Changelog for obs-api-testsuite-deps-2.10.23-131.2.x86_64.rpm:
* Fri Mar 01 2024 daniel.donisa@suse.com
- Update to version 2.10.22
Bugfixes
========
Frontend:
* Update rack to version 2.2.8.1
  - Fixed ReDoS in Accept header parsing [CVE-2024-26146]
  - Fixed ReDoS in Content Type header parsing [CVE-2024-25126]
  - Reject Range headers which are too large [CVE-2024-26141]
  - DoS Vulnerability in Multipart MIME parsing.
* Thu Mar 16 2023 daniel.donisa@suse.com
- Update to version 2.10.21
Bugfixes
========
Frontend:
* Update rack to version 2.2.6.4
  - Fixes CVE-2023-27539 Avoid ReDoS (https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS) in header parsing.
  - Fixes CVE-2023-27530 Possible DoS Vulnerability in Multipart MIME parsing.
* Fri Jan 27 2023 lukas.krause@suse.com
- Update to version 2.10.20
Bugfixes
========
Frontend:
* Update globalid gem from 1.0.0 to 1.0.1
  - Fixes CVE-2023-22799 ReDoS based DoS vulnerability in the GlobalID gem
* Update rack gem from 2.2.4 to 2.2.6.2
  - Fixes CVE-2022-44571 Denial of service vulnerability in the Content-Disposition parsing component of Rack.
  - Fixes CVE-2022-44572 Denial of service vulnerability in the multipart parsing component of Rack.
  - Fixes CVE-2022-44570 Possible denial of service vulnerability in the Range header parsing component of Rack.
* Thu Dec 15 2022 daniel.donisa@suse.com
- Update to version 2.10.19
Bugfixes
========
Frontend:
* Update rails-html-sanitizer to 1.4.4
  - CVE-2022-32209 Rails::Html::Sanitizer vulnerable to Cross-site Scripting
* Fix support for qemu system emulated builds via bs_worker
* Mon Jul 18 2022 daniel.donisa@suse.com
- Update to version 2.10.17
Bugfixes
========
Frontend:
* Fix session leaking during BsRequest auto accept
  - See https://github.com/openSUSE/open-build-service/pull/12821
* Update rails to 5.2.8.1
  - CVE-2022-32224 Possible RCE escalation bug with Serialized Columns in Active Record
* Update tzinfo from 1.2.9 to 1.2.10
  - CVE-2022-31163 TZInfo relative path traversal vulnerability allows loading of arbitrary files
* Thu May 26 2022 scabrerapadron@suse.de
- Update to version 2.10.16
Features
========
Backend:
* Support for qemu system emulated worker instances
Bugfixes
========
Frontend:
* Update Nokogiri to version 1.13.6 to fix two security issues:
  - CVE-2022-29181 Improper Handling of Unexpected Data Type.
* Update rack to 2.2.3.1
  - CVE-2022-30122 Denial of Service Vulnerability in Rack Multipart Parsing
  - CVE-2022-30123 Possible shell escape sequence injection
* Thu May 05 2022 lukas.krause@suse.com
- Update to version 2.10.15
Bugfixes
========
* Frontend:
  - Fix CVE-2022-22577: There is a possible XSS vulnerability in Rails / Action Pack. CSP headers were only sent along with responses that Rails considered as "HTML" responses. This left API requests without CSP headers, which could possibly expose users to XSS attacks.
  - Fix CVE-2022-27777: There is a possible XSS vulnerability in Action View tag helpers. Passing untrusted input as hash keys can lead to a possible XSS vulnerability.
* Wed Apr 27 2022 adrian@suse.de
- Update to version 2.10.14
  - support zstd preinstallimages as produced by new build script
* Tue Apr 19 2022 hvogel@suse.com
- Update to version 2.10.13
  - Fix XML external entity (XXE) injection in xmlhash CVE-2022-21949
  - Update to Ruby 2.7
  - Fix heap memory corruption in yajl-ruby gem https://github.com/brianmario/yajl-ruby/security/advisories/GHSA-jj47-x69x-mxrm
  - Fix excessive backtracking in nokogiri gem https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-crjr-9rc5-ghw8
  - Fix privilege escalation issue in ProjectDoProjectReleaseJob (#12407)
* Thu Feb 25 2021 hvogel@suse.com
- Update to version 2.10.10
Bugfixes
========
* frontend:
  - CVE-2020-15169: Potential XSS vulnerability in Action View
  - CVE-2020-8184: Percent-encoded cookies can be used to overwrite existing prefixed cookie names
  - GHSA-g6wq-qcwm-j5g2: ReDoS vulnerability in Sec-WebSocket-Extensions parser
  - GHSA-vr8q-g5c7-m54m: Nokogiri::XML::Schema trusts input by default, exposing risk of an XXE vulnerability
* Tue Jan 12 2021 daniel.donisa@suse.com
- Update to version 2.10.9
Bugfixes
========
* Frontend:
  - Update redcarpet gem to fix a security vulnerability.
* Thu Dec 03 2020 scabrerapadron@suse.de
- Update to version 2.10.8
Bugfixes
========
* Frontend:
  - CVE-2020-8031: Potential Cross-Site Scripting in markdown rendering.
* Mon Jun 29 2020 enavarro@suse.com
- Update to version 2.10.7
Bugfixes
========
* Frontend:
  - CVE-2020-8184: Percent-encoded cookies can be used to overwrite existing prefixed cookie names
* Mon Jun 29 2020 enavarro@suse.com
- Remove unneeded files, after retrieving them with the services.
* Mon Jun 29 2020 enavarro@suse.com
- Remove 'mode="disabled"' for obs_scm and bundle_gems services.
