I want to acknowledge the perfect work of Marcus Hüwe here. He found the two security issues and just in case you look for a very good example work how to report bugs, please look at the bugreports from him :) boo#1094819 boo#1094820 (I created them, but Marcus reported to security@suse.de, what is also the perfect way doing it :) Marcus, thanks a lot again! adrian On Mittwoch, 6. Juni 2018, 14:09:28 CEST wrote Bjoern Geuken:
OBS 2.9.3 released ==================
We're happy to announce the release of Open Build Service Version 2.9.3.
This release includes 2 security fixes and we recommend to update your OBS instance as soon as possible. Please check out the release notes for further details or contact us.
In addition this release includes a couple of bugfixes for the OBS frontend and backend.
Install 2.9 =========
Please read our setup instructions
https://github.com/openSUSE/open-build-service/blob/2.9/README.md#installati...
or even better, use our appliance
http://download.opensuse.org/repositories/OBS:/Server:/2.9/images/
Update to OBS 2.9 ===============
In case you update from a previous OBS stable release please read the README.UPDATERS file which comes with this version.
https://github.com/openSUSE/open-build-service/blob/2.9/dist/README.UPDATERS
OBS Appliance users who have set up their LVM
http://openbuildservice.org/download/#appliance_config
can just replace their appliance image without data loss. The migration will happen automatically.
Details from Release Notes ===================
Features =======
Backend: * Allow to use different scheduling strategy which handles large build dependency cycles better. Enable it via project config:
BuildFlags: genmetaalgo:1
Bugfixes ========
Frontend: * Fixes permission issue that allowd unpermitted users to trigger services via the webui. * Permits setting the initial bs request state. This prevents setting the initial state to something else than 'new' (CVE-2018-7689). * Fixes permission check for projects with 'InitializeDevelPackage' attribute (CVE-2018-7688). * Fixes rendering of requests with multiple submit requests. Previously switching tabs would not trigger a reload of the request content for the selected request.
Backend: * Debian fixes to 2.9 - publish ONIE binary and hashsum, enable Secure Boot EFI signing for Debian packages. * New regex needssslcertforbuild for Debian builds * Support publishing via rsync syntax (allows to specify port numbers) * Make project config parser errors always visible * Fix corner case on wiping binaries * Improved .changes merge handling * Don't publish unneeded files of appdata in meta data * Fixing lost events on restarting schedulers * Make errors by not reachable remote instances better visible.
-- Adrian Schroeter email: adrian@suse.de SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg) Maxfeldstraße 5 90409 Nürnberg Germany -- To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-buildservice+owner@opensuse.org