Changelog for
obs-worker-2.10.23-150500.124.1.noarch.rpm :
* Fri Mar 01 2024 daniel.donisaAATTsuse.com- Update to version 2.10.22 Bugfixes ======== Frontend:
* Update rack to version 2.2.8.1 - Fixed ReDoS in Accept header parsing [CVE-2024-26146] - Fixed ReDoS in Content Type header parsing [CVE-2024-25126] - Reject Range headers which are too large [CVE-2024-26141] DoS Vulnerability in Multipart MIME parsing.
* Thu Mar 16 2023 daniel.donisaAATTsuse.com- Update to version 2.10.21 Bugfixes ======== Frontend:
* Update rack to version 2.2.6.4 - Fixes CVE-2023-27539 Avoid ReDoS (https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS) in header parsing. - Fixes CVE-2023-27530 Possible DoS Vulnerability in Multipart MIME parsing.+
* Fri Jan 27 2023 lukas.krauseAATTsuse.com- Update to version 2.10.20 Bugfixes ======== Frontend:
* Update globalid gem from 1.0.0 to 1.0.1 - Fixes CVE-2023-22799 ReDoS based DoS vulnerability in the GlobalID gem
* Update rack gem from 2.2.4 to 2.2.6.2 - Fixes CVE-2022-44571 Denial of service vulnerability in the Content-Disposition parsing component of Rack. - Fixes CVE-2022-44572 Denial of service vulnerability in the multipart parsing component of Rack. - Fixes CVE-2022-44570 Possible denial of service vulnerability in the Range header parsing component of Rack.
* Thu Dec 15 2022 daniel.donisaAATTsuse.com- Update to version 2.10.19 Bugfixes ======== Frontend:
* Update rails-html-sanitizer to 1.4.4 - CVE-2022-32209 Rails::Html::Sanitizer vulnerable to Cross-site Scripting
* Fix support for qemu system emulated builds via bs_worker
* Mon Jul 18 2022 daniel.donisaAATTsuse.com- Update to version 2.10.17 Bugfixes ======== Frontend:
* Bug fix session leaking during BsRequest auto accept - See https://github.com/openSUSE/open-build-service/pull/12821
* Update rails to 5.2.8.1 - CVE-2022-32224 Possible RCE escalation bug with Serialized Columns in Active Record
* Update tzinfo from 1.2.9 to 1.2.10 - CVE-2022-31163 TZInfo relative path traversal vulnerability allows loading of arbitrary files
* Thu May 26 2022 scabrerapadronAATTsuse.de- Update to version 2.10.16 Features ======== Backend:
* Support for qemu system emulated worker instances Bugfixes ======== Frontend:
* Update Nokogiri to version 1.13.6 to fix two security issues: - CVE-2022-29181 Improper Handling of Unexpected Data Type.
* Update rack to 2.2.3.1 - CVE-2022-30122 Denial of Service Vulnerability in Rack Multipart Parsing - CVE-2022-30123 Possible shell escape sequence injection
* Thu May 05 2022 lukas.krauseAATTsuse.com- Update to version 2.10.15 Bugfixes ========
* Frontend: - Fix CVE-2022-22577: There is a possible XSS vulnerability in Rails / Action Pack. CSP headers were only sent along with responses that Rails considered as \"HTML\" responses. This left API requests without CSP headers, which could possibly expose users to XSS attacks. - Fix CVE-2022-27777: There is a possible XSS vulnerability in Action View tag helpers. Passing untrusted input as hash keys can lead to a possible XSS vulnerability
* Wed Apr 27 2022 adrianAATTsuse.de- Update to version 2.10.14 - support zstd preinstallimages as produced by new build script
* Tue Apr 19 2022 hvogelAATTsuse.comUpdate to version 2.10.13 - Fix XML external entity (XXE) injection in xmlhash CVE-2022-21949 - Update to Ruby 2.7 - Fix heap memory corruption in yajl-ruby gem https://github.com/brianmario/yajl-ruby/security/advisories/GHSA-jj47-x69x-mxrm - Fix excessive backtracking in nokogiri gem https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-crjr-9rc5-ghw8 - Fix priviledge escalation issue in ProjectDoProjectReleaseJob (#12407)
* Thu Feb 25 2021 hvogelAATTsuse.com- Update to version 2.10.10 Bugfixes ========
* frontend: - CVE-2020-15169: Potential XSS vulnerability in Action View - CVE-2020-8184: Percent-encoded cookies can be used to overwrite existing prefixed cookie names - GHSA-g6wq-qcwm-j5g2: ReDoS vulnerability in Sec-WebSocket-Extensions parser - GHSA-vr8q-g5c7-m54m: Nokogiri::XML::Schema trusts input by default, exposing risk of an XXE vulnerability
* Tue Jan 12 2021 daniel.donisaAATTsuse.com- Update to version 2.10.9 Bugfixes ========
* Frontend: - Update redcarpet gem to fix a security vulnerability.