* Wed Jun 03 2020 dkang@suse.com
- Update to version 2.10.6
Bugfixes
========
* frontend:
  - CVE-2020-8165: Potentially unintended unmarshalling of user-provided objects in MemCacheStore and RedisCacheStore
  - CVE-2020-11082: Potential Cross Site Scripting in Kaminari gem
* Tue May 19 2020 adrian@suse.de
- Update to version 2.10.5
Bugfixes
========
Backend
* CVE-2020-8021: unauthorized read access to files where sourceaccess is disabled via a crafted _service (bsc#1171649)
* Wed May 13 2020 vpereira@suse.com
- Update to version 2.10.4
Bugfixes
========
Frontend
* CVE-2020-8020: Possible stored XSS attack on comments markdown
* Tue Apr 28 2020 adrian@suse.de
- Update to version 2.10.3
Frontend:
* Support recent MySQL/MariaDB releases
Backend:
* Fix redis service restart behaviour
Shipment:
* Support for openSUSE Leap 15.2 and SLES 15 SP2
* Thu Apr 02 2020 enavarro@suse.com
- Update to version 2.10.2
Features
========
Backend:
* Support for zstd compressed Arch Linux packages
Bugfixes
========
Frontend:
* Security update for gem rails (CVE-2020-5267)
* Thu Apr 02 2020 enavarro@suse.com
- Add missing changes made in 2.10.1
Features
========
Backend:
* EXPERIMENTAL: Add support for rpm-md modules (RHEL/CentOS 8 only). Modules can get enabled via ExpandFlags: module:$MODULE_NAME in build configuration. Note: they tend to conflict.
* bs_publish: support Debian's InRelease file
* support zchunk compression for rpm-md metadata
* new systemd-nspawn backend
* Support zstd compression for rpm and deb
Bugfixes
========
Frontend:
* Fix partial editor option hash defaults (obs#8018)
* Fixed inconsistent data on package undelete
* Sphinx startup fixes
* Fix maintained projects link
Backend:
* Support openssl 1.1 and newer
* fix publisher sleeping behaviour (obs#8276)
* bs_publish: fix $rsync_extra_options handling (obs#8384)
* service expansion: tweak oldfiles handling (obs#7596)
* fix publishing of containers when no registry is configured
Shipment:
* obsdodup starts after obsapisetup
Bugfixes:
* Make cleanup_scm_cache cron job work again
* Fix LogRotate setup
* Thu Jul 04 2019 hvogel@suse.com
- Update to version 2.10
Features
========
Generic:
* replaced sysv init scripts with systemd files
* Add binary release tracking data for containers.
* Add support to collect performance metrics with InfluxDB
* Amazon EC2/ Microsoft Azure cloud upload support
* Text fields are stored as 4 byte UTF-8, which allows the use of emojis. To use this feature, switch database.yml to utf8mb4 encoding.
* Added `beta` environment in 'config/feature.yml' to toggle features in the beta program.
* Bugowners of a project/package now receive notifications about new comments
* Request pre-approval support. Requests will be accepted when last review gets accepted.
* Support webhooks from gitlab
* Send requests creation to rabbitmq bus
* Admins can write Terms of Services, via the API, and they will be shown in the WebUI to users unless they acknowledge them.
User Interface:
* Improved UI/UX for package live build log (hints & start/stop loading)
* Do not show excluded entries in package build results by default.
* Refactored the view of the binaries page that before was just a list of links that pointed to the details page. Now you can download the files and upload images to the cloud directly from here.
* Limit results for autocompletion queries to 50
* Include all results for autocompletion that match with the search string.
* Hide disabled repositories by default
* Excluded entries in package build results are not shown by default anymore.
* Use full author identities in generating changes entries
* Request descriptions are now mandatory to avoid unnecessary requests
Backend & build support:
* new publisher features
  - vagrant box publishing
  - zchunk compressed files in rpm-md metadata
* binary tracking improvements
  - tracking of appliances and containers
* container improvements
  - support multi-arch container manifest generation
  - kiwi profile handling
  - improved parsing of Dockerfiles
  - new OBS-AddTag and OBS-Imagerepo directives
  - take container with the highest version/release if there is a conflict over a tag
  - disk space savings with container layer deduplication
  - integrated container registry
* speed improvements
  - faster repository publishing and product generation
  - incremental project updates in the scheduler
  - reduced interconnect load due to a lastevents proxy
* odds and ends
  - obs-build: shell support in KVM
  - prjconf package exclude feature ("onlybuild")
  - sysrq and core dump support for KVM builds
  - support rpm's new '^' separator in version comparison
  - milestone numbering support in release handling
Shipment:
* Require system gems (rake and rack) in api-deps package
Bugfixes:
* Binary view now shows correct data for multibuild packages
* Source diffs with mixed encoding were causing failures when processing notification mails. This is fixed now.
* Improved explanatory text for role changes on request review page.
* Rails security update was patched (CVE-2019-5419).
* Added upper-limit to range to avoid long running queries in Webui::MonitorController.
* In WebUI, only admins are allowed to create DoD repositories.
* In WebUI, only admins are allowed to create sourceaccess/access repositories flags.
* Added missing authorization to move repository path in Webui::ProjectController.
* Require sourceaccess by default in `require_package`.
Intentional changes:
====================
* always run services on expanded link sources
* The format of the OBS options.yml is now distinguishing between Rails environments. You can convert your old configuration by running: (cd /srv/www/obs/api/; rake migrate_options_yml)
* OBS is now using the lograge gem to generate production logs. We are now logging (in one line per request):
  - Timestamp
  - Request: Method + Controller + Action + Path + Params
  - Response status
  - Duration: Overall / View / DB
  - Remote IP
  - User login
* In previous releases it was possible to delete attributes through /source//_attribute/?namespace=OBS&name=VeryImportantProject (or similar for packages). You need to follow the documentation now and the proper route is /source//_attribute/OBS:VeryImportantProject
* GET '/attribute/:attribute' route responded with a 400 when the attribute type did not exist. It now returns a 404 status.
* GET '/source//_attribute' allowed to filter by namespace. This was never documented and was removed now. '/_attribute' will return all attributes, while '/_attribute/:attribute' keeps returning only the given attribute (as documented)
* The 'commenter' and 'commenters' payload of Comment events used to contain user ids. They now contain the user login name instead. Run the data migrations to convert events in the old format: 'rails data:migrate RAILS_ENV=production'
* Messages (for projects/packages) deprecated. The API routes below /message/ are deprecated and will be removed in the next version.
* Deprecated Ratings. The following API routes are deprecated and will be removed in the next version:
  - GET /statistics/highest_rated?limit=
  - GET /statistics/rating//
  - PUT /statistics/rating//
* Project and package release operations used to return a 403 permission error also on configuration errors. This is a 404 now:
  - POST /source/?cmd=release
  - POST /source//?cmd=release
* Public route dropped for reading patchinfo
  - GET 'patchinfo/read_patchinfo'
* Mon Apr 01 2019 dkang@suse.com
- Update to version 2.9.6
Bugfixes
========
Frontend:
* Rails security update was patched (CVE-2019-5419).
