From 79921c892236d5630579ff1ee17449b828a3b3cb Mon Sep 17 00:00:00 2001 From: Mike McLean Date: Oct 09 2019 14:59:01 +0000 Subject: PR#1688: clarify fixed/affected versions in cve announcement Merges #1688 https://pagure.io/koji/pull-request/1688 --- diff --git a/docs/source/CVE-2019-17109.rst b/docs/source/CVE-2019-17109.rst index 87ac142..9784167 100644 --- a/docs/source/CVE-2019-17109.rst +++ b/docs/source/CVE-2019-17109.rst @@ -22,7 +22,8 @@ fixed version as soon as possible. Bug fix ------- -We are releasing updates for each affected version of Koji to fix this bug. +We are releasing updates for affected versions of Koji from within the +past two years. The following releases all contain the fix: - 1.18.1 @@ -33,6 +34,9 @@ The following releases all contain the fix: Note: the legacy-py24 branch is unaffected since it is client-only (no hub). +Anyone using a Koji version older than two years should update to a more +current version as soon as possible. + For users who have customized their Koji code, we recommend rebasing your work onto the appropriate update release. Please see Koji `issue #1634 `_ for the code details.
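Review bot: In the first hunk (Bug fix section), "from within the past two years" is a relative window with no anchor date, so a reader who opens this announcement later cannot tell which release lines it covers. The new wording also replaces "each affected version", which implies that some affected versions get no update, but it does not say which ones. Suggest stating the cutoff explicitly, for example by naming the oldest release line that receives a fix, and saying plainly that older affected releases will not be patched.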
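Review bot: In the second hunk, "should update to a more current version" does not tell the reader to pick a release that contains the fix. A version that is merely newer than the one they run is not necessarily in the list above, which names specific point releases such as 1.18.1. Suggest wording along the lines of "should update to one of the fixed releases listed above", and consider moving the paragraph directly under that list rather than after the legacy-py24 note, so the guidance sits next to the versions it refers to.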