OBS 2.6.6 released
==================

This release fixes a cross-site scripting security issue, tracked in

  https://github.com/openSUSE/open-build-service/issues/1218

The issue exists in the WebUI component and can be used to steal sessions,
for instance to gain access to projects as another user.

Updaters from any OBS 2.6 release can just upgrade the packages and restart
all services. Updaters from former releases should read the README.UPDATERS
file.

Updated OBS packages are available from

  https://build.opensuse.org/project/show/OBS:Server:2.6

The appliance can be downloaded from

  http://openbuildservice.org/download

Details from the Release Notes of 2.6.6:
========================================

Feature backports:
==================

 * none

Changes:
========

 * Keep enforce_project_keys/forceprojectkeys in sync

Bugfixes:
=========

 * webui: fix XSS attack vector via project.title

Henne

-- 
Henne Vogelsang
http://www.opensuse.org
Everybody has a plan, until they get hit.
        - Mike Tyson