Fixing security issues on OBS toolchain
Announcement ID: SUSE-SU-2018:0065-1
Rating: important
An update that solves three vulnerabilities and has five security fixes can now be installed.
Description:
This OBS toolchain update fixes the following issues:
Package 'build':
- CVE-2017-14804: Improve the file name check in extractbuild (bsc#1069904)
- Fixed Dockerfile repository parsing
Package 'obs-service-source_validator':
- CVE-2017-9274: Don't use rpmbuild to extract sources, patches etc. from a spec (bnc#938556).
- CVE-2016-4007: Several maintained source services are vulnerable to code/parameter injection (bsc#967265)
- Update to version 0.7.
- Use spec_query instead of output_versions using the specfile parser from the build package (boo#1059858)
- obs-service-source_validator: fixed several occurrences of an uninitialized value (bsc#967610)
- Added a workaround for util-linux spec files (bnc#891829)
- Fixed the dependency on gnupg2 for Fedora (bnc#827480)
- Exit if tmpdir creation fails (bnc#796918)
Package 'osc':
- Update to version 0.162.0.
Patch Instructions:
To install this SUSE update, use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively, you can run the command listed for your product:
- SUSE Linux Enterprise Software Development Kit 11 SP4:
  zypper in -t patch sdksp4-build-13404=1
Package List:
- SUSE Linux Enterprise Software Development Kit 11 SP4 (noarch):
  build-20171128-8.3.3
- SUSE Linux Enterprise Software Development Kit 11 SP4 (s390x x86_64 i586 ppc64 ia64):
  osc-0.162.1-7.4.1
References:
- https://www.suse.com/security/cve/CVE-2016-4007.html
- https://www.suse.com/security/cve/CVE-2017-14804.html
- https://www.suse.com/security/cve/CVE-2017-9274.html
- https://bugzilla.suse.com/show_bug.cgi?id=1059858
- https://bugzilla.suse.com/show_bug.cgi?id=1069904
- https://bugzilla.suse.com/show_bug.cgi?id=796918
- https://bugzilla.suse.com/show_bug.cgi?id=827480
- https://bugzilla.suse.com/show_bug.cgi?id=891829
- https://bugzilla.suse.com/show_bug.cgi?id=938556
- https://bugzilla.suse.com/show_bug.cgi?id=967265
- https://bugzilla.suse.com/show_bug.cgi?id=967610