[security-announce] OBS 2.6.3, 2.5.7 and 2.4.8 released
OBS 2.6.3, 2.5.7 and 2.4.8 released
===================================

These releases primarily fix a security issue that allows package sources to be modified without sufficient permissions. This vulnerability exists in almost all OBS releases so far, especially when the "patch" command is version 2.7 or later, which introduced git-format patch handling. The issue is tracked as CVE-2015-0796.

It was found by Marcus Hüwe. Thanks a lot for his work and the way he reported it, allowing us to fix this fast and properly. In case you want to see an exemplary good security vulnerability analysis, read bugzilla issue #941099 :)

Updaters from any OBS 2.6 release can just upgrade the packages and restart all services. Updaters from former releases should read the README.UPDATERS file.

OBS updates are available from the following projects:

  https://build.opensuse.org/project/show/OBS:Server:2.6
  https://build.opensuse.org/project/show/OBS:Server:2.5
  https://build.opensuse.org/project/show/OBS:Server:2.4

The appliance can be downloaded from http://openbuildservice.org/download

Details from the Release Notes of 2.6.3:
========================================

Feature backports:
==================

 * backend: support using docker as build environment (not secure)

Changes:
========

 * none

Bugfixes:
=========

 * backend: validate results of the external patch command; could be used to modify packages without sufficient permissions (bnc#941099, CVE-2015-0796)
 * backend: fix create pattern call in publisher
 * backend: fix handling of host-specific bsconfig.* files

--
Adrian Schroeter
email: adrian@suse.de
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Dilip Upmanyu, Graham Norton, HRB 21284 (AG Nürnberg)
Maxfeldstraße 5
90409 Nürnberg
Germany