Wanted to inquire what test suite was used to identify the weaknesses?
On Thu, Dec 15, 2011 at 2:03 PM, Carsten Schoene
Hello Adrian,
for SLE_11_SP1 it's still 2.1.15 and buildstate is failed, log says: |error: Group field must be present in package: obs-api
can this be fixed soon?
Carsten | Am 15.12.2011 10:46, schrieb Adrian Schröter:
Open Build Service(OBS) 2.1.16 just got released.
In first place it is fixing a serious security problem which allows everybody (even without OBS account) to upload binaries to any project and repository.
Admins of public OBS instances got a pre warning about this, but it is highly recommended to update every instance now to the final packages.
OBS 2.1.16 is published in "openSUSE:Tools:2.1" project:
http://download.opensuse.org/repositories/openSUSE:Tools:2.1/
OBS 2.0.x and before are not affected (bug got introduced by new security enhancements in 2.1 release).
This issue is tracked as CVE-2011-4183, bnc#736243 .
Some other issues (found by test suite) got fixed as well. Find details in the Release Notes:
Feature backports: ==================
* Support linking to remote OBS 2.3 package which links to not existing packages. * Support upload of build job results via the api for admin users.
Changes: ========
* dropped openSUSE 11.3 from default target list * logrotate files are not installed with .logrotate suffix anymore
Bugfixes: =========
* CRITICAL SECURITY FIX: Binary upload of build results was allowed to everybody without permission check (bnc#736243, CVE-2011-4183). * fixed runtime error when checking sourceaccess of links (introduced in 2.1.15)
Please excuse this grave issue.
-- To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-buildservice+owner@opensuse.org