Mailinglist Archive: opensuse-buildservice (175 mails)

[opensuse-buildservice] OBS 2.1.13 released
  • From: Adrian Schröter <adrian@xxxxxxx>
  • Date: Thu, 20 Oct 2011 17:33:15 +0200
  • Message-id: <6007550.Vo9o8oyBjL@scherben>

We released another 2.1 version, providing a security fix. The
webui had a place where code injection worked. This means everybody can run
code on your web server as the "wwwrun" or "lighttpd" user.

OBS 2.0.x and earlier are not affected. Current OBS 2.3 candidate packages
contain the fix as well.

Please find the packages and appliances here:

http://download.opensuse.org/repositories/openSUSE:/Tools:/2.1/

The openSUSE:Tools project is still on hold until 2.3 gets released.


People who run a publicly reachable OBS instance have been informed beforehand.
If you also want to get an early warning in such cases, please drop me a mail and
tell me which instance you maintain.


The changes are quite minimal:

Feature backports:
==================

* none

Changes:
========

* api: updated default build target list

Bugfixes:
=========

* webui: fixed quoting of URL parameter (CVE-2011-3178, bnc#723788)


--
Adrian Schroeter
SUSE Linux Products GmbH
email: adrian@xxxxxxx