* Added upper-limit to range to avoid long running queries in Webui::MonitorController.
* In WebUI, only admins are allowed to create DoD repositories.
* In WebUI, only admins are allowed to create sourceaccess/access repositories flags.
* Added missing authorization to move repository path in Webui::ProjectController
* Require sourceaccess by default in `require_package`.
* Mon Oct 08 2018 hvogel@suse.com
- Update to version 2.9.5
Bugfixes
========
Frontend:
* Do not allow null characters in comments
* Prevent creation of a request with an ID attribute
Backend:
* avoid wipebinaries in locked projects
* fixes for new genmeta scheduling strategy
* fixed usage of preinstallimages
Features
========
Backend:
* obs_admin can trigger DoD repository meta data updates via --recheck-dod option
* Tue Jul 24 2018 bgeuken@suse.com
- Release of OBS – 2.9.4
Bugfixes
========
Frontend:
* Fixes permission check for bs requests with source projects that link to another project (bsc#1098934)
* Fixes permission check in the InitializeDevelPackage attribute codepath (bsc#1100217)
* Fix permission check of linked projects in BsRequestAction.check_action_permission
* Wed Jun 06 2018 bgeuken@suse.com
- 2.9.3 release:
Features
========
Backend:
* Allow to use different scheduling strategy which handles large build dependency cycles better. Enable it via project config: BuildFlags: genmetaalgo:1
Bugfixes
========
Frontend:
* Fixes permission issue that allowed unpermitted users to trigger services via the webui.
* Permits setting the initial bs request state. This prevents setting the initial state to something else than 'new' (CVE-2018-7689).
* Fixes permission check for project with 'InitializeDevelPackage' attribute (CVE-2018-7688).
* Fixes rendering of requests with multiple submit requests. Previously switching tabs would not trigger a reload of the request content for the selected request.
Backend:
* Debian fixes to 2.9 - publish ONIE binary and hashsum, enable Secure Boot EFI signing for Debian packages.
* New regex needssslcertforbuild for Debian builds
* Support publishing via rsync syntax (allows to specify port numbers)
* Make project config parser errors always visible
* Fix corner case on wiping binaries
* Improved .changes merge handling
* Don't publish unneeded files of appdata in meta data
* Fixing lost events on restarting schedulers
* Make errors by not reachable remote instances better visible.
* Wed Jun 06 2018 bgeuken@suse.com
- 2.9.2 release:
Features
========
Frontend:
* Admins can now mark users to be managed locally instead of via LDAP
* Cloud uploads can be managed (started, aborted and listed) via API
Bugfixes
========
Frontend:
* Fixed issue in live build log that caused parts of the log being duplicated
* Upgrading from 2.8 to 2.9 caused remote repositories with same name to get deleted
  - If the instance got already upgraded and an interconnect is configured, it might be necessary to restore the database with data from the backend
  - This can be done with 'rake.ruby2.5 fix_project '
* Wed Jun 06 2018 bgeuken@suse.com
- 2.9.1 release (= initial 2.9 release):
Generic:
* image and container maintenance support, including binary tracking
* riscv64 hardware architecture support
Frontend:
* New Kerberos authentication mode. Read how to setup Kerberos in the OBS Admin Guide: http://openbuildservice.org/help/manuals/obs-admin-guide/
* New job history page to see why a package was built.
* New GPG key details dialog.
* RSS Feeds for User's Notifications are now available.
* New Studio Express feature:
* New central page to branch image templates from.
* Add and edit repository and package lists in kiwi files.
* Edit kiwi image details: name, author, contact, specification.
* RabbitMQ support. OBS admins can configure their instance to send messages to a RabbitMQ server. Read more in the OBS Admin Guide.
* Receive email notifications for projects that are in your watchlist. Configure at /user/notifications.
* Improved UI/UX for configuration of notifications page. Now it shows a better layout and explanations to make this complex page easy to understand.
* Allow users to view the full diff of large changes.
* Remove the unused api_relative_url_root option from the options.yml file.
* release mechanism improvements:
  - manual maintenance release support (avoiding requests)
  - operations happen atomically for the entire project now
  - support release of single multibuild container
* Ec2 cloud upload support for ec2 images (currently only available for OBS installations based on openSUSE 42.3)
Backend:
* New build formats:
  - native container build based on DockerFile (beside existing kiwi support)
  - FISSILE build format
  - AppImage build format
* freezelink command to freeze current sources accessed via project link
* support showing source files in blame view (works also via links)
* support project copy with makeoriginolder option
* support automatic vrev extending via project links
* Improved container support:
  - support build of layered containers by reusing existing containers
  - support publishing to docker registry server
  - support container signing via notary server
* cloud upload server supporting Amazon EC2 and Microsoft Azure
* improved bootstrap cycle handling
* additional SHA256 checksum in source commit handling for security
* projects can be temporary suspended to avoid scheduling between multiple changes
* support AirBrake for reporting problems
* support new debian repository format
* support for building in openstack cloud
* Many smaller improvements in DownloadOnDemand and multibuild handling
Shipment:
* To make use of the ec2 cloud upload feature you need to:
  - Install the obs-cloud-uploader package.
Major bugfixes:
* Fix deletion of groups with users.
* Fix notification generation with very big payloads.
* Create history element on priority raise of request.
* Fix huge bottleneck in notification emails.
* Fix setting of new attributes to a project or package.
Wanted changes:
===============
* creating of repositories on branching has changed if repositories of the source refer each other. This gets recreated in new project.
* project copy is not adding the user anymore
* service dispatcher is used by default now
* The editing of a user's realname, email address or password is no longer possible if LDAP mode is activated
* Unused ldap options in options.yml were dropped:
  - ldap_update_support
  - ldap_object_class
  - ldap_entry_base
  - ldap_sn_attr_required
* dropping of the project/package tag functionality/api
* password hashing algorithm was changed to bcrypt (blowfish)
* The backend notification plugin system is not used anymore. The RabbitMQ plugin is replaced with a RabbitMQ message bus implementation in the frontend; you can find details about this in the admin manual. The Hermes plugin is dropped without replacement as it was only used for notifications which the OBS has been doing on its own for quite some time.
