The Open Build Service team has released versions 2.0.8 and 2.1.6 of OBS. Both versions fix a critical security hole that can be used to modify projects or packages without having write permission to them. We strongly recommend updating your OBS instance to these new versions as soon as possible. Version 1.7 is not affected by this issue. Thanks to Marcus Hüwe for reporting this issue.
Additionally, OBS 2.1.6 fixes security issues in LDAP mode and a possible cross-site scripting attack vector on the login screen (full XSS protection in all webui interfaces will be part of OBS 2.3). Thanks to Dean Pierce from Intel for discussing these issues and possible solutions with us.
You can download all the OBS components (Clients, API, Server, Worker) from our download page and set up your own Open Build Service instance.
Users updating from any OBS 2.1 release can simply upgrade the packages and restart all services. Users updating from earlier releases should read the README.UPDATERS file.