Hey, Just for reference, we track some "details" in the security-tracker entry for CVE-2017-9274. SUSE did not only fix the obs-service-source_validate part, but in osc added a validation (in version 0.162.0) when using OBS 2.9 which is via commit:
https://github.com/openSUSE/osc/commit/f0325eb0b58c266eb0905ccf827dc7eb864378a1 apparently. Hope this additionally helps, Regards, Salvatore