* Thu Dec 03 2020 scabrerapadronAATTsuse.de- Update to version 2.10.8 Bugfixes ========
* Frontend: - CVE-2020-8031: Potential Cross-Site Scripting in markdown rendering.
* Mon Jun 29 2020 enavarroAATTsuse.com- Update to version 2.10.7 Bugfixes ========
* Frontend: - CVE-2020-8184: Percent-encoded cookies can be used to overwrite existing prefixed cookie names
* Mon Jun 29 2020 enavarroAATTsuse.com- Remove unneeded files, after retrieving them with the services.
* Mon Jun 29 2020 enavarroAATTsuse.com- Remove \'mode=\"disabled\"\' for obs_scm and bundle_gems services.
* Wed Jun 03 2020 dkangAATTsuse.com- Update to version 2.10.6 Bugfixes ========
* frontend: - CVE-2020-8165: Potentially unintended unmarshalling of user-provided objects in MemCacheStore and RedisCacheStore - CVE-2020-11082: Potential Cross Site Scripting in Kaminari gem
* Tue May 19 2020 adrianAATTsuse.de- Update to version 2.10.5 Bugfixes ======== Backend
* CVE-2020-8021: unauthorized read access to files where sourceacess is disabled via a crafted _service (bsc#1171649)
* Wed May 13 2020 vpereiraAATTsuse.com- Update to version 2.10.4 Bugfixes ======== Frontend
* CVE-2020-8020: Possible stored XSS attack on comments markdown
* Tue Apr 28 2020 adrianAATTsuse.de- Update to version 2.10.3 Frontend:
* Support recent MySQL/MariaDB releases Backend:
* Fix redis service restart behaviour Shipment:
* Support for openSUSE Leap 15.2 and SLES 15 SP2
* Thu Apr 02 2020 enavarroAATTsuse.com- Update to version 2.10.2 Features ======== Backend:
* Support for zstd compressed Arch Linux packages Bugfixes ======== Frontend:
* Security update for gem rails (CVE-2020-5267)
* Thu Apr 02 2020 enavarroAATTsuse.com- Add missing changes made in 2.10.1 Features ======== Backend:
* EXPERIMENTAL: Add support for rpm-md modules (RHEL/CentOS 8 only). Modules can get enabled via· ExpandFlags: module:$MODULE_NAME in build configuration. Note: they tend to conflict.
* bs_publish: support Debian\'s InRelease file
* support zchunk compression for rpm-md metadata
* new systemd-nspawn backend
* Support zstd compression for rpm and deb Bugfixes ======== Frontend:
* Fix partial editor option hash defaults (obs#8018)
* Fixed inconsistent data on package undelete
* Sphinx startup fixes
* Fix maintained projects link Backend:
* Support openssl 1.1 and newer
* fix publisher sleeping behaviour (obs#8276)
* bs_publish: fix $rsync_extra_options handling (obs#8384)
* service expansion: tweak oldfiles handling (obs#7596)
* fix publishing of containers when no registry is configured Shipment:
* obsdodup starts after obsapisetup Bugfixes:
* Make cleanup_scm_cache cron job work again
* Fix LogRotate setup
* Thu Jul 04 2019 hvogelAATTsuse.com- Update to version 2.10 Features ======== Generic:
* replaced sysv init scripts with systemd files
* Add binary release tracking data for containers.
