OBS 2.9.4 released ================== We're happy to announce the release of Open Build Service Version 2.9.4. This release includes 2 security fixes and we recommend to update your OBS instance as soon as possible. Please check out the release notes for further details or contact us. Once again a big thank you goes to Marcus Hüwe who found the security bugs, provided detailed bug descriptions and patches:-) If you find security bugs yourself, please report them to security@suse.de. Install 2.9 ========= Please read our setup instructions https://github.com/openSUSE/open-build-service/blob/2.9/README.md#installati... or even better, use our appliance http://download.opensuse.org/repositories/OBS:/Server:/2.9/images/ Update to OBS 2.9 =============== In case you update from a previous OBS stable release please read the README.UPDATERS file which comes with this version. https://github.com/openSUSE/open-build-service/blob/2.9/dist/README.UPDATERS OBS Appliance users who have set up their LVM http://openbuildservice.org/download/#appliance_config can just replace their appliance image without data loss. The migration will happen automatically. Details from Release Notes =================== Bugfixes ======== Frontend: * Fixes permission check for bs requests with source projects that link to another project (CVE-2018-12466, bsc#1098934) * Fixes permission check in the InitializeDevelPackage attribute codepath (CVE-2018-12467, bsc#1100217) * Fix permission check of linked projects in BsRequestAction.check_action_permission -- To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-buildservice+owner@opensuse.org