From cdd3483b808dbd68d326128d4ed01f112a0cbda4 Mon Sep 17 00:00:00 2001
From: Mike McLean
Date: Oct 09 2019 14:45:31 +0000
Subject: PR#1687: Docs updates for CVE-2019-17109
Merges #1687 https://pagure.io/koji/pull-request/1687
---
diff --git a/docs/source/CVE-2019-17109.rst b/docs/source/CVE-2019-17109.rst
new file mode 100644
index 0000000..87ac142
--- /dev/null
+++ b/docs/source/CVE-2019-17109.rst
@@ -0,0 +1,49 @@
+==============
+CVE-2019-17109
+==============
+
+Koji hub allows arbitrary upload destinations
+
+
+Summary
+-------
+
+The way that the hub code validates upload paths allows for an attacker to
+choose an arbitrary destination for the uploaded file.
+
+Uploading still requires login. However, an attacker with credentials could
+damage the integrity of the Koji system.
+
+There is no known workaround. All Koji admins are encouraged to update to a
+fixed version as soon as possible.
+
+
+
+Bug fix
+-------
+
+We are releasing updates for each affected version of Koji to fix this bug.
+The following releases all contain the fix:
+
+- 1.18.1
+- 1.17.1
+- 1.16.3
+- 1.15.3
+- 1.14.3
+
+Note: the legacy-py24 branch is unaffected since it is client-only (no hub).
+
+For users who have customized their Koji code, we recommend rebasing your work
+onto the appropriate update release. Please see Koji
+`issue #1634 `_ for the code details.
+
+As with all changes to hub code, you must restart httpd for the changes to
+take effect.
+
+
+Links
+-----
+
+Fixed versions can be found at our releases page:
+
+ https://pagure.io/koji/releases
diff --git a/docs/source/CVEs.rst b/docs/source/CVEs.rst
index 4b4d9aa..86b06ab 100644
--- a/docs/source/CVEs.rst
+++ b/docs/source/CVEs.rst
@@ -5,6 +5,7 @@ Koji CVEs
 .. toctree::
 :titlesonly:
+ CVE-2019-17109
 CVE-2018-1002161
 CVE-2018-1002150
 CVE-2017-1002153
diff --git a/docs/source/conf.py b/docs/source/conf.py
index 09d63f5..8281521 100644
--- a/docs/source/conf.py
+++ b/docs/source/conf.py
@@ -56,7 +56,7 @@ copyright = u'2017, Mike McLean, Mike B, Dennis Gilmore, Mathieu Bridon, Ian McL
 # The short X.Y version.
 version = '1.18'
 # The full version, including alpha/beta/rc tags.
-release = '1.18.0'
+release = '1.18.1'
 # The language for content autogenerated by Sphinx. Refer to documentation
 # for a list of supported languages.
diff --git a/docs/source/release_notes.rst b/docs/source/release_notes.rst
index e1ea496..dfbf632 100644
--- a/docs/source/release_notes.rst
+++ b/docs/source/release_notes.rst
@@ -5,6 +5,7 @@ Release Notes
 .. toctree::
 :maxdepth: 1
+ release_notes_1.18.1
 release_notes_1.18
 release_notes_1.17
 release_notes_1.16.2
diff --git a/docs/source/release_notes_1.18.1.rst b/docs/source/release_notes_1.18.1.rst
new file mode 100644
index 0000000..94e6b6b
--- /dev/null
+++ b/docs/source/release_notes_1.18.1.rst
@@ -0,0 +1,12 @@
+Koji 1.18.1 Release Notes
+=========================
+
+Koji 1.18.1 is a bugfix release for Koji 1.18.
+The purpose of this release is address :doc:`CVE-2019-17109`.
+
+
+Issues fixed in 1.18.1
+----------------------
+
+- `Issue 1634 `_ --
+ possible to upload file to a path other than work directory
diff --git a/koji.spec b/koji.spec
index 9f538d3..0ba006f 100644
--- a/koji.spec
+++ b/koji.spec
@@ -81,7 +81,7 @@
 %define release %{baserelease}
 %endif
 Name: koji
-Version: 1.18.0
+Version: 1.18.1
 Release: %{release}%{?dist}
 License: LGPLv2 and GPLv2+
 # the included arch lib from yum's rpmUtils is GPLv2+
diff --git a/setup.py b/setup.py
index 69c8555..8029da9 100644
--- a/setup.py
+++ b/setup.py
@@ -32,7 +32,7 @@ def get_install_requires():
 setup(
 name="koji",
- version="1.18.0",
+ version="1.18.1",
 description=("Koji is a system for building and tracking RPMS. The base"
 " package contains shared libraries and the command-line"
 " interface."),