An update that solves three vulnerabilities and has two fixes is now available.
Description:
This OBS toolchain update fixes the following issues:
Package 'build':
- CVE-2010-4226: force use of bsdtar for VMs (bnc#665768) - CVE-2017-14804: Improve file name check extractbuild (bsc#1069904) - switch baselibs scheme for debuginfo packages from foo-debuginfo-32bit to foo-32bit-debuginfo (fate#323217)
Package 'obs-service-source_validator': - CVE-2017-9274: Don't use rpmbuild to extract sources, patches etc. from a spec (bnc#938556). - Update to version 0.7 - use spec_query instead of output_versions using the specfile parser from the build package (boo#1059858)
Package 'osc': - update to version 0.162.0 - add Recommends: ca-certificates to enable TLS verification without manually installing them. (bnc#1061500)
This update was imported from the SUSE:SLE-12:Update update project.
Patch Instructions:
To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product:
- openSUSE Leap 42.3:
zypper in -t patch openSUSE-2017-1360=1
- openSUSE Leap 42.2:
zypper in -t patch openSUSE-2017-1360=1
To bring your system up-to-date, use "zypper patch".