
SUSE alert openSUSE-SU-2026:0108-1 (obs-service-set_version)

From:  maintenance@opensuse.org
To:  security-announce@lists.opensuse.org
Subject:  openSUSE-SU-2026:0108-1: moderate: Security update for obs-service-set_version
Date:  Mon, 30 Mar 2026 15:06:00 +0200
Message-ID:  <20260330130600.C4D6CFDC6@maintenance.suse.de>

openSUSE Security Update: Security update for obs-service-set_version
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2026:0108-1
Rating:             moderate
References:         #1072359 #1212476 #866966
Cross-References:   CVE-2014-0593
Affected Products:  openSUSE Backports SLE-15-SP7
______________________________________________________________________________

An update that solves one vulnerability and has two fixes is now available.

Description:

This update for obs-service-set_version fixes the following issues:

- Update to version 0.6.6:
  * Hardcode "0" as release for PKGBUILD as well
- expand __python3 with python3 to work outside suse rpm packaging
- Update to version 0.6.5:
  * Update spec file to the one used in the packaging
  * Move revision detection into _revision_detect
- Fix shebang of the script to use the explicit version of Python (boo#1212476).
- Update to version 0.6.4:
  * Treat LegacyVersion as InvalidVersion
  * Add testing python 3.10 - 3.12
- Update to version 0.6.3:
  * [dist] import spec file from O:S:U
  * Mute warning about missing EMAIL env variable in unit tests
  * Fix unit tests
  * Replace invalid use of os.errno with errno module
  * Replace @VERSION@ placeholders in .dsc files
  * Remove usage of deprecated imp module with importlib
  * Detect revision and set pkgrel for Arch packages
- add support for AL2023
- Builds on CentOS_[5678] and possibly other distros failed because their 'rpm' didn't recognize the "Recommends:" tag. I've wrapped that tag in an "%if 0%{?suse_version}" to work around it. Build is now passing on the CentOS distros.
- Update to version 0.6.2:
  * Avoid the Flake8 warning and restore conditional import
- Update to version 0.6.1:
  * Handle already converted versions gracefully
  * Flake8 fixes (missing import)
  * Test python3 by default
- Update to version 0.6.0:
  * Test against Python 3.10 which is the Tumbleweed default
  * Remove TravisCI - we switched to GitHub Actions
  * handle removed packaging.version.LegacyVersion (Fixes #83)
- simplify conditions for all rhel like distros to skip testsuite
- Update to version 0.5.14:
  * changed debugging output to logging module
  * Explicitly specifying --fromfile should win over .obsinfo
  * Add new switch --fromfile
  * Add zst to recognized suffixes (zstd support)
- Update to version 0.5.13:
  * add license file
  * fixing suffixes - remove backslashes
  * fix suffixes to begin with a dot
  * enhanced debug mode
  * tests for directory pristine-tar
- Update to version 0.5.12:
  * debian: set script shebang to python3
  * debian: add python3 as a runtime dependency
  * conditionally define PYTHON in Makefile
  * debian: use python3 for building
  * try to fix set_version:157:13: E117 over-indented (comment)
- Modified .spec file to better suit Fedora OS (let's just assume all Fedora versions has python 3)
- Update to version 0.5.11:
  * try to fix set_version:157:13: E117 over-indented (comment)
- enable test suite by default
  * if it does not build, it can also not be executed on the distro
- fix requires for SLE 12 distro
- Changed source files to support python 3
- fix for Fedora 30/Rawhide
- for now obs_scm_testsuite only for > 1315, needed python stuff not available otherwise
- Update to version 0.5.11:
  * fix code to pass flake8 tests for python3
  * fix zipfile crash also for python2.7
  * avoid error with latest flake8 about unused variable
  * allow running tests with python3
  * second place where zip file handling can crash
  * avoid crashes due to false is_zipfile() response
  * Add python-flake8 to test suite package list
  * Fix indentation of condition
  * Fix basename to match documentation (#54)
- Update to version 0.5.10:
  * fix zipfile crash also for python2.7
- Wrap make check in bcond obs_scm_testsuite
- Update to version 0.5.9:
  * avoid crashes due to false is_zipfile() response
- enable test suite
- Update to version 0.5.8:
  * fixes boo#1072359
  * code cleanup and some refactoring
  * cli options --debug and --regex
  * new targets (test/clean) for Makefile
  * initial .gitignore
  * Mention that tests may take some time in README.md
  * Fix pip/zypper tests for python3
  * enforce files to be decoded as UTF-8
  * Don't let version check get beyond path boundary
  * Slightly reorganize README.md file
- add requires to python3, since Leap 15.0 still does not have the fileprovides
- Update to version 0.5.7:
  * added gitignore
  * added target 'clean' in Makefile
  * Added new target 'test' to Makefile
  * fix flake8 error 'do not use bare except'
  * Reverting patch for setlocale as it breaks in containers
- Update to version 0.5.7:
  * workaround for python3 locale problems in factory
  * add a hint to flake8
  * satisfy flake8
  * skip also sha256sums check for Arch
- switch to python3 for less ancient distros
- Avoid half-converting Debian native pkgs to non-native pkgs
