Mailinglist Archive: opensuse-buildservice (136 mails)

< Previous Next >
[opensuse-buildservice] OBS 2.6.3, 2.5.7 and 2.4.8 released
OBS 2.6.3, 2.5.7 and 2.4.8 released

These releases are fixing in first place a security issue which
allows to modify package sources without the sufficient permissions.

This leak exists in almost all OBS releases so far, esp. when
using "patch" command version 2.7 or later, which introduced
the git format patch handling.

This issue is tracked as CVE-2015-0796.

It was found by Marcus Hüwe. Thanks a lot for his work and
the way he reported it, allowing us to fix this fast and properly.
In case you want to see an exemplary good security leak analyses,
read bugzilla issue #941099 :)

Updaters from any OBS 2.6 release can just ugrade the packages
and restart all services. Updaters from former releases should
read the README.UPDATERS file.

OBS update are available from the following projects:

The appliance can be downloaded from

Details from the Release Notes:

Feature backports:

* backend: support using docker as build environment (not secure)


* none


* backend: validate results of external patch command. could be used
to modify packages without sufficiant permissions (bnc#941099,
* backend: fixing create pattern call in publisher
* backend: fix handling of host specific bsconfig.* files


Adrian Schroeter
email: adrian@xxxxxxx

SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Dilip Upmanyu, Graham
Norton, HRB 21284 (AG Nürnberg)
Maxfeldstraße 5
90409 Nürnberg

To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@xxxxxxxxxxxx
To contact the owner, e-mail: opensuse-buildservice+owner@xxxxxxxxxxxx

< Previous Next >
This Thread
  • No further messages