* Add support to collect performance metrics with InfluxDB
* Amazon EC2/ Microsoft Azure cloud upload support
* Text fields are stored as 4 byte UTF-8 which allows to use emojis. To use this feature, switch database.yml to utf8mb4 encoding
* Added `beta` environment in \'config/feature.yml\' to toggle features in the beta program.
* Bugowners of a project/package now receive notifications about new comments
* Request pre-approval support. Requests will be accepted when last review gets accepted.
* Support webhooks from gitlab
* Send requests creation to rabbitmq bus
* Admins can write Terms of Services, via the API, and they will be shown in the WebUI to users unless they acknowledge them. User Interface:
* Improved UI/UX for package live build log (hints & start/stop loading)
* Do not show excluded entries in package build results by default.
* Refactored the view of the binaries page that before was just a list of links that pointed to the details page. Now you can download the files and upload images to the cloud directly from here.
* Limit results for autocompletion queries to 50
* Include all results for autocompletion that match with the search string.
* Hide disabled repositories by default
* Excluded entries in package build results are not shown by default anymore.
* Use full author identities in generating changes entries
* Request descriptions are now mandatory to avoiding unnecessary requets Backend & build support:
* new publisher features - vagrant box publishing - zchunk compressed files in rpm-md metadata
* binary tracking improvements - tracking of appliances and containers
* container improvements - support multi-arch container manifest generation - kiwi profile handling - improved parsing of Dockerfiles - new OBS-AddTag and OBS-Imagerepo directives - take container with the highest version/release if there is a conflict over a tag - disk space savings with container layer deduplication - integrated container registry
* speed improvements - faster repository publishing and product generation - incremental project updates in the scheduler - reducred interconnect load due to a lastevents proxy
* odds and ends - obs-build: shell support in KVM - prjconf package exclude feature (\"onlybuild\") - sysrq and core dump support for KVM builds - support rpm\'s new \'^\' separator in version comparison - milestone numbering support in release handling Shipment:
* Require system gems (rake and rack) in api-deps package Bugfixes:
* Binary view now shows correct data for multibuild packages
* Source diffs with mixed encoding were causing failures when processing notification mails. This is fixed now.
* Improved explanatory text for role changes on request review page.
* Rails security update was patched (CVE-2019-5419).
* Added upper-limit to range to avoid long running queries in Webui::MonitorController.
* In WebUI, only admins are allowed to create DoD repositories.
* In WebUI, only admins are allowed to create sourceaccess/access repositories flags.
* Added missing authorization to move repository path in Webui::ProjectController.
* Require sourceaccess by default in `require_package`. Intentional changes: ====================
* always run services on expanded link sources
* The format of the OBS options.yml is now distinguishing between Rails environments. You can convert your old configuration by running: (cd /srv/www/obs/api/; rake migrate_options_yml)
* OBS is now using the lograge gem to generate production logs. We are now logging (in one line per request):
* Timestamp
* Request: Method + Controller + Action + Path + Params
* Response status
* Duration: Overall / View / DB
* Remote IP
* User login
* In previous releases it was possible to delete attributes through /source/
/_attribute/?namespace=OBS&name=VeryImportantProject (or similiar for packages). You need to follow the documentation now and the proper route is /source//_attribute/OBS:VeryImportantProject
* GET \'/attribute/:attribute\' route responded with a 400 when the attribute type did not exist. It now returns a 404 status.
* GET \'/source//_attribute\' allowed to filter by namespace. This was never documented and was removed now. \'/_attribute\' will return all attributes, while \'/_attribute/:attribute\' keeps returning only the given attribute (as documented)
* The \'commenter\' and \'commenters\' payload of Comment events used to contain user ids. They now contain the user login name instead. Run the data migrations to convert events in the old format: \'rails data:migrate RAILS_ENV=production\'
* Messages (for projects/packages) deprecated. The API routes below /message/ are deprecated and will be removed in the next version.
* Deprecated Ratings. The following API routes are deprecated and will be removed in the next version: - GET /statistics/highest_rated?limit= - GET /statistics/rating// - PUT /statistics/rating//
* Project and package release operations used to return a 403 permission error also on configuration errors. This is a 404 now: - POST /source/?cmd=release - POST /source//?cmd=release
* Public route dropped for reading patchinfo - GET \'patchinfo/read_patchinfo\'
* Mon Apr 01 2019 dkangAATTsuse.com- Update to version 2.9.6 Bugfixes ======== Frontend:
* Rails security update was patched (CVE-2019-5419).
