
Vulnerability in the OBS software package

  • OS details: LSU
  • Severity: IMP
  • Operating systems: L
  • Categories: LSU

OBS 2.6.3, 2.5.7 and 2.4.8 released
===================================

These releases first and foremost fix a security issue that allows
package sources to be modified without sufficient permissions.

This flaw exists in almost all OBS releases so far, especially when
the "patch" command is version 2.7 or later, which introduced
handling of git-format patches.

This issue is tracked as CVE-2015-0796.

It was found by Marcus Hüwe. Many thanks for his work and for
the way he reported it, which allowed us to fix this fast and properly.
If you want to see an exemplary security issue analysis,
read bugzilla issue #941099 🙂

Updaters from any OBS 2.6 release can simply upgrade the packages
and restart all services. Updaters from earlier releases should
read the README.UPDATERS file.

OBS updates are available from the following projects:

https://build.opensuse.org/project/show/OBS:Server:2.6
https://build.opensuse.org/project/show/OBS:Server:2.5
https://build.opensuse.org/project/show/OBS:Server:2.4

The appliance can be downloaded from

http://openbuildservice.org/download

Details from the Release Notes of 2.6.3:
========================================

Feature backports:
==================

* backend: support using docker as build environment (not secure)

Changes:
========

* none

Bugfixes:
=========

* backend: validate results of the external patch command; it could be used
to modify packages without sufficient permissions (bnc#941099, CVE-2015-0796)
* backend: fixing create pattern call in publisher
* backend: fix handling of host specific bsconfig.* files
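The bugfix above validates what the external patch command actually produced, rather than trusting it, because git-format patch headers (supported by patch 2.7 and later) can name files the package owner never intended to touch. The following is an added illustration written for this page, not OBS's own code (the OBS backend is Perl; this is a stand-alone Python sketch with my own function names): it collects every destination path a git-format patch declares (`diff --git` headers plus `rename to`/`copy to` lines), rejects any that resolves outside the package source directory, and then walks the resulting tree to reject symlinks that point outside it. The two sample patches and the planted symlink are constructed for the example; it does not invoke `patch` itself.

```python
"""Sanity checks around an untrusted git-format patch applied to package sources.

Illustrative code only (not the OBS backend fix): it does not run `patch`;
it checks the paths a patch declares and the tree left behind afterwards.
"""
import os
import re
import tempfile

# Header lines that name a destination path in git-format patches.
GIT_HEADER = re.compile(r"^diff --git a/(\S+) b/(\S+)$")
MOVE_TO = re.compile(r"^(?:rename|copy) to (\S+)$")

# Constructed sample patches (not taken from the advisory or bug report).
BENIGN_PATCH = (
    "diff --git a/foo.c b/foo.c\n"
    "--- a/foo.c\n"
    "+++ b/foo.c\n"
    "@@ -1 +1 @@\n"
    "-int x = 1;\n"
    "+int x = 2;\n"
)
ESCAPING_PATCH = (
    "diff --git a/foo.c b/foo.c\n"
    "rename from foo.c\n"
    "rename to ../../outside.c\n"
)


def declared_paths(patch_text):
    """Every destination path a git-format patch claims to create or touch."""
    paths = set()
    for line in patch_text.splitlines():
        m = GIT_HEADER.match(line)
        if m:
            paths.update(m.groups())
            continue
        m = MOVE_TO.match(line)
        if m:
            paths.add(m.group(1))
    return paths


def inside(root, target):
    """True if target, after resolving symlinks, lies within the resolved root."""
    root = os.path.realpath(root)
    return os.path.commonpath([root, os.path.realpath(target)]) == root


def path_escapes(root, rel):
    """True if a path as written in the patch would land outside root.
    realpath() also follows any symlinked parent component on the way."""
    return os.path.isabs(rel) or not inside(root, os.path.join(root, rel))


def check_patch_result(root, patch_text):
    """Return a list of problems; an empty list means the result is acceptable.

    Two checks: the patch must not declare paths outside the source tree, and
    after application the tree must not contain symlinks pointing outside it
    (a later patch or the build would otherwise write through them)."""
    problems = []
    for rel in sorted(declared_paths(patch_text)):
        if path_escapes(root, rel):
            problems.append(f"declared path escapes source dir: {rel}")
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) and not inside(root, full):
                problems.append(
                    f"symlink leaves source dir: {os.path.relpath(full, root)}"
                    f" -> {os.readlink(full)}")
    return problems


def run_demo():
    """Run three scenarios in a scratch directory and return their findings."""
    with tempfile.TemporaryDirectory() as srcdir:
        results = {
            "benign": check_patch_result(srcdir, BENIGN_PATCH),
            "escaping": check_patch_result(srcdir, ESCAPING_PATCH),
        }
        # Simulate a symlink planted in the tree by an earlier, unvalidated patch.
        os.symlink("/nonexistent-target", os.path.join(srcdir, "planted"))
        results["after_symlink"] = check_patch_result(srcdir, BENIGN_PATCH)
    return results


if __name__ == "__main__":
    for scenario, findings in run_demo().items():
        print(f"{scenario}: {findings or 'ok'}")
```

The point of walking the tree after application, not just parsing the headers, is the one the fix makes: the patch tool is the untrusted component here, so whatever it wrote is what has to be verified, and the header scan is only a cheap first filter.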

Adrian Schroeter
email: adrian@suse.de

SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Dilip Upmanyu, Graham Norton, HRB 21284 (AG Nürnberg)
Maxfeldstraße 5
90409 Nürnberg
Germany


To unsubscribe, e-mail: opensuse-security-announce+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-security-announce+help@opensuse.org

  • Author: Tomislav Protega
  • CERT ID: NCERT-REF-2015-08-0030-ADV
  • CVE: CVE-2015-0796
  • Source ID: OBS
  • Product: OBS
  • Source: http://www.suse.com