Build Service team releases new versions fixing security problems

The Open Build Service team has released versions 2.0.8 and 2.1.6 of OBS. Both versions fix a critical security leak which can be used to modify projects or packages without having write permission to them. We highly recommend updating your OBS instance to these new versions as soon as possible. Version 1.7 is not affected by this issue. Thanks to Marcus Hüwe for reporting this issue.

Other Fixes in OBS 2.1.6

Additionally, OBS 2.1.6 also fixes security issues in LDAP mode and a possible cross-site scripting attack vector on the login screen (full XSS protection in all web UI interfaces will be part of OBS 2.3). Thanks to Dean Pierce from Intel for discussing these issues and possible solutions with us.

Security fixes
  • api: fix security leak which allowed modifying packages or projects without write access (CVE-2011-0466)
  • api: changing the password in LDAP mode was possible for a foreign user (bnc #648982)
  • webui: fix possible XSS attack vectors in the login page (bnc #669909, CVE-2011-0462)
Bug fixes
  • webui: fix link to the moved OBS web forums
  • webui: fix adding of repositories from remote projects in the advanced repository interface
  • api and webui: do not use (and fail with) a Rails 3 environment
  • api: allow admins to raise "sourceaccess" permissions on existing projects or packages
  • api: do not allow creating packages with invalid characters via the branch command
  • api: do not fail on "mbranch" when a package is found both directly and indirectly via a project link
  • backend: allow browsing of repositories of remote projects (fixes the advanced webui view for adding repositories)

Download

You can download all the OBS components (Clients, API, Server, Worker) from our download page and set up your own Open Build Service instance.

Update Notes

Updaters from any OBS 2.1 release can simply upgrade the packages and restart all services. Updaters from earlier releases should read the README.UPDATERS file.