openEuler Security Advisory openEuler-SA-2022-1674

Title: An update for obs-server is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP3
Document type: Security Advisory
Publisher: openEuler security committee (openeuler-security@openeuler.org)
Status: Final
Version: 1.0
Revision history: 1.0, 2022-05-25, Initial
Initial release date: 2022-05-25
Current release date: 2022-05-25
Generator: openEuler SA Tool V1.0, 2022-05-25
Synopsis: obs-server security update
Severity: High
Affected component: obs-server

Topic:
An update for obs-server is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP3. openEuler Security has rated this update as having a security impact of high. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:
The Open Build Service (OBS) backend is used to store all sources and binaries. It also calculates the need for new build jobs and distributes them.

Security Fix(es):
An Improper Restriction of XML External Entity Reference vulnerability in SUSE Open Build Service allows remote attackers to reference external entities in certain operations. This can be used to gain information from the server that can be abused to escalate to Admin privileges on OBS. This issue affects: SUSE Open Build Service Open Build Service versions prior to 2.10.13. (CVE-2022-21949)

References:
https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1674
https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-21949
https://nvd.nist.gov/vuln/detail/CVE-2022-21949

Affected products:
openEuler-20.03-LTS-SP1
openEuler-20.03-LTS-SP3

Updated packages for openEuler-20.03-LTS-SP1:
obs-server-2.10.11-3.oe1.src.rpm
obs-api-2.10.11-3.oe1.noarch.rpm
obs-common-2.10.11-3.oe1.noarch.rpm
obs-server-2.10.11-3.oe1.noarch.rpm

Updated packages for openEuler-20.03-LTS-SP3:
obs-server-2.10.11-3.oe1.src.rpm
obs-api-2.10.11-3.oe1.noarch.rpm
obs-common-2.10.11-3.oe1.noarch.rpm
obs-server-2.10.11-3.oe1.noarch.rpm

Vulnerability: CVE-2022-21949
Release date: 2022-05-25
Description: An Improper Restriction of XML External Entity Reference vulnerability in SUSE Open Build Service allows remote attackers to reference external entities in certain operations. This can be used to gain information from the server that can be abused to escalate to Admin privileges on OBS. This issue affects: SUSE Open Build Service Open Build Service versions prior to 2.10.13.
Product status: openEuler-20.03-LTS-SP1, openEuler-20.03-LTS-SP3, openEuler-22.03-LTS
Severity: High
CVSS base score: 8.8
CVSS vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Remediation: obs-server security update, 2022-05-25, https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1674