* publish hook failures are handled as fatal failures now => publisher will retry to publish
* Fri Sep 22 2017 esrolfe@suse.de
- openSUSE Build Service 2.8.4
Feature backports:
==================
* None
Changes:
========
* None
Bugfixes:
=========
* [webui][api] In LDAP mode if the LDAP server closed the connection to obs and a user tried to login they would get an unauthorized response. This is fixed by reconnecting automatically.
* Wed Aug 30 2017 bgeuken@suse.com
- Update code and release notes
* Tue Aug 29 2017 bgeuken@suse.com
- OBS 2.8.3 release
Feature backports:
==================
* [webui] All global roles are now shown on the admin user edit page and can be added / removed from user accounts
* [webui] LDAP Authentication is now officially supported
Changes:
========
* Realname and email address of users can not be edited in LDAP mode
Bugfixes:
=========
* [webui] Admins that edited their accounts via the user/show page lost their admin role
* [api] fix config change of some /configuration values
* [backend] fix for new linux version format in bs_worker
Notes for OBS setups with LDAP authentication:
==============================================
Once LDAP mode is activated users can only log in via LDAP. To give admin rights to newly created LDAP users run the following commands:
'cd /srv/www/obs/api'
'bundle exec rake user:give_admin_rights tux RAILS_ENV=production'
See also http://openbuildservice.org/help/manuals/obs-admin-guide/obs.cha.administration.html#_obs_ldap_configuration
* Tue Jun 27 2017 bgeuken@suse.com
- OBS 2.8.2 release
Feature backports:
==================
* None
Changes:
========
* None
Bugfixes:
=========
* [webui] Fixes abort, rebuild and wipe commands which could operate on a package of a linked project instead of the local one.
* Tue May 09 2017 enavarro@suse.com
- OBS 2.8.1 release
Feature backports:
==================
* [api][webui] Copy repositories when branching from a remote project
Changes:
========
* Removed obsolete option api_relative_url_root
* [backend] Implements 'donotcreatecert' option for _keyinfo
Bugfixes:
=========
* [webui] Fixes a bug in branch and submit dialog
* [webui] Fixes a bug in live build log when no architecture or repository parameter was given
* [webui] Fixes a bug in live build log when the package is a multibuild
* [backend] Handles arch dependencies correctly
* Fri Mar 31 2017 ammartinez@suse.com
- OBS 2.8.0 release
Features
========
UI:
* Allow triggering services from the UI.
* Show a hint to project maintainers, when he/she is not a package maintainer of the target package of a request
* Main projects list is now filtered based on a configurable (by the admin) regular expression
* Users can download the public key and SSL certificate for a project via the project home page
* import of kiwi build descriptions is supported (obs-service-kiwi_import)
API:
* Allow admins to lock or delete users and their home projects via new command
* Users can be declared as sub accounts of other users. Useful for automated scripts.
* New API route to get public key and SSL certificate: GET /source/:project_name/_keyinfo
* New feature toggle config file. Use config/feature.yml to enable/disable features in the OBS.
Backend:
* multibuild: allow to build multiple jobs from one source package without the need of creating local links
* experimental support of snap package format
* workers are now also tracked when they went away (new states "down", "away" and "dead")
* worker capabilities can be requested
* usable workers can be requested with uncommitted constraints
* functionality to remove published packages (osc unpublish)
* New obsservicedispatch service to handle source service runs in a queue and asynchronously.
* preinstall images can be used for local building
* improved speed of diffing sources
* Support caching of pulled git sources
Shipment:
* optional docker container to run source services is provided
Wanted changes:
===============
* kiwi builds: build configuration changes from the project where the kiwi file is stored have always an effect now.
* maintenance_release requests are locking only the source packages on creation now. They don't lock the patchinfos. The project gets locked on release now.
* service wrapper script for LXC got replaced by a docker alternative
Other changes
=============
* Server side pagination on user show page for improving the performance.
* The way to identify spiders got changed. A separate configuration via apache is no longer required. See the Administration Guide.
* Frontend stack is using ruby 2.4 and rails 5.0.1 now
* Tue Mar 14 2017 bgeuken@suse.com
- OBS 2.7.4 release
Feature backports:
==================
* none
Changes:
========
* none
Bugfixes:
=========
* [api] Fix API permission check for creating and changing (POST) attributes
* [api] Fix API permission check for deleting (DELETE) attributes
* [webui] Invalidate cached session in LDAP mode
* [api][webui] Fail ldap authentication with empty password
* [webui] Fix repository removal when updating project meta fails with an error
* Fri Dec 23 2016 cbruckmayer@suse.com
- OBS 2.7.3 release
Feature backports:
==================
* none
Changes:
========
* Compatibility with OBS 2.8 remote instances
Bugfixes:
=========
* [api] Project meta data was corrupted after undelete
* [api] Raising access and sourceaccess permissions as admin is working again
* [backend] Download on demand sync fixes
* [webui] Fixed revert to a specified source revision
* Thu Aug 25 2016 cbruckmayer@suse.com
- OBS 2.7.2 release
Feature backports:
==================
* none
Changes:
========
* none
Bugfixes:
=========
* [webui][api] Sets bs_request_counter correctly
* [backend] bs_publish: unpublished hook added
* Fri Aug 12 2016 cbruckmayer@suse.com
- OBS 2.7.1 release
Feature backports:
==================
* none
Changes:
========
* none
Bugfixes:
=========
* [webui][api] Update rails to version 4.2.7.1 to fix CVE-2016-6316 and CVE-2016-6317
* [webui] Users in not 'confirmed' state were allowed to login
* [api] Users in not 'confirmed' state were allowed to run services via former created token
* [backend] Fixing project copy which includes binaries
* [backend] worker supports jobs from OBS 2.8 scheduler
* [backend] support publishing of .vdi (VirtualBox image) files
* Tue May 31 2016 adrian@suse.de
- OBS 2.7.0 release
* Fri Apr 08 2016 adrian@suse.de
- prepare OBS 2.7.0 beta release
* Fri Jan 29 2016 adrian@suse.de
- OBS 2.6.8 release
Feature backports:
==================
* none
Changes:
========
* none
Bugfixes:
=========
This release fixes several potential CVEs reported in Ruby on Rails http://weblog.rubyonrails.org/2016/1/25/Rails-5-0-0-beta1-1-4-2-5-1-4-1-14-1-3-2-22-1-and-rails-html-sanitizer-1-0-3-have-been-released/
* [webui] Fixes CVE-2015-7576: Timing attack vulnerability in basic authentication in Action Controller.
