Source: open-build-service
Followup-For: Bug #911797

Hi,

Thanks for reporting these. I've checked and found:

* CVE-2018-12477 not affected:
  - This is 3rd party that wasn't packaged in our open-build-service package:
    https://github.com/openSUSE/obs-service-refresh_patches

* CVE-2018-12478 not affected:
  - This is 3rd party that wasn't packaged in our open-build-service package:
    https://github.com/openSUSE/obs-service-replace_using_package_version

* CVE-2018-12479 needs to be forwarded upstream:
  - This probably needs a backport patch. Patches from the pull request didn't apply on our OBS 2.7.4:
    https://github.com/openSUSE/open-build-service/pull/5880

* CVE-2018-12467 needs to be forwarded upstream:
  - This probably needs a backport patch. The patches are only found in the master branch on upstream GitHub. They aren't found in the 2.9 and 2.7 branches upstream. The patch couldn't be applied on our OBS 2.7.4:
    https://github.com/openSUSE/open-build-service/commit/f57b660f49f830006766a8d4abc3b4af6e178063

* CVE-2018-12466 probably not affected:
  - This pointed to the same commit in upstream GitHub. And the URL provided on the CVE listed vulnerable products that don't contain OBS 2.7.x:
    https://www.securityfocus.com/bid/104958

Best regards,
-Andrew