* Added upper-limit to range to avoid long running queries in Webui::MonitorController.
* In WebUI, only admins are allowed to create DoD repositories.
* In WebUI, only admins are allowed to create sourceaccess/access repositories flags.
* Added missing authorization to move repository path in Webui::ProjectController
* Require sourceaccess by default in `require_package`.
* Mon Oct 08 2018 hvogelAATTsuse.com- Update to version 2.9.5 Bugfixes ======== Frontend:
* Do not allow null characters in comments
* Prevent creation of a request with an ID attribute Backend:
* avoid wipebinaries in locked projects
* fixes for new genmeta scheduling strategy
* fixed usage of preinstallimages Features ======== Backend:
* obs_admin can trigger DoD repository meta data updates via --recheck-dod option
* Tue Jul 24 2018 bgeukenAATTsuse.com- Release of OBS – 2.9.4 Bugfixes ======== Frontend:
* Fixes permission check for bs requests with source projects that link to another project (bsc#1098934)
* Fixes permission check in the InitializeDevelPackage attribute codepath (bsc#1100217)
* Fix permission check of linked projects in BsRequestAction.check_action_permission
* Wed Jun 06 2018 bgeukenAATTsuse.com- 2.9.3 release: Features ======= Backend:
* Allow to use different scheduling strategy which handles large build dependency cycles better. Enable it via project config: BuildFlags: genmetaalgo:1 Bugfixes ======== Frontend:
* Fixes permission issue that allowd unpermitted users to trigger services via the webui.
* Permits setting the initial bs request state. This prevents setting the initial state to something else than \'new\' (CVE-2018-7689).
* Fixes permission check for project with \'InitializeDevelPackage\' attribute (CVE-2018-7688).
* Fixes rendering of requests with multiple submit requests. Previously switching tabs would not trigger a reload of the request content for the selected request. Backend:
* Debian fixes to 2.9 - publish ONIE binary and hashsum, enable Secure Boot EFI signing for Debian packages.
* New regex needssslcertforbuild for Debian builds
* Support publishing via rsync syntax (allows to specify port numbers)
* Make project config parser errors always visible
* Fix corner case on wiping binaries
* Improved .changes merge handling
* Don\'t publish unneeded files of appdata in meta data
* Fixing lost events on restarting schedulers
* Make errors by not reachable remote instances better visible.
* Wed Jun 06 2018 bgeukenAATTsuse.com- 2.9.2 release: Features ======== Frontend:
* Admins can now mark user to be managed locally instead via LDAP
* Cloud uploads can be managed (started, aborted and listed) via API Bugfixes ======== Frontend:
* Fixed issue in live build log that caused parts of the log being duplicated
* Upgrading from 2.8 to 2.9 caused remote repositories with same name to get deleted - If the instance got already upgraded and an interconnect is configured, it might be necessary to restore the database with data from the backend - This can be done with \'rake.ruby2.5 fix_project \'
* Wed Jun 06 2018 bgeukenAATTsuse.com- 2.9.1 release (= initial 2.9 release): Generic:
* image and container maintenance support, including binary tracking
* riscv64 hardware architecture support Frontend:
* New Kerberos authentication mode. Read how to setup Kerberos in the OBS Admin Guide: http://openbuildservice.org/help/manuals/obs-admin-guide/
* New job history page to see why a package was built.
* New GPG key details dialog.
* RSS Feeds for User\'s Notifications is now available.
* New Studio Express feature:
* New central page to branch image templates from.
* Add and edit repository and package lists in kiwi files.
* Edit kiwi image details: name, author, contact, specification.
* RabbitMQ support. OBS admins can configure their instance to send messages to a RabbitMQ server. Read more in the OBS Admin Guide.
* Receive email notifications for projects that are in your watchlist. Configure at /user/notifications.
* Improved UI/UX for configuration of notifications page. Now it shows a better layout and explanations to make this complex page easy to understand.
* Allow users to view the full diff of large changes.
* Remove the unused api_relative_url_root option from the options.yml file.
* release mechanism improvements: - manual maintenance release support (avoiding requests) - operation happen atomic for entire project now - support release of single multibuild container
* Ec2 cloud upload support for ec2 images (currently only available for OBS installations based on openSUSE 42.3) Backend:
* support showing source files in blame view (works also via links)
* support project copy with makeoriginolder option Backend:
* support showing source files in blame view (works also via links)
* support project copy with makeoriginolder option Backend:
* New build formats: - native container build based on DockerFile (beside exiting kiwi support) - FISSILE build format - AppImage build format
* freezelink command to freeze current sources accessed via project link
* support showing source files in blame view (works also via links)
* support project copy with makeoriginolder option
* support automatic vrev extending via project links
* Improved container support: - support build of layered containers by reusing existing contaienrs - support publishing to docker registry server - support container signing via notary server
* cloud upload server supporting Amazon EC2 and Microsoft Azure
* improved bootstrap cycle handling
* additional SHA256 checksum in source commit handling for security
* projects can be temporary suspended to avoid scheduling between multiple changes
* support AirBrake for reporting problems
* support new debian repository format
* support for building in openstack cloud
* Many smaller improvements in DownloadOnDemand and multibuild handling Shipment:
* To make use of the ec2 cloud upload feature you need to: - Install the obs-cloud-uploader package. Major bugfixes:
* Fix deletion of groups with users.
* Fix notification generation with very big payloads.
* Create history element on priority raise of request.
* Fix huge bottleneck in notification emails.
* Fix setting of new attributes to a project or package. Wanted changes: ===============
* creating of repositories on branching has changed if repositories of the source refer each other. This gets recreated in new project.
* project copy is not adding the user anymore
* service dispatcher is used by default now
* The editing of a user\'s realname, email adress or password is no longer possible if LDAP mode is activated
* Unused ldap options in options.yml were dropped: - ldap_update_support - ldap_object_class - ldap_entry_base - ldap_sn_attr_required
* dropping of the project/package tag functionality/api
* password hashing algorithm was changed to bcrypt (blowfish)
* The backend notification plugin system is not used anymore. The RabbitMQ plugin is replaced with a RabbitMQ message bus implementation in the frontend, you can find details about this in the admin manual. The Hermes plugin is dropped without replacement as it was only used for notifications which the OBS is doing on it\'s own since quite some time.
* publish hook failures are handled as fatal failures now. => publisher will retry to publish
* Fri Sep 22 2017 esrolfeAATTsuse.de- openSUSE Build Service 2.8.4 Feature backports: ==================
* None Changes: ========
* None Bugfixes: =========
* [webui][api] In LDAP mode if the LDAP server closed the connection to obs and a user tried to login they would get an unauthorized response. This is fixed by reconnecting automatically.
* Wed Aug 30 2017 bgeukenAATTsuse.com- Update code and release notes
* Tue Aug 29 2017 bgeukenAATTsuse.com- OBS 2.8.3 release Feature backports: ==================
* [webui] All global roles are now shown on the admin user edit page and can be added / removed from user accounts
* [webui] LDAP Authentication is now officially supported Changes: ========
* Realname and email address of users can not be edited in LDAP mode Bugfixes: =========
* [webui] Admins that edited their accounts via the user/show page lost their admin role
* [api] fix config change of some /configuration values
* [backend] fix for new linux version format in bs_worker Notes for OBS setups with LDAP authentication: ============================================== Once LDAP mode is activated users can only log in via LDAP. To give admin rights to newly created LDAP users run following commands: \'cd /srv/www/obs/api\' \'bundle exec rake user:give_admin_rights tux RAILS_ENV=production\' See also http://openbuildservice.org/help/manuals/obs-admin-guide/obs.cha.administration.html#_obs_ldap_configuration
* Tue Jun 27 2017 bgeukenAATTsuse.com- OBS 2.8.2 release Feature backports: ==================
* None Changes: ========
* None Bugfixes: =========
* [webui] Fixes abort, rebuild and wipe commands which could operate on a package of a linked project instead of the local one.