* [webui] Fixes CVE-2016-0751: Possible Object Leak and Denial of Service attack in Action Pack
* [webui] Fixes CVE-2015-7577: Nested attributes rejection proc bypass in Active Record.
* [webui] Fixes CVE-2016-0752: Possible Information Leak Vulnerability in Action View
* [webui] Fixes CVE-2016-0753: Possible Input Validation Circumvention in Active Model
* [webui] Fixes CVE-2015-7581: Object leak vulnerability for wildcard controller routes in Action Pack
* [backend] fix local building inside a project on a remote OBS instance
* [backend] fix lost events on scheduler restart
* Fri Nov 06 2015 cbruckmayer@suse.com
- OBS 2.6.7 release
Feature backports:
==================
* none
Changes:
========
* backend: compatibility support with Download-on-Demand definitions from OBS 2.7
Bugfixes:
=========
* webui: drop hardcoded opensuse email address and link
* webui: fix XSS attack vector via User.realname (bnc#950932)
* webui: fix XSS attack vector via Project.title (bnc#950932)
* webui: add spec & changes files code highlighting
* Tue Oct 13 2015 hvogel@suse.com
- OBS 2.6.6 release
Feature backports:
==================
* none
Changes:
========
* Keep enforce_project_keys/forceprojectkeys in sync
Bugfixes:
=========
* webui: fix XSS attack vector via project.title
* Fri Oct 09 2015 adrian@suse.de
- OBS 2.6.5 release
Feature backports:
==================
* none
Changes:
========
* webui: make the hint to interconnect more visible
Bugfixes:
=========
* webui: fix XSS attack vector via comments (bnc#947736 and CVE-2015-5966)
* config: fixed apache 2.4 config in template file
* Wed Sep 09 2015 adrian@suse.de
- OBS 2.6.4 release
Feature backports:
==================
* none
Changes:
========
* none
Bugfixes:
=========
* webui: fix read access to local files on server
* api: fix database connection leak caused by sphinx indexing
* backend: fix blocking ajax handler on getbinaries
* Wed Aug 12 2015 adrian@suse.de
- OBS 2.6.3 release
Feature backports:
==================
* backend: support using docker as build environment (not secure)
Changes:
========
* none
Bugfixes:
=========
* backend: validate results of external patch command. could be used to modify packages without sufficient permissions (bnc#941099, CVE-2015-0796)
* backend: fixing create pattern call in publisher
* backend: fix handling of host specific bsconfig. files
* Wed Apr 08 2015 adrian@suse.de
- OBS 2.6.2 release
Feature backports:
==================
* none
Changes:
========
* dispatcher sends no armv7 jobs to aarch64 build hosts anymore
Bugfixes:
=========
* webui: depends on rubygem-redcarpet 3.2.3, fixes possible XSS attack (boo#926328)
* Thu Mar 12 2015 adrian@suse.de
- OBS 2.6.1 release
Feature backports:
==================
* support static links for vmx/vmdk files
Changes:
========
* none
Bugfixes:
=========
* api: fix handling of special chars in maintenance package names
* api: do not allow to overwrite existing groups via wrong route
* api: fix first time login when using LDAP
* webui: fix user icon fetching as done by google bot
* webui: fix display issues (github issues obs#320, obs#711, obs#806)
* backend: fix arbitrary command execution in service daemon (CVE-2015-0778)
* backend: fix lxc support in worker
* backend: fix event handling when using multiple backend servers
* backend: fix publishing of vmx files
* Wed Feb 04 2015 adrian@suse.de
- OBS 2.6.0 release
  - details are in the release notes
* Fri Dec 12 2014 adrian@suse.de
- update to OBS 2.6 RC 1 (2.5.95)
* Tue Nov 04 2014 adrian@suse.de
- update to OBS 2.6 Beta 1 (2.5.90)
* Tue Jul 02 2013 adrian@suse.de
- fix build
- drop lighttpd configs
- environment/*rb files are non-noreplace now, all config options went into options.yml and configuration.xml
* Mon Jun 10 2013 adrian@suse.de
- starting OBS pre-2.5 snapshots
- require the createrepo version which got used in the testsuite
* Fri Jun 29 2012 adrian@suse.de
- update to OBS 2.3.2
Feature backports:
==================
* none
Changes:
========
* support xz compressed kiwi images
* documentation and theming updates
* do not leave out sourceaccess protected package on branching (bnc#766119)
Bugfixes:
=========
* fixed dying ajax source when doing OBS interconnect
* removal of not expandable _link files is working now
* package meta data on project copy takes all elements now, except person, group and devel.
* initial webui database setup on appliance works now
* no error when using appliance without OBS LVM volume group
* webui is able to store OBS configuration now.
* Thu May 31 2012 adrian@suse.de
- update to OBS 2.3.1
Feature backports:
==================
* Support remote product build tree building
* Make kiwi support packages configurable. Defaults are:
  Substitute: kiwi-setup:image kiwi createrepo tar
  Substitute: kiwi-setup:product kiwi
Changes:
========
* Support Order: handling also during preinstall (for Fedora 17)
* Added Fedora-17 default target
* bnc and fate issue tags are also accepted with whitespace: bnc #123 (This requires running migrations on the api).
* Increased timeouts for OBS inter connects
Bugfixes:
=========
* Use right architecture on spec file parsing when project configuration contains a "Target:" line
* Fixed warning messages about 'nextstate' in dispatcher
* Fixed urls in webui to www.open-build-service.org
* Init script fixes for automatic deployment of workers
* Fixed debian handling for exporting sources
* Fri Apr 20 2012 adrianAATTsuse.de- OBS 2.3 RC5, (version 2.2.995) - various documentation updates - fixed request diffing for \"updatelink\" requests - fixed various update and first start problems - fixed various crashes in webui - critical backend fix for sending data with trailing \\0 after 8192 boundaries
* Tue Apr 10 2012 adrianAATTsuse.de- OBS 2.3 RC4, (version 2.2.994) - serialized diffing, protects the server against DoS
* Wed Apr 04 2012 adrianAATTsuse.de- OBS 2.3 RC3, (version 2.2.993) - fixed standalone obsworker installation - some init script fixes - minor webui fixes - _patchinfo creation fix on maintenance request accept
* Fri Mar 30 2012 adrianAATTsuse.de- OBS 2.3 RC2, (version 2.2.992) - fixed regression in "none" repo type support - fixed database corruption for maintenance projects - fixes for webui patchinfo editor
* Mon Mar 26 2012 adrianAATTsuse.de- OBS 2.3 RC2, (version 2.2.991) - "none" repo type support - fix for creating new user with local database - fix search publish functionality - fixed priority handling in scheduler
* Wed Mar 21 2012 adrianAATTsuse.de- OBS 2.3 RC1, (version 2.2.990)
* Mon Mar 19 2012 adrianAATTsuse.de- update to current git, version 2.2.131
* OBS 2.3 interconnect fix
* fixed access-disabled maintenance handling
* debian source publish handling fixes from "Hector Oron"
* Thu Mar 15 2012 adrianAATTsuse.de- update to current git, version 2.2.130
* new unlock method via command instead of meta data edit
* various maintenance handling fixes
* Wed Mar 14 2012 adrianAATTsuse.de- update to current git, version 2.2.129
* support for publishing binaries in subdirectories
* fixed handling of local linked packages on branching
* release handling fixes
* webui layout fixes
* Fri Mar 09 2012 adrianAATTsuse.de- update to current git, version 2.2.128
* incident request expansion
* additional protection against mass-assignment injection
* further webui request view fine tuning
* minor fixes in backend
* Fri Mar 02 2012 adrianAATTsuse.de- update to current git, version 2.2.127
* fixed multiarch handling in aggregate
* webui request view fixes
* init script fixes
* Thu Feb 23 2012 adrianAATTsuse.de- update to current git, version 2.2.126
* webui has new request view
* patchinfo "stopped" and "issue undocumented" feature
* Tue Feb 21 2012 adrianAATTsuse.de- update to current git, version 2.2.125
* fixed maintenance incident request merge
* fixed urls in issue diffs
* Fri Feb 17 2012 adrianAATTsuse.de- update to current git, version 2.2.124
* INCOMPATIBLE changes in issue handling api
* webui support search for issues in packages
* enhanced xpath query support for issues
* Thu Feb 16 2012 adrianAATTsuse.de- update to current git, version 2.2.123
* fixed qemu cross build job assigning
* new maintenance incident handling
* Mon Feb 13 2012 adrianAATTsuse.de- update to current git, version 2.2.121
* various appliance and initial-setup fixes
* Thu Feb 09 2012 adrianAATTsuse.de- update to current git, version 2.2.120
* fixed native build of arm, mips and sh4
* fixed service files on request handling
* maintenance incident merge changes
* Thu Feb 02 2012 adrianAATTsuse.de- update to current git, version 2.2.119
* critical api branch fix
* webui maintenance improvements
* Mon Jan 30 2012 adrianAATTsuse.de- update to current git, version 2.2.117
* webui maintenance fixes
* recursive removal of repository
* fixed issue tracker api
* Thu Jan 26 2012 adrianAATTsuse.de- update to current git, version 2.2.116
* appliance fixes
* Tue Jan 24 2012 adrianAATTsuse.de- update to current git, version 2.2.115
* improved issue tracking support
* new webui testsuite got merged
* a number of maintenance handling features
* Thu Jan 12 2012 adrianAATTsuse.de- update to current git, version 2.2.114
* issue tracking support for all packages
* Wed Jan 11 2012 adrianAATTsuse.de- update to current git, version 2.2.113
* support for releasing local linked packages
* Tue Jan 10 2012 adrianAATTsuse.de- update to current git, version 2.2.112
* issue tracker fixes
* rdoc task updates- require Rails 2.3.14
* Mon Jan 09 2012 adrianAATTsuse.de- update to current git, version 2.2.111
* branch code improvements for SLE like setups
* Thu Dec 22 2011 adrianAATTsuse.de- update to current git, version 2.2.110
* bugfix christmas edition
* Wed Dec 21 2011 adrianAATTsuse.de- update to current git, version 2.2.109
* fixed delayed job crash
* fixed broken requests on re-open
* fast product build
* Tue Dec 20 2011 adrianAATTsuse.de- update to current git, version 2.2.108
* new declined -> revoked/reopen/superseded handling
* bugfixes in maintenance area
* drop sysconfig.obs-worker, merged with -server.
* regression to satisfy 12.2 check: obs-worker MUST be installed now
* Tue Dec 13 2011 adrianAATTsuse.de- update to current git, version 2.2.106
* improvements in issue tracker code
* binary upload feature
* supporting links for new packages (no existing target)
* Mon Dec 05 2011 adrianAATTsuse.de- update to current git, version 2.2.105
* new, faster obs-worker product build code
* maintenance release resign support
* Thu Dec 01 2011 adrianAATTsuse.de- update to current git, version 2.2.104
* fixed special cases of branch command
* fixed project copy with binaries
* Wed Nov 30 2011 adrianAATTsuse.de- update to current git, version 2.2.103
* fdatasync also for solv files, requires new BSSolv
* Mon Nov 28 2011 adrianAATTsuse.de- update to current git, version 2.2.102
* scheduler is using fdatasync now
* Fri Nov 25 2011 adrianAATTsuse.de- update to current git, version 2.2.101
* fixed vrev handling on maintenance release
* Fri Nov 25 2011 adrianAATTsuse.de- update to current git, version 2.2.100
* using issue_tracker data in backend
* Tue Nov 22 2011 adrianAATTsuse.de- update to current git, version 2.2.98
* new branch code
* Thu Nov 17 2011 adrianAATTsuse.de- update to current git, version 2.2.97
* fixing schema validation
* issue tracker support
* Sun Nov 13 2011 mikhail.zabaluevAATTgmail.com- de-ghosted important configuration files for webui
* Fri Nov 11 2011 adrianAATTsuse.de- update to current git, version 2.2.96
* many webui changes, esp. improved diff support
* incompatible patchinfo format changes (was marked as experimental)
* Mon Oct 31 2011 adrianAATTsuse.de- update to current git, version 2.2.95
* many cleanups, getting near to RC1 ...
