{"affected":[{"ecosystem_specific":{"binaries":[{"build":"20171128-8.3.3","osc":"0.162.1-7.4.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise Software Development Kit 11 SP4","name":"build","purl":"pkg:rpm/suse/build&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2011%20SP4"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"20171128-8.3.3"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"build":"20171128-8.3.3","osc":"0.162.1-7.4.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise Software Development Kit 11 SP4","name":"osc","purl":"pkg:rpm/suse/osc&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2011%20SP4"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"0.162.1-7.4.1"}],"type":"ECOSYSTEM"}]}],"aliases":[],"details":"This OBS toolchain update fixes the following issues:\n\nPackage 'build':\n\n- CVE-2017-14804: Improve file name check extractbuild (bsc#1069904)\n- Fixed Dockerfile repository parsing\n\nPackage 'obs-service-source_validator':\n\n- CVE-2017-9274: Don't use rpmbuild to extract sources, patches etc. 
from a spec (bnc#938556).\n- CVE-2016-4007: Several maintained source services are vulnerable to code/parameter injection (bsc#967265)\n- Update to version 0.7.\n- Use spec_query instead of output_versions using the specfile parser from the build package (boo#1059858)\n- obs-service-source_validator: several occurrences of uninitialized value (bsc#967610)\n- hack for util-linux specfiles (bnc#891829)\n- fix dependency to gnupg2 for Fedora (bnc#827480)\n- exit if tmpdir creation fails (bnc#796918)\n\n\nPackage 'osc':\n\n- Update to version 0.162.0.\n","id":"SUSE-SU-2018:0065-1","modified":"2018-01-11T10:25:14Z","published":"2018-01-11T10:25:14Z","references":[{"type":"ADVISORY","url":"https://www.suse.com/support/update/announcement/2018/suse-su-20180065-1/"},{"type":"REPORT","url":"https://bugzilla.suse.com/1059858"},{"type":"REPORT","url":"https://bugzilla.suse.com/1069904"},{"type":"REPORT","url":"https://bugzilla.suse.com/796918"},{"type":"REPORT","url":"https://bugzilla.suse.com/827480"},{"type":"REPORT","url":"https://bugzilla.suse.com/891829"},{"type":"REPORT","url":"https://bugzilla.suse.com/938556"},{"type":"REPORT","url":"https://bugzilla.suse.com/967265"},{"type":"REPORT","url":"https://bugzilla.suse.com/967610"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2016-4007"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2017-14804"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2017-9274"}],"related":["CVE-2016-4007","CVE-2017-14804","CVE-2017-9274"],"summary":"Fixing security issues on OBS toolchain","upstream":["CVE-2016-4007","CVE-2017-14804","CVE-2017-9274"]}