You are here
Home > Preporuke > Ranjivost programskog paketa OBS

Ranjivost programskog paketa OBS

  • Detalji os-a: LSU
  • Važnost: IMP
  • Operativni sustavi: L
  • Kategorije: LSU

OBS 2.6.3, 2.5.7 and 2.4.8 released

These releases are fixing in first place a security issue which
allows to modify package sources without the sufficient permissions.

This leak exists in almost all OBS releases so far, esp. when
using “patch” command version 2.7 or later, which introduced
the git format patch handling.

This issue is tracked as CVE-2015-0796.

It was found by Marcus H�we. Thanks a lot for his work and
the way he reported it, allowing us to fix this fast and properly.
In case you want to see an exemplary good security leak analyses,
read bugzilla issue #941099 🙂

Updaters from any OBS 2.6 release can just ugrade the packages
and restart all services. Updaters from former releases should
read the README.UPDATERS file.

OBS update are available from the following projects:

The appliance can be downloaded from

Details from the Release Notes of 2.6.3:

Feature backports:

* backend: support using docker as build environment (not secure)


* none


* backend: validate results of external patch command. could be used
to modify packages without sufficiant permissions (bnc#941099, CVE-2015-0796)
* backend: fixing create pattern call in publisher
* backend: fix handling of host specific bsconfig.* files

Adrian Schroeter

SUSE Linux GmbH, GF: Felix Imend�rffer, Jane Smithard, Dilip Upmanyu, Graham Norton, HRB 21284 (AG N�rnberg)
Maxfeldstra�e 5
90409 N�rnberg

To unsubscribe, e-mail:
For additional commands, e-mail:

AutorTomislav Protega
Cert idNCERT-REF-2015-08-0030-ADV
ID izvornikaOBS
More in Preporuke
Višestruke ranjivosti jezgre operacijskog sustava

Otkrivene su višestruke ranjivosti u jezgri operacijskog sustava SUSE LE. Ranjivosti zahvaćaju razne dijelove jezgre, a ovisno o tipu ranjivosti,...