@@ -0,0 +1,66 @@
+ ========================
+ FAQ for CVE-2018-1002161
+ ========================
+
+ Following are answers to some questions regarding CVE-2018-1002161
+ for Koji. If you haven’t already, you should read the
+ :doc:`announcement <CVE-2018-1002161>`.
+
+ If you have questions not covered here or in the announcement, please
+ ask them on the koji-devel mailing list.
+
+ https://lists.fedorahosted.org/archives/list/koji-devel@lists.fedorahosted.org/
+
+ Q: Does this issue affect Koji clients or builders?
+
+ The issue only affects the Koji hub.
+
+ Q: Which versions of Koji are affected?
+
+ All previous versions of Koji are affected, except for the legacy-py24
+ branch because it contains no hub code.
+
+ Q: Where are the fixed versions?
+
+ | For Koji 1.11, 1.11.1 and higher include the fix
+ | For Koji 1.12, 1.12.2 and higher include the fix
+ | For Koji 1.13, 1.13.2 and higher include the fix
+ | For Koji 1.14, 1.14.2 and higher include the fix
+ | For Koji 1.15, 1.15.2 and higher include the fix
+ | For Koji 1.16.2 and higher include the fix
+
+ You can find all of these versions on our releases page:
+
+ https://pagure.io/koji/releases
+
+ Q: What about older versions?
+
+ We have only backported the fix to Koji versions released in the past few
+ years. If you are still using a very old version of Koji, we strongly
+ recommend that you shut it down and migrate to a newer version.
+
+ Q: What can be done with this exploit?
+
+ The attacker can directly manipulate the database as they see fit. This
+ would, among other things, allow them to gain the admin permission within
+ Koji. They could destroy or corrupt the database, add new builds, replace
+ existing builds, or any number of other things.
+
+ Q: Can the attacker execute arbitrary code?
+
+ On the hub, not that we know of.
+
+ However, they could create arbitrary tasks, which would be run by the build
+ hosts.
+
+ Q: Where can I get more help?
+
+ You can ask questions on the koji-devel mailing list
+ (`koji-devel@fedorahosted.org <mailto:koji-devel@fedorahosted.org>`_).
+
+ For real time communication, we have the #koji IRC channel on
+ `Freenode <https://freenode.net/>`_.
+ The best time to ask would be during the Koji devel team
+ “office hours”, which are held each Tuesday and Thursday from
+ 10-11am eastern time.
+
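Review bot: The answer to "Does this issue affect Koji clients or builders?" states that the issue only affects the Koji hub, but the later answer under "Can the attacker execute arbitrary code?" says an attacker could create arbitrary tasks that the build hosts would run; consider qualifying the first answer (for example, "only the hub needs the fix, but builders attached to a compromised hub may execute attacker-created tasks") so operators do not read it as "builders are unaffected". Two smaller points in the same hunk: the fixed-versions list breaks its own pattern on "| For Koji 1.16.2 and higher include the fix" (the other entries read "For Koji 1.15, 1.15.2 and higher include the fix"), and the mailing list address is given as koji-devel@lists.fedorahosted.org in the archive URL near the top but as koji-devel@fedorahosted.org in the mailto link under "Where can I get more help?"; one of the two should be corrected so both point at the same list.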
Fixes: #1183