OBS 2.6.7 released
==================

This release first and foremost fixes two XSS security issues. The leak exists in the webui search and on the project site, which can be misused to steal passwords or to gain access to projects.

Furthermore, we fixed several minor bugs (see the release notes). Please note that we upgraded passenger to version 5.0.15.

OBS 2.5 is also affected, but not yet fixed. OBS 2.4 and before are not affected.

Updaters from any OBS 2.6 release can just upgrade the packages and restart all services. Updaters from former releases should read the README.UPDATERS file.

OBS updates are available from the following projects:

  https://build.opensuse.org/project/show/OBS:Server:2.6

The appliance can be downloaded from

  http://openbuildservice.org/download

Details from the Release Notes of 2.6.7:
========================================

Feature backports:
==================

 * none

Changes:
========

 * [backend] compatibility support with Download-on-Demand definitions from OBS 2.7

Bugfixes:
=========

 * [webui] drop hardcoded opensuse email address and link
 * [webui] fix XSS attack vector via User.realname (bnc#950932)
 * [webui] fix XSS attack vector via Project.title (bnc#950932)
 * [webui] add spec & changes file code highlighting
 * [webui] fix saving files with code highlights (e.g. .js, .kiwi)
 * [webui] fix order of packages/projects for the 'Involved Projects' table on the user home page