* Tue May 09 2017 enavarroAATTsuse.com- OBS 2.8.1 release Feature backports: ==================
* [api][webui] Copy repositories when branching from a remote project Changes: ========
* Removed obsolete option api_relative_url_root
* [backend] Implements \'donotcreatecert\' option for _keyinfo Bugfixes: =========
* [webui] Fixes a bug in branch and submit dialog
* [webui] Fixes a bug in live build log when no architecture or repository parameter was given
* [webui] Fixes a bug in live build log when the package is a multibuild
* [backend] Handles arch dependencies correctly
* Fri Mar 31 2017 ammartinezAATTsuse.com- OBS 2.8.0 release Features ======== UI:
* Allow triggering services from the UI.
* Show a hint to project maintainers, when he/she is not a package maintainer of the target package of a request
* Main projects list is now filtered based on a configurable (by the admin) regular expression
* Users can download the public key and SSL certificate for a project via the project home page
* import of kiwi build descriptions is supported (obs-service-kiwi_import) API:
* Allow admins to lock or delete users and their home projects via new command
* Users can be declared as sub accounts of other users. Useful for automated scripts.
* New API route to get public key and SSL certificate: GET /source/:project_name/_keyinfo
* New feature toggle config file. Use config/feature.yml to enable/disable features in the OBS. Backend:
* multibuild: allow to build multiple jobs from one source package without the need of creating local links
* experimental support of snap package format
* workers are now also tracked when they went away (new states \"down\", \"away\" and \"dead\")
* worker capabilities can be requested
* usable workers can be requested with uncommited constraints
* functionality to remove published packages (osc unpublish)
* New obsservicedispatch service to handle source service runs in a queue and asynchron.
* preinstall images can be used for local building
* improved speed of diffing sources
* Support caching of pulled git sources Shipment:
* optional docker container to run source services is provided Wanted changes: ===============
* kiwi builds: build configuration changes from the project where the kiwi file is stored have always an effect now.
* maintenance_release requests are locking only the source packages on creation now. They don\'t lock the patchinfos. The project gets locked on release now.
* service wrapper script for LXC got replaced by a docker alternative Other changes =============
* Server side pagination on user show page for improving the performance.
* The way to identify spiders got changed. A separate configuration via apache is no longer required. See the Administration Guide.
* Frontend stack is using ruby 2.4 and rails 5.0.1 now
* Tue Mar 14 2017 bgeukenAATTsuse.com- OBS 2.7.4 release Feature backports: ==================
* none Changes: ========
* none Bugfixes: =========
* [api] Fix API permission check for creating and changing (POST) attributes
* [api] Fix API permission check for deleting (DELETE) attributes
* [webui] Invalidate cached session in LDAP mode
* [api][webui] Fail ldap authentification with empty password
* [webui] Fix repository removal when updating project meta fails with an error
* Fri Dec 23 2016 cbruckmayerAATTsuse.com- OBS 2.7.3 release Feature backports: ==================
* none Changes: ========
* Compability with OBS 2.8 remote instances Bugfixes: =========
* [api] Project meta data was corrupted after undelete
* [api] Raising access and sourceaccess permissions as admin is working again
* [backend] Download on demand sync fixes
* [webui] Fixed revert to a specified source revision
* Thu Aug 25 2016 cbruckmayerAATTsuse.com- OBS 2.7.2 release Feature backports: ==================
* none Changes: ========
* none Bugfixes: =========
* [webui][api] Sets bs_request_counter correctly
* [backend] bs_publish: unpublished hook added
* Fri Aug 12 2016 cbruckmayerAATTsuse.com- OBS 2.7.1 relase Feature backports: ==================
* none Changes: ========
* none Bugfixes: =========
* [webui][api] Update rails to version 4.2.7.1 to fix CVE-2016-6316 and CVE-2016-6317
* [webui] Users in not \'confirmed\' state were allowed to login
* [api] Users in not \'confirmed\' state were allowed to run services via former created token
* [backend] Fixing project copy which includes binaries
* [backend] worker supports jobs from OBS 2.8 scheduler
* [backend] support publishing of .vdi (VirtualBox image) files
* Tue May 31 2016 adrianAATTsuse.de- OBS 2.7.0 release
* Fri Apr 08 2016 adrianAATTsuse.de- prepare OBS 2.7.0 beta release
* Fri Jan 29 2016 adrianAATTsuse.de- OBS 2.6.8 release Feature backports: ==================
* none Changes: ========
* none Bugfixes: ========= This release fixes several potential CVEs reported in Ruby on Rails http://weblog.rubyonrails.org/2016/1/25/Rails-5-0-0-beta1-1-4-2-5-1-4-1-14-1-3-2-22-1-and-rails-html-sanitizer-1-0-3-have-been-released/
* [webui] Fixes CVE-2015-7576: Timing attack vulnerability in basic authentication in Action Controller.
