Fixing security issues on OBS toolchain (important)

ID SUSE-SU-2018:0065-1
Type suse
Reporter Suse
Modified 2018-01-11T15:06:50


This OBS toolchain update fixes the following issues:

Package 'build':

  • CVE-2017-14804: Improve the file name check in extractbuild (bsc#1069904)
  • Fixed Dockerfile repository parsing
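The advisory only says that the file name check in extractbuild was improved, not what it checks. The block below is an added, illustrative example of the validation any extractor needs when it writes files whose names come from untrusted input (a build result, an archive) under a fixed destination directory. It is not the code of the build package's extractbuild script; the function names and rules are this example's own, Python is used for readability although the real script is Perl, and the self-test builds its own temporary directory and symlink.

```python
"""Illustrative file name validation for an extractor that writes files with
names taken from untrusted input (a build result, an archive) under a fixed
destination directory.

Added example, not the OBS 'build' package's extractbuild script; the advisory
does not describe the check it changed, so the rules below are this example's
own. Python is used for readability; the real script is written in Perl.
"""
import os
import posixpath
import tempfile
from typing import Dict, Optional


def is_safe_member_name(name: str) -> bool:
    """Lexical check: NAME must be a non-empty relative path with no '..'
    component, no NUL byte and no backslash-rooted form. posixpath is used so
    the verdict does not depend on the host platform."""
    if not name or "\0" in name:
        return False
    if name.startswith(("/", "\\")):
        return False
    if any(part == ".." for part in name.split("/")):
        return False
    norm = posixpath.normpath(name)
    return not (norm.startswith("/") or norm == ".." or norm.startswith("../"))


def safe_destination(dest_root: str, name: str) -> Optional[str]:
    """Return the absolute path NAME maps to below DEST_ROOT, or None if the
    name must be rejected. Besides the lexical check this resolves symlinks,
    so a link already present below dest_root cannot redirect the write
    outside it (something the lexical check alone cannot see)."""
    if not is_safe_member_name(name):
        return None
    root = os.path.realpath(dest_root)
    target = os.path.realpath(os.path.join(root, name))
    if target != root and not target.startswith(root + os.sep):
        return None
    return target


def selftest() -> Dict[str, Optional[str]]:
    """Exercise the checks against a temporary destination that contains a
    symlink pointing outside it; returns each candidate name's verdict
    (the target path, or None when rejected). Candidates are constructed."""
    root = tempfile.mkdtemp(prefix="extract-")
    os.symlink(os.path.dirname(root) or "/", os.path.join(root, "escape"))
    candidates = [
        "usr/src/packages/RPMS/x86_64/example.rpm",   # normal build result
        "/etc/passwd",                                # absolute path
        "../../etc/passwd",                           # parent traversal
        "RPMS/../../etc/passwd",                      # traversal after a prefix
        "escape/outside.txt",                         # symlink escape
        "",                                           # empty name
    ]
    return {name: safe_destination(root, name) for name in candidates}


if __name__ == "__main__":
    for name, verdict in selftest().items():
        print(f"{name!r:45} -> {'OK ' + verdict if verdict else 'REJECTED'}")
```

The lexical check alone is not enough: a symlink that already exists under the destination (dropped by an earlier extracted member, for instance) turns an innocent-looking relative name into a write elsewhere, which is why the realpath comparison is done on the joined path rather than on the name.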

Package 'obs-service-source_validator':

  • CVE-2017-9274: Don't use rpmbuild to extract sources, patches etc. from a spec, since rpmbuild evaluates the spec and runs its scriptlets (bnc#938556).
  • CVE-2016-4007: Several maintained source services are vulnerable to code/parameter injection (bsc#967265)
  • Update to version 0.7.
  • Use spec_query, which relies on the specfile parser from the build package, instead of output_versions (boo#1059858)
  • Fix several occurrences of "uninitialized value" in obs-service-source_validator (bsc#967610)
  • Hack for util-linux specfiles (bnc#891829)
  • Fix dependency on gnupg2 for Fedora (bnc#827480)
  • Exit if tmpdir creation fails (bnc#796918)
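Two of the entries above describe the same design change: source file names are read from the spec by a parser (spec_query on top of the build package's specfile parser) instead of by running rpmbuild on it. The block below is an added example of that approach; it is not the spec_query or specfile parser from the build package and not code from obs-service-source_validator. Its macro and section handling is deliberately minimal (no %if conditionals, no %% escapes, no parametric macro calls), the sample spec is constructed for the example, and Python is used for readability although the real services are Perl and shell.

```python
"""Read Source*/Patch* tags from an RPM spec by parsing the text, never by
running rpmbuild on it.

Added example, not the spec_query/specfile parser of the OBS 'build' package
nor code from obs-service-source_validator. Macro and section handling are
minimal (no %if conditionals, no %% escapes, no parametric macro calls) and
the sample spec is constructed for the example.
"""
import re
import subprocess
from typing import Dict, List

# Constructed, attacker-controlled spec. Under 'rpmbuild -bp' the %prep
# section below is executed as shell by the user running the service.
SAMPLE_SPEC = """\
%define major 1
%global build_suffix -src
Name:           example
Version:        %{major}.2.3
Release:        0%{?dist}
Summary:        Example package
# Sources and patches are all a source validator needs from the preamble.
Source0:        %{name}-%{version}%{build_suffix}.tar.xz
Source1:        %{name}.keyring
Patch0:         %{name}-fix-build.patch
Patch1:         0001-harden.patch

%description
Example.

%prep
rm -rf "$HOME"
%setup -q
"""

_MACRO_DEF = re.compile(r"^\s*%(?:define|global)\s+(\w+)(?:\([^)]*\))?\s+(.*?)\s*$")
_TAG = re.compile(r"^\s*(Name|Version|Release|Source\d*|Patch\d*)\s*:\s*(.*?)\s*$", re.I)
_REF = re.compile(r"%\{(\??)(\w+)\}|%(\w+)")
_SECTION = re.compile(
    r"^%(description|prep|build|install|check|files|changelog|package|"
    r"preun|postun|pretrans|posttrans|pre|post|clean|trigger\w*)\b")


def expand(value: str, macros: Dict[str, str]) -> str:
    """Expand %{name}, %name and %{?name} references from MACROS.
    An unknown %{?name} becomes empty, an unknown %{name} is left as written.
    The pass count is bounded so a self-referential definition cannot loop."""
    def sub(m: "re.Match[str]") -> str:
        optional, name = (m.group(1), m.group(2)) if m.group(2) else ("", m.group(3))
        if name in macros:
            return macros[name]
        return "" if optional else m.group(0)

    prev = None
    for _ in range(10):
        if value == prev:
            break
        prev, value = value, _REF.sub(sub, value)
    return value


def parse_spec(text: str) -> Dict[str, List[str]]:
    """Collect expanded Source*/Patch* file names from the spec preamble.
    Everything from the first section header (%prep, %build, ...) on is
    skipped as data; none of it is ever handed to a shell or to rpmbuild."""
    macros: Dict[str, str] = {}
    sources: List[str] = []
    patches: List[str] = []
    skipped: List[str] = []
    in_preamble = True
    for line in text.splitlines():
        sec = _SECTION.match(line)
        if sec:
            in_preamble = False
            skipped.append(sec.group(1))
            continue
        if not in_preamble or line.lstrip().startswith("#"):
            continue
        m = _MACRO_DEF.match(line)
        if m:
            macros[m.group(1)] = expand(m.group(2), macros)
            continue
        m = _TAG.match(line)
        if m:
            tag, value = m.group(1).lower(), expand(m.group(2), macros)
            if tag in ("name", "version", "release"):
                macros[tag] = value          # later tags may refer to these
            elif tag.startswith("source"):
                sources.append(value)
            else:
                patches.append(value)
    return {"sources": sources, "patches": patches, "sections_skipped": skipped}


def unsafe_sources_via_rpmbuild(spec_path: str) -> None:
    """The pattern the advisory moves away from: letting rpmbuild evaluate the
    spec. It runs %prep (arbitrary shell) even when only metadata is wanted.
    Defined for contrast only; not called here."""
    subprocess.run(["rpmbuild", "-bp", "--nodeps", spec_path], check=True)


if __name__ == "__main__":
    print(parse_spec(SAMPLE_SPEC))
```

The %prep line in the sample never reaches a shell: the parser treats every section body as opaque text, and the only evaluation it performs is string substitution of macros it has seen in the preamble. A real spec parser has to cover conditionals, %% escapes and parametric macros as well, but the trust boundary stays the same: the spec is data to be read, not a program to be run.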

Package 'osc':

  • Update to version 0.162.0.