* Thu Oct 20 2011 adrianAATTsuse.de- update to current git, version 2.2.94
* distro release support
* Tue Oct 18 2011 adrianAATTsuse.de- update to current git, version 2.2.93
* new source md5sum trigger mechanism. WARNING: this will trigger a rebuild of all packages with links!
* fixes to support openSUSE 12.1
* Wed Oct 05 2011 adrianAATTsuse.de- update to current git, version 2.2.92
* fixed updateinfo.xml generation
* added openSUSE:Factory:ARM as default target
* Thu Sep 08 2011 adrianAATTsuse.de- update to current git, version 2.2.91
* fix for died schedulers on creating deltas
* Fri Jul 22 2011 adrianAATTsuse.de- update to current git, version 2.2.90
* 2.3 Beta 3
* obs-common is part of obs-api package now
* using nokogiri as XML handler to fix ruby crashes
* Fri Jul 01 2011 adrianAATTsuse.de- update to current git, version 2.2.85
* large number of bugfixes after Beta 2
* Tue Jun 07 2011 adrianAATTsuse.de- update to current git, version 2.2.82
* new source service handling is used
* Thu May 26 2011 adrianAATTsuse.de- update to current git, version 2.2.81
* new branding name Open Build Service is used
* Mon May 16 2011 adrianAATTsuse.de- update to current git, version 2.2.81
* some important fixes after beta 1 to get openSUSE maintenance rolling
* Mon May 09 2011 adrianAATTsuse.de- update to current git, version 2.2.77
* cleanup in maintenance area to become beta ready
* Wed May 04 2011 adrianAATTsuse.de- update to current git, version 2.2.76
* bugfixes
* Fri Apr 29 2011 adrianAATTsuse.de- update to current git, version 2.2.75
* delta rpm support for maintenance updates
* new webui request views
* regression fixes
* Wed Apr 20 2011 adrianAATTsuse.de- update to current git, version 2.2.74
* support for generic authentication proxy
* maintenance feature work
* larger amount of bugfixes
* Fri Apr 15 2011 adrianAATTsuse.de- update to current git, version 2.2.73
* fix crashes on large file uploads with mod_rails under apache
* Tue Apr 12 2011 adrianAATTsuse.de- update to current git, version 2.2.72- finalized the apache2 switch, please read README files for details
* Wed Apr 06 2011 adrianAATTsuse.de- update to current git, version 2.2.71-
* Change from lighttpd to apache2 as default web server
* Mon Apr 04 2011 adrianAATTsuse.de- update to current git, version 2.2.70
* new architecture controller
* new reject request feature
* general cleanups in error handling
* Mon Mar 28 2011 adrianAATTsuse.de- update to current git, version 2.2.69
* regression fixes, should work with old config files again
* Thu Mar 24 2011 adrianAATTsuse.de- update to current git, version 2.2.68
* kvm appliance build fixes
* maintenance release support
* Thu Mar 24 2011 adrianAATTsuse.de- update to current git, version 2.2.67
* appliances fixes from Jan-Simon
* releasetarget handling support
* Mon Mar 21 2011 adrianAATTsuse.de- update to current git, version 2.2.66
* appliance updates from Jan-Simon
* Fri Mar 18 2011 adrianAATTsuse.de- update to current git, version 2.2.65
* Thu Mar 03 2011 adrianAATTsuse.de- update to current git, version 2.2.64
* maintenance release handling support
* Mon Feb 28 2011 adrianAATTsuse.de- update to current git, version 2.2.63
* backend support for maintenance features
* Fri Feb 25 2011 adrianAATTsuse.de- update to current git, version 2.2.62
* more maintenance support work, api is in theory feature complete
* Tue Feb 22 2011 adrianAATTsuse.de- update to current git, version 2.2.61
* more maintenance support work
* Mon Feb 14 2011 adrianAATTsuse.de- update to current git, version 2.2.60
* we skip 2.2 release
* more regression fixes for 2.2 features
* first maintenance features
* mobile handheld web view
* Thu Jan 27 2011 adrianAATTsuse.de- update to current git, version 2.1.80
* more regression fixes
* protect against losing every binary on misconfigured source server
* project wide source service support
* Mon Jan 24 2011 adrianAATTsuse.de- update to current git, version 2.1.79
* plenty of regression fixes
* Sat Jan 22 2011 adrianAATTsuse.de- update to current git, version 2.1.78
* fix hangups of webui and lighttpd
* Wed Jan 19 2011 adrianAATTsuse.de- update to current git, version 2.1.77
* fast search calls again, requires new and incompatible obs-common package
* Tue Jan 18 2011 adrianAATTsuse.de- update to current git, version 2.1.76
* permission handling got bigger changes
* Wed Jan 05 2011 adrianAATTsuse.de- update to current git, version 2.1.74
* a number of webui updates
* appliance fixes
* Mon Jan 03 2011 adrianAATTsuse.de- update to current git, version 2.1.72
* Wed Dec 29 2010 adrianAATTsuse.de- update to current git, version 2.1.71
* Thu Dec 09 2010 adrianAATTsuse.de- update to current git, version 2.1.69
* fixing file system permissions for new installations
* Wed Dec 08 2010 adrianAATTsuse.de- update to current git, version 2.1.68.
* obswebuidelayed is obsolete
* Mon Dec 06 2010 adrianAATTsuse.de- update to current git, version 2.1.67.
* plenty of webui fixes and improvements from Sascha
* Mon Nov 29 2010 adrianAATTsuse.de- update to current git, version 2.1.66.
* OBS interconnect client fixed again
* Mon Nov 29 2010 adrianAATTsuse.de- update to current git, version 2.1.65.
* Jan-Simon's project read access protection code got merged
* Thu Nov 25 2010 adrianAATTsuse.de- update to current git, version 2.1.64.
* new api content validation introduced
* Thu Nov 18 2010 adrianAATTsuse.de- update to current git, version 2.1.63.