* [webui] Fixes CVE-2016-0751: Possible Object Leak and Denial of Service attack in Action Pack
* [webui] Fixes CVE-2015-7577: Nested attributes rejection proc bypass in Active Record.
* [webui] Fixes CVE-2016-0752: Possible Information Leak Vulnerability in Action View
* [webui] Fixes CVE-2016-0753: Possible Input Validation Circumvention in Active Model
* [webui] Fixes CVE-2015-7581: Object leak vulnerability for wildcard controller routes in Action Pack
* [backend] fix local building inside a project on a remote OBS instance
* [backend] fix lost events on scheduler restart
* Fri Nov 06 2015 cbruckmayerAATTsuse.com- OBS 2.6.7 release Feature backports: ==================
* none Changes: ========
* backend: compability support with Download-on-Demand definitions from OBS 2.7 Bugfixes: =========
* webui: drop hardcoded opensuse email adress and link
* webui: fix XSS attack vector via User.realname (bnc#950932)
* webui: fix XSS attack vector via Projec.title (bnc#950932)
* webui: add spec & changes files code highlighting
* Tue Oct 13 2015 hvogelAATTsuse.com- OBS 2.6.6 release Feature backports: ==================
* none Changes: ========
* Keep enforce_project_keys/forceprojectkeys in sync Bugfixes: =========
* webui: fix XSS attack vector via project.title
* Fri Oct 09 2015 adrianAATTsuse.de- OBS 2.6.5 release Feature backports: ==================
* none Changes: ========
* webui: make the hint to interconnect more visible Bugfixes: =========
* webui: fix XSS attack vector via comments (bnc#947736 and CVE-2015-5966)
* config: fixed apache 2.4 config in template file
* Wed Sep 09 2015 adrianAATTsuse.de- OBS 2.6.4 release Feature backports: ==================
* none Changes: ========
* none Bugfixes: =========
* webui: fix read access to local files on server
* api: fix database connection leak caused by sphinx indexing
* backend: fix blocking ajax handler on getbinaries
* Wed Aug 12 2015 adrianAATTsuse.de- OBS 2.6.3 release Feature backports: ==================
* backend: support using docker as build environment (not secure) Changes: ========
* none Bugfixes: =========
* backend: validate results of external patch command. could be used to modify packages without sufficiant permissions (bnc#941099, CVE-2015-0796)
* backend: fixing create pattern call in publisher
* backend: fix handling of host specific bsconfig.
* files
* Wed Apr 08 2015 adrianAATTsuse.de- OBS 2.6.2 release Feature backports: ==================
* none Changes: ========
* dispatcher sends no armv7 jobs to aarch64 build hosts anymore Bugfixes: =========
* webui: depends on rubygem-redcarpet 3.2.3, fixes possible XSS attack (boo#926328)
* Thu Mar 12 2015 adrianAATTsuse.de- OBS 2.6.1 release Feature backports: ==================
* support static links for vmx/vmdk files Changes: ========
* none Bugfixes: =========
* api: fix handling of special chars in maintenance package names
* api: do not allow to overwrite existing groups via wrong route
* api: fix first time login when using LDAP
* webui: fix user icon fetching as done by google bot
* webui: fix display issues (github issues obs#320, obs#711, obs#806)
* backend: fix arbitrary command execution in service daemon (CVE-2015-0778)
* backend: fix lxc support in worker
* backend: fix event handling when using multiple backend servers
* backend: fix publishing of vmx files
* Wed Feb 04 2015 adrianAATTsuse.de- OBS 2.6.0 release - details are in the release notes
* Fri Dec 12 2014 adrianAATTsuse.de- update to OBS 2.6 RC 1 (2.5.95)
* Tue Nov 04 2014 adrianAATTsuse.de- update to OBS 2.6 Beta 1 (2.5.90)