Mailinglist Archive: opensuse-buildservice (137 mails)

< Previous Next >
Re: [opensuse-buildservice] OBS 2.1.16 released. PLEASE UPDATE: Critical security fix.
  • From: Adrian Schröter <adrian@xxxxxxx>
  • Date: Fri, 16 Dec 2011 08:11:20 +0100
  • Message-id: <1506018.xEv8kWFRdh@scherben>
Am Donnerstag, 15. Dezember 2011, 21:43:36 schrieb James Ford:
Wanted to inquire what test suite was used to identify the weaknesses?

The security weakness was just detected by looking at the code (it was really

The test suite is our standard api test suite, it is just used to validate
the correct behaviour now. It showed also another small regression by
sourceaccess check (but no security leak), so it got fixed as well.

On Thu, Dec 15, 2011 at 2:03 PM, Carsten Schoene

<cs@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
Hello Adrian,

for SLE_11_SP1 it's still 2.1.15 and buildstate is failed, log

|error: Group field must be present in package: obs-api

can this be fixed soon?

Done now (Caused by our new spec file formater, to be fixed ...)



Am 15.12.2011 10:46, schrieb Adrian Schröter:
Open Build Service(OBS) 2.1.16 just got released.

In first place it is fixing a serious security problem which allows
everybody (even without OBS account) to upload binaries to any project
and repository.

Admins of public OBS instances got a pre warning about this, but it is
highly recommended to update every instance now to the final

OBS 2.1.16 is published in "openSUSE:Tools:2.1" project:

OBS 2.0.x and before are not affected (bug got introduced by new
security enhancements in 2.1 release).

This issue is tracked as CVE-2011-4183, bnc#736243 .

Some other issues (found by test suite) got fixed as well. Find
details in the Release Notes:

Feature backports:

* Support linking to remote OBS 2.3 package which links to not
existing packages.
* Support upload of build job results via the api for admin users.


* dropped openSUSE 11.3 from default target list
* logrotate files are not installed with .logrotate suffix anymore


* CRITICAL SECURITY FIX: Binary upload of build results was allowed
everybody without permission check (bnc#736243, CVE-2011-4183).
* fixed runtime error when checking sourceaccess of links
(introduced in 2.1.15)

Please excuse this grave issue.
Adrian Schroeter
SUSE Linux Products GmbH
email: adrian@xxxxxxx

To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@xxxxxxxxxxxx
To contact the owner, e-mail: opensuse-buildservice+owner@xxxxxxxxxxxx

< Previous Next >