* Fri Nov 12 2010 adrianAATTsuse.de- update to 2.1.62:
* new dependencies to erubis and rails_xss
* Thu Nov 11 2010 adrianAATTsuse.de- update to 2.1.61:
* no major features
* Tue Nov 09 2010 adrianAATTsuse.de- update to 2.1.60:
* first 2.2 Alpha snapshot
* Mon Oct 18 2010 adrianAATTsuse.de- update to final 2.1.0
* no code changes
* Thu Oct 14 2010 adrianAATTsuse.de- update to current 2.1 branch snapshot, version 2.0.107
* 2.1 RC 2 - Fixing branch by attribute call, supporting also project links - scheduler cleanup for delayed project handling
* Tue Oct 12 2010 adrianAATTsuse.de- update to current 2.1 branch snapshot, version 2.0.106 - 2.1 RC 1
* small fixes only
* Thu Oct 07 2010 adrianAATTsuse.de- update to current 2.1 branch snapshot, version 2.0.105 - 2.1 Beta 3
* source access control fixes
* user authentication fixes
* Fri Oct 01 2010 adrianAATTsuse.de- update to current 2.1 branch snapshot, version 2.0.104 - 2.1 Beta 2
* source access control fixes
* allow admin to control new user registration
* Mon Sep 20 2010 adrianAATTsuse.de- update to current snapshot, version 2.0.102 last before 2.1 beta 1
* Thu Sep 09 2010 adrianAATTsuse.de- update to current snapshot, version 2.0.99
* Mon Sep 06 2010 adrianAATTsuse.de- update to current snapshot, version 2.0.96
* Fri Sep 03 2010 adrianAATTsuse.de- update to current snapshot, version 2.0.95
* Thu Sep 02 2010 adrianAATTsuse.de- update to current snapshot, version 2.0.94
* Fri Aug 27 2010 adrianAATTsuse.de- update to current git, version 2.0.92
* webui switches to MySQL default
* Tue Aug 24 2010 adrianAATTsuse.de- update to current git, version 2.0.91
* Fri Aug 20 2010 adrianAATTsuse.de- update to current git, version 2.0.90
* still alpha state
* webui: source history browser
* webui: submit request creation
* Mon Aug 16 2010 adrianAATTsuse.de- update to current git, version 2.0.89
* Thu Aug 05 2010 adrianAATTsuse.de- update to current git, version 2.0.88
* Fri Jul 30 2010 adrianAATTsuse.de- update to current git, version 2.0.87
* Wed Jul 21 2010 adrianAATTsuse.de- update to current git, version 2.0.86
* Tue Jul 13 2010 adrianAATTsuse.de- update to current git, version 2.0.85
* Mon Jul 05 2010 adrianAATTsuse.de- update to current git, version 2.0.84
* reworked flag handling in api
* switch to rails 2.3.8
* Thu Jul 01 2010 adrianAATTsuse.de- update to current git, version 2.0.83
* lots of fixes after extending test suite
* notification system is now pluggable
* Mon Jun 28 2010 adrianAATTsuse.de- update to current git, version 2.0.82
* Fri Jun 25 2010 adrianAATTsuse.de- update to current git, version 2.0.81
* Mon Jun 14 2010 adrianAATTsuse.de- very first snapshot for 2.1 release
* read permission control feature
* Wed Jun 09 2010 adrianAATTsuse.de- 2.0
* fixed download file support in webui
* fixed package checkout from remote instance
* Mon Jun 07 2010 adrianAATTsuse.de- 1.9.92 (2.0 Beta 3)
* basic proxy support for backend
* signd setup support for appliance
* bugfixes
* Fri May 28 2010 adrianAATTnovell.com- 1.9.91 (2.0 Beta 2)
* New patchinfo editor
* bugfixes
* Sat May 22 2010 adrianAATTsuse.de- 1.9.70 snapshot
* feature complete 2.0 snapshot
* Mon May 17 2010 adrianAATTsuse.de- 1.9.63 snapshot
* Fri May 07 2010 adrianAATTsuse.de- 1.9.61 snapshot
* obs-worker becomes noarch for openSUSE 11.2 and later
* Thu Apr 29 2010 adrianAATTsuse.de- 1.9.60 snapshot
* Tue Mar 16 2010 adrianAATTsuse.de- 1.7.53 snapshot
* Mon Mar 08 2010 adrianAATTsuse.de- 1.7.52 snapshot
* group handling support
* attribute type permission handling
* reworked permission handling
* default reviewer support
* product build cache support
* Thu Mar 04 2010 adrianAATTsuse.de- 1.7.51 snapshot of 2.0 (aka 1.8)
* reworked LDAP support by David Greaves- ruby-ldap is used instead of rubygem-net-ldap now
* Thu Feb 18 2010 adrianAATTsuse.de- very first 1.8 snapshot
* first merges for new WEBUI
* LDAP authentication support from Luke Imhoff (Cray)
* Wed Feb 10 2010 adrianAATTsuse.de- apply current 1.7 Branch diff
* fixes kvm check in worker init script
* fix DoS when having binary data in build description files
* fixes possible scheduler crash
* Mon Feb 08 2010 adrianAATTsuse.de- OBS 1.7.0
* Wed Feb 03 2010 adrianAATTsuse.de- OBS 1.7.0 RC 1
* Tue Jan 26 2010 adrianAATTsuse.de- OBS 1.7.0 beta 3
* Tue Jan 19 2010 adrianAATTsuse.de- change SLP naming theme from obs. to obs: to make obs browseable
* Fri Jan 15 2010 adrianAATTsuse.de- OBS 1.7.0 beta 2- Requires Ruby on Rails 2.3.5 now
* Fri Nov 06 2009 mrueckertAATTsuse.de- added rails_enforce_proper_version.patch: make sure we really require rails 2.1.2. using ~> 2.1 is just wrong.
* Wed Oct 28 2009 chrisAATTcomputersalat.de- added bs_srcserver patch o needed for local obs when using openSUSE.org: projects and you want to do local builds via 'osc build'
* Tue Aug 11 2009 adrianAATTsuse.de- Really handling the directory -> symlink conversion correctly.
* Thu Jun 25 2009 mrueckertAATTnovell.com- disable the broken part of the pre script- buildrequire "build" to avoid dangling symlink warnings
* Fri Jun 19 2009 adrianAATTlocalhost- Update to final 1.6.0 release
* Wed Apr 22 2009 adrianAATTsuse.de- drop own build script version and reuse the version from build package instead. This drops also the unwanted dependency to bash-static again
* Wed Apr 15 2009 adrianAATTsuse.de- update to version 1.6 beta 2
* Thu Apr 09 2009 frohAATTsuse.de- take sysconfig template from svn to fix #490258 in the package.