highly recommended to update every instance now to the final packages.
OBS 2.1.16 is published in the "openSUSE:Tools:2.1" project:
http://download.opensuse.org/repositories/openSUSE:Tools:2.1/
OBS 2.0.x and before are not affected (the bug was introduced by new security enhancements in the 2.1 release).
This issue is tracked as CVE-2011-4183, bnc#736243.
Some other issues (found by the test suite) got fixed as well. Find details in the Release Notes:

Feature backports:
==================
* Support linking to a remote OBS 2.3 package which links to non-existing packages.
* Support upload of build job results via the API for admin users.

Changes:
========
* dropped openSUSE 11.3 from default target list
* logrotate files are not installed with .logrotate suffix anymore

Bugfixes:
=========
* CRITICAL SECURITY FIX: Binary upload of build results was allowed to everybody without permission check (bnc#736243, CVE-2011-4183).
* fixed runtime error when checking sourceaccess of links (introduced in 2.1.15)

Please excuse this grave issue.

--
Adrian Schroeter
SUSE Linux Products GmbH
email: adrian@suse.de

--
To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-buildservice+owner@opensuse.org
Hello Adrian,

for SLE_11_SP1 it's still 2.1.15 and the buildstate is failed, the log says:
|error: Group field must be present in package: obs-api
Can this be fixed soon?

Carsten

On 15.12.2011 10:46, Adrian Schröter wrote:
Open Build Service (OBS) 2.1.16 just got released.
First of all, it fixes a serious security problem which allows everybody (even without an OBS account) to upload binaries to any project and repository.
Admins of public OBS instances got a pre-warning about this, but it is highly recommended to update every instance now to the final packages.
OBS 2.1.16 is published in the "openSUSE:Tools:2.1" project:
http://download.opensuse.org/repositories/openSUSE:Tools:2.1/
OBS 2.0.x and before are not affected (the bug was introduced by new security enhancements in the 2.1 release).
This issue is tracked as CVE-2011-4183, bnc#736243.
Some other issues (found by the test suite) got fixed as well. Find details in the Release Notes:

Feature backports:
==================
* Support linking to a remote OBS 2.3 package which links to non-existing packages.
* Support upload of build job results via the API for admin users.

Changes:
========
* dropped openSUSE 11.3 from default target list
* logrotate files are not installed with .logrotate suffix anymore

Bugfixes:
=========
* CRITICAL SECURITY FIX: Binary upload of build results was allowed to everybody without permission check (bnc#736243, CVE-2011-4183).
* fixed runtime error when checking sourceaccess of links (introduced in 2.1.15)

Please excuse this grave issue.
Wanted to inquire what test suite was used to identify the weaknesses?

On Thu, Dec 15, 2011 at 2:03 PM, Carsten Schoene <cs@linux-administrator.com> wrote:
Hello Adrian,

for SLE_11_SP1 it's still 2.1.15 and the buildstate is failed, the log says:
|error: Group field must be present in package: obs-api
Can this be fixed soon?

Carsten

On 15.12.2011 10:46, Adrian Schröter wrote:
Open Build Service (OBS) 2.1.16 just got released.
First of all, it fixes a serious security problem which allows everybody (even without an OBS account) to upload binaries to any project and repository.
Admins of public OBS instances got a pre-warning about this, but it is highly recommended to update every instance now to the final packages.
OBS 2.1.16 is published in the "openSUSE:Tools:2.1" project:
http://download.opensuse.org/repositories/openSUSE:Tools:2.1/
OBS 2.0.x and before are not affected (the bug was introduced by new security enhancements in the 2.1 release).
This issue is tracked as CVE-2011-4183, bnc#736243.
Some other issues (found by the test suite) got fixed as well. Find details in the Release Notes:

Feature backports:
==================
* Support linking to a remote OBS 2.3 package which links to non-existing packages.
* Support upload of build job results via the API for admin users.

Changes:
========
* dropped openSUSE 11.3 from default target list
* logrotate files are not installed with .logrotate suffix anymore

Bugfixes:
=========
* CRITICAL SECURITY FIX: Binary upload of build results was allowed to everybody without permission check (bnc#736243, CVE-2011-4183).
* fixed runtime error when checking sourceaccess of links (introduced in 2.1.15)

Please excuse this grave issue.
On Thursday, 15 December 2011, 21:43:36, James Ford wrote:
Wanted to inquire what test suite was used to identify the weaknesses?
The security weakness was just detected by looking at the code (it was really obvious). The test suite is our standard API test suite; it is just used to validate the correct behaviour now. It also showed another small regression in the sourceaccess check (but no security leak), so it got fixed as well.
On Thu, Dec 15, 2011 at 2:03 PM, Carsten Schoene <cs@linux-administrator.com> wrote:
Hello Adrian,

for SLE_11_SP1 it's still 2.1.15 and the buildstate is failed, the log says:
|error: Group field must be present in package: obs-api
Can this be fixed soon?
Done now (caused by our new spec file formatter, to be fixed ...)

bye
adrian
Carsten
On 15.12.2011 10:46, Adrian Schröter wrote:
Open Build Service (OBS) 2.1.16 just got released.
First of all, it fixes a serious security problem which allows everybody (even without an OBS account) to upload binaries to any project and repository.
Admins of public OBS instances got a pre-warning about this, but it is highly recommended to update every instance now to the final packages.
OBS 2.1.16 is published in the "openSUSE:Tools:2.1" project:
http://download.opensuse.org/repositories/openSUSE:Tools:2.1/
OBS 2.0.x and before are not affected (the bug was introduced by new security enhancements in the 2.1 release).
This issue is tracked as CVE-2011-4183, bnc#736243.
Some other issues (found by the test suite) got fixed as well. Find details in the Release Notes:

Feature backports:
==================
* Support linking to a remote OBS 2.3 package which links to non-existing packages.
* Support upload of build job results via the API for admin users.

Changes:
========
* dropped openSUSE 11.3 from default target list
* logrotate files are not installed with .logrotate suffix anymore

Bugfixes:
=========
* CRITICAL SECURITY FIX: Binary upload of build results was allowed to everybody without permission check (bnc#736243, CVE-2011-4183).
* fixed runtime error when checking sourceaccess of links (introduced in 2.1.15)

Please excuse this grave issue.

--
Adrian Schroeter
SUSE Linux Products GmbH
email: adrian@suse.de
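As an added illustration of the bug class behind CVE-2011-4183 (a state-changing API endpoint reachable without any permission check) and of the kind of regression check Adrian says the API test suite now performs, here is a small Ruby model. It is not OBS code; the route names, roles and the User struct are hypothetical. Permission requirements live in one table so that a test can list every mutating route that nothing guards.

```ruby
# Added example, not code from the OBS project. Hypothetical routes and roles.
User = Struct.new(:login, :roles)

# Role required per (method, route). nil means "anyone, even anonymous",
# which is what an upload endpoint without a permission check amounts to.
ROUTES = {
  ["GET",  "/source/:project"]                  => nil,
  ["PUT",  "/source/:project/:package/:file"]   => :maintainer,
  ["POST", "/build/:project/:repo/_upload"]     => :admin,   # fixed form
  ["POST", "/build/:project/:repo/_upload_old"] => nil,      # vulnerable form
}

MUTATING = %w[POST PUT DELETE].freeze

def role_satisfied?(user, required)
  return true if required.nil?                   # open route
  return false if user.nil?                      # anonymous caller, deny
  return true if user.roles.include?(:admin)     # admins may do anything
  user.roles.include?(required)
end

# Decision for one request: :allowed or :denied. The decision is made
# before any handler runs, so a denied upload never touches a repository.
def authorize(user, method, route)
  key = [method, route]
  raise ArgumentError, "unknown route #{method} #{route}" unless ROUTES.key?(key)
  role_satisfied?(user, ROUTES[key]) ? :allowed : :denied
end

# Regression check a release test suite can run: every mutating route
# that requires no role at all is reported as "METHOD /path".
def unprotected_mutating_routes(routes = ROUTES)
  routes.select { |(method, _), required| MUTATING.include?(method) && required.nil? }
        .keys.map { |method, route| "#{method} #{route}" }
end

if __FILE__ == $0
  puts "anonymous upload (fixed): #{authorize(nil, 'POST', '/build/:project/:repo/_upload')}"
  puts "unguarded mutating routes: #{unprotected_mutating_routes.inspect}"
end
```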