Mailinglist Archive: opensuse-security-announce (23 mails)

< Previous Next >
[security-announce] OBS 2.6.3, 2.5.7 and 2.4.8 released
OBS 2.6.3, 2.5.7 and 2.4.8 released
===================================

These releases are fixing in first place a security issue which
allows to modify package sources without the sufficient permissions.

This leak exists in almost all OBS releases so far, esp. when
using "patch" command version 2.7 or later, which introduced
the git format patch handling.

This issue is tracked as CVE-2015-0796.

It was found by Marcus Hüwe. Thanks a lot for his work and
the way he reported it, allowing us to fix this fast and properly.
In case you want to see an exemplary good security leak analyses,
read bugzilla issue #941099 :)

Updaters from any OBS 2.6 release can just ugrade the packages
and restart all services. Updaters from former releases should
read the README.UPDATERS file.

OBS update are available from the following projects:

https://build.opensuse.org/project/show/OBS:Server:2.6
https://build.opensuse.org/project/show/OBS:Server:2.5
https://build.opensuse.org/project/show/OBS:Server:2.4

The appliance can be downloaded from

http://openbuildservice.org/download


Details from the Release Notes of 2.6.3:
========================================


Feature backports:
==================

* backend: support using docker as build environment (not secure)

Changes:
========

* none

Bugfixes:
=========

* backend: validate results of external patch command. could be used
to modify packages without sufficiant permissions (bnc#941099,
CVE-2015-0796)
* backend: fixing create pattern call in publisher
* backend: fix handling of host specific bsconfig.* files


--

Adrian Schroeter
email: adrian@xxxxxxx

SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Dilip Upmanyu, Graham
Norton, HRB 21284 (AG Nürnberg)
Maxfeldstraße 5
90409 Nürnberg
Germany


--
To unsubscribe, e-mail: opensuse-security-announce+unsubscribe@xxxxxxxxxxxx
For additional commands, e-mail: opensuse-security-announce+help@xxxxxxxxxxxx

< Previous Next >
This Thread
  • No further messages