Open Build Service(OBS) 2.4.4 just got released =============================================== Another bugfix release of the 2.4 series is out there. This release fixes a serious security leak tracked as CVE-2013-3703 and Novell bugzilla 828256: Users can add or remove other users to projects or packages even when they have no maintainership there. All OBS 2.4 admins a requested to updated immediatly to close this hole. Instances with OBS 2.3 and before are not affected. While OBS 2.4.4 only contains the bugfix for this situation, we introduced a better design in master branch to avoid these kinds of bugs in future. Beside of that a number of bugfixes for constraints and change detections in the backend are included in this release.
From the official Release Notes:
Feature backports: ================== * none Changes: ======== * None Bugfixes: ========= * api: Fix for CVE-2013-3703 * api: Do not hide projects which have an explicit access enabled tag. * api: handle invalid strings in options.yml for allow_user_to_create_home_project setting * backend: repository type changes got not catched by the scheduler * backend: fix project deleting not cleaning up build area in async mode * backend: hostlabel build constraints had no effect * backend: constraints defined in project config had no effect * backend: start more then one worker by default if not using zVM -- Adrian Schroeter email: adrian@suse.de SUSE LINUX GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 21284 (AG Nürnberg) Maxfeldstraße 5 90409 Nürnberg Germany -- To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-buildservice+owner@opensuse.org