[opensuse-buildservice] OBS 2.7.1 released
OBS 2.7.1 released
==================

This release fixes two important CVEs in OBS related dependencies (rails,
actionview, activerecord). The related CVEs are stated in the Release Notes.
For more information, please see this blog article from the official rails
website:

http://weblog.rubyonrails.org/2016/8/11/Rails-5-0-0-1-4-2-7-2-and-3-2-22-3-h...

Previous OBS releases are also affected, but not yet fixed. We plan to release
a fix for 2.6 in the next few days.

Updaters from any OBS 2.7.0 release can just upgrade the packages and restart
all services. Updaters from former releases should read the README.UPDATERS
file.

OBS updates are available from the following projects:

https://build.opensuse.org/project/show/OBS:Server:2.7

The appliance can be downloaded from

http://openbuildservice.org/download

Details from the Release Notes of 2.7.1:
========================================

Feature backports:
==================

* none

Changes:
========

* none

Bugfixes:
=========

* [webui][api] Update rails to version 4.2.7.1 to fix CVE-2016-6316 and CVE-2016-6317
* [webui] Users in not 'confirmed' state were allowed to login
* [api] Users in not 'confirmed' state were allowed to run services via former created token
* [backend] Fixing project copy which includes binaries
* [backend] worker supports jobs from OBS 2.8 scheduler
* [backend] support publishing of .vdi (VirtualBox image) files

--
Christian Bruckmayer
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg)
Maxfeldstraße 5
90409 Nürnberg
Germany

--
To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-buildservice+owner@opensuse.org