[opensuse-buildservice] Open Build Service (OBS) 2.6.7 released
  • From: Christian Bruckmayer <cbruckmayer@xxxxxxx>
  • Date: Mon, 9 Nov 2015 16:44:38 +0100
OBS 2.6.7 released

This release primarily fixes two XSS security issues.

The leak exists in the webui search and on the project site which can
be misused to steal passwords or to gain access to projects.

Furthermore we fixed several minor bugs (see the release notes).

Please note that we upgraded passenger to version 5.0.15.

OBS 2.5 is also affected, but not yet fixed. OBS 2.4 and before
are not affected.

Updaters from any OBS 2.6 release can just upgrade the packages
and restart all services. Updaters from former releases should
read the README.UPDATERS file.

OBS updates are available from the following projects:

The appliance can be downloaded from

Details from the Release Notes of 2.6.7:

Feature backports:

* none


* [backend] compatibility support with Download-on-Demand definitions from
OBS 2.7


* [webui] drop hardcoded opensuse email address and link
* [webui] fix XSS attack vector via User.realname (bnc#950932)
* [webui] fix XSS attack vector via Project.title (bnc#950932)
* [webui] add spec & changes file code highlighting
* [webui] fix saving files with code highlights (e.g. .js, .kiwi)
* [webui] fix order of packages/projects for the 'Involved Projects'
table on the user home page