Mailinglist Archive: opensuse-buildservice (207 mails)

[opensuse-buildservice] OBS 2.0.8 and 2.1.6 released

The openSUSE Build Service team has released version 2.0.8 and 2.1.6.

Both versions are fixing a critical security leak which can be misused to
projects or packages without having write permission there. We therefore highly
recommend updating your instance.
Thanks to Marcus Hüwe for reporting this issue.

Version 1.7 is not affected by this issue.

OBS 2.1.6 is fixing also security issues in LDAP mode and a possible cross-site
attack vector on the login screen (full XSS protection in all webui interfaces
will be part of OBS 2.3).
Thanks to Dean Pierce from Intel for discussing these issues and possible
solutions with us.

Version 2.1.6 can be downloaded as usual from gitorious, openSUSE:Tools (or
for version 2.0.8) project repositories or as appliance for testing and
production systems:

OBS 2.1.6 contains also further changes, please read the release notes below:

# openSUSE Build Service 2.1.6

Updaters from any OBS 2.1 release can just upgrade the packages and restart
all services. Updaters from former releases should read the

Security fixes:
* api: fix security leak which allowed to modify packages or projects without
write access (CVE-2011-0466)
* api: change password in LDAP mode was possible for foreign user (bnc #648982)
* webui: Fix possible XSS attack vectors in login page (bnc #669909,

Feature backports:



* openSUSE 11.4 and Debian 6.0 got added as default target.
* adding reviewers or changing the review state is only allowed for requests
which are in review state now.


* webui: Fix link to moved OBS web forums
* webui: Fix adding of repositories from remote projects in advanced repository
* api and webui: Do not use (and fail with) rails 3 environment
* api: allow admins to raise "sourceaccess" permissions on existing projects or
* api: do not allow to create packages with invalid chars via branch command
* api: do not fail on "mbranch" when a package gets found directly and
indirectly via project link
* backend: Allow browsing of repositories of remote projects (fixes advanced
webui view for adding repos)


Adrian Schroeter
SUSE Linux Products GmbH
email: adrian@xxxxxxx