- Simplify the pip version handling
- travis: Do not use "--use-mirrors" when using pip
- travis: Test python 3.6
- try to avoid python-packaging to support non-SUSE distros
- Update to version 0.5.6:
  * strip \n from version in obsinfo
- Update to version 0.5.5:
  * read version from .obsinfo file if available
  * Add support for Collax build recipes
- Update to version 0.5.4:
  * support obscpio archives
  * do not strip release number in debian, but setting it back
- Update to version 0.5.3:
  * VersionDetector._autodetect: prioritize the directory name over the file name
- Update to version 0.5.3:
  * Don't add unconverted_version unconditionally
- Update to version 0.5.3:
  + Use old version from testing data instead of hardcoding
  + Fix replacement of empty tags
  + Fix empty version checks for debian/changelog
  + fix when switching from .dev to non-dev version
- Update to version 0.5.3:
  + Set pkgver and pkgrel for PKGBUILD files (fixes #21)
  + Fix python3 compat
- Update to version 0.5.2:
  + fix it ... it only worked with "disabledrun" mode by luck
- Update to version 0.5.1:
  + Make python-packaging runtime dep optional
  + Fix %setup handling for python spec files
- Recommends python-packaging
- Require python-packaging
- Update to version 0.5.0:
  + Add Makefile with install target
  + Change debian source format to 'native'
  + Fix tar file detection for PKGBUILD
  + Add Testsuite and README.md
  + - empty dummy commit to test travis hook
  + Disable py26, enable py{33,34} for tests
  + Add basic test for debian changelogs
  + Add travis build status image to README
  + Also do negative test for debian/changelog
  + Move testdata to .json files
  + Move _write_tarfile() to base test class
  + Remove python 2.6 compat import
  + Reuse test data for debian changelog tests
  + Rewrite set_version in python
  + Install devscripts in travis-ci test env
  + Restructure version detection code
  + Allow files in test tarballs
  + Add package type detection for python
  + Add version converter for python packages
  + Run python version converter tests with dpkg
  + Add function to add or replace a %define
  + Fix problem with replacing tags in spec files
  + Add function to replace %{version} in %setup
  + Add custom line support for _write_specfile func
  + Finally use version conversion for python packages
  + Skip some tests if zypper or dpkg are unavailable
  + Use python binary from virtualenv
- Update to version 0.4.2:
  + Release 0.4.2
- Update Debian changelog
- Update to version 0.4.2:
  + the extension needs to be \.
  + test with defined() at ./set_version line 118.
  + Fix processing of --file parameter
  + Add support for setting the version in debian.changelog
  + Sort local file list based on modification time (newest first)
- Update to version 0.4.1:
  + Add support to automatically detect version based on Debian changelog file
  + Initial debianization
  + Handle PKGBUILD files generated by services
- Update to version 0.4.1:
  + - drop old bash version
  + - fix PKGBUILD version setting
  + fix help text
  + support detection from tar ball content
  + use warnings pragma
  + - replace bash script with a more secure perl version
  + fix urgent quoting bugs
  + Be more liberal in root-dir version detection
- Update to version 0.4.1:
  + - drop old bash version
  + - fix PKGBUILD version setting
  + fix help text
- Update to version 0.4.0:
  + support detection from tar ball content
  + use warnings pragma
- Update to version 0.4.0:
  This is a rewrite in perl
  This fixes also a sed commandline injection (boo#866966 CVE-2014-0593)
- Update to version 0.3.3:
  + ERROR: git log --pretty=format:%s --no-merges 4b090f0cad..4fc9fcb0c2 failed; aborting!
- Update to version 0.3.3:
  + - drop two echo lines which can be used to run random commands
- Update to version 0.3.2:
  + Be more liberal in root-dir version detection
- Update to version 0.3.1:
  + Check tarball content's root-dir for version
  + Use a for-loop for different endings
- Move service to github.com/openSUSE/obs-service-set_version
- Add _service file to update package from there
- Drop local sources and use tarball from source services
- Take Debian version and revision number from debian.changelog file
- add support for PKGBUILD aka Arch Linux files
- Preserve whitespaces in Version: and Requires: lines
- only change the first occurrence of Version: header
- output useful info during run
- when auto-detecting the version, use the newest matching file
- patch License to follow spdx.org standard
- add --basename to usage help text
- do not delete mandriva/fedora macros in release when reset the release number
- support detecting the version from *.tbz2 files
- initial package of service
- fix set version, when also release number is reset

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Backports SLE-15-SP7:

  zypper in -t patch openSUSE-2026-108=1

Package List:

- openSUSE Backports SLE-15-SP7 (noarch):

  obs-service-set_version-0.6.6-bp157.2.1

References:

https://www.suse.com/security/cve/CVE-2014-0593.html
https://bugzilla.suse.com/1072359
https://bugzilla.suse.com/1212476
https://bugzilla.suse.com/866966




Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds