On Fri, Oct 26, 2018 at 03:24:27PM +0800, Andrew Lee (李健秋) wrote:
> * CVE-2018-12466 probably not affected:
>   - This pointed to the same commit in upstream github. And the url
>     provided on the CVE listed vulnerable products that doesn't
>     contain OBS 2.7.x:
>     https://www.securityfocus.com/bid/104958
The affected versions listed on securityfocus.com are mostly meaningless, I don't think there's real research behind them. Better contact upstream to have them clarify the status for 2.7.

Also, I think it would be good if OBS as packaged in Debian would explicitly state the scope of support/intended purpose (e.g. in README.Debian). This most probably isn't meant to operate a public service like the one operated by SuSE? What's the intended scope/audience/use case? Building a trusted source for a number of platforms/distros or are untrusted uploads/permission management in scope?

Cheers,
Moritz