An update for obs-server is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP3
Security Advisory
openeuler-security@openeuler.org
openEuler security committee
openEuler-SA-2022-1674
Final
1.0
1.0
2022-05-25
Initial
2022-05-25
2022-05-25
openEuler SA Tool V1.0
2022-05-25
obs-server security update
An update for obs-server is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP3.
The Open Build Service (OBS) backend is used to store all sources and binaries. It also calculates the need for new build jobs and distributes them.
Security Fix(es):
An Improper Restriction of XML External Entity Reference vulnerability in SUSE Open Build Service allows remote attackers to reference external entities in certain operations. This can be used to gain information from the server that can be abused to escalate to Admin privileges on OBS. This issue affects SUSE Open Build Service versions prior to 2.10.13. (CVE-2022-21949)
openEuler Security has rated this update as having a security impact of High. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
High
obs-server
https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1674
https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-21949
https://nvd.nist.gov/vuln/detail/CVE-2022-21949
openEuler-20.03-LTS-SP1
openEuler-20.03-LTS-SP3
obs-server-2.10.11-3.oe1.src.rpm
obs-server-2.10.11-3.oe1.src.rpm
obs-api-2.10.11-3.oe1.noarch.rpm
obs-common-2.10.11-3.oe1.noarch.rpm
obs-server-2.10.11-3.oe1.noarch.rpm
obs-api-2.10.11-3.oe1.noarch.rpm
obs-common-2.10.11-3.oe1.noarch.rpm
obs-server-2.10.11-3.oe1.noarch.rpm
An Improper Restriction of XML External Entity Reference vulnerability in SUSE Open Build Service allows remote attackers to reference external entities in certain operations. This can be used to gain information from the server that can be abused to escalate to Admin privileges on OBS. This issue affects SUSE Open Build Service versions prior to 2.10.13.
2022-05-25
CVE-2022-21949
openEuler-20.03-LTS-SP1
openEuler-20.03-LTS-SP3
openEuler-22.03-LTS
High
8.8
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
obs-server security update
2022-05-25
https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1674