#1687 Docs updates for CVE-2019-17109
Merged 4 years ago by mikem. Opened 4 years ago by mikem.
mikem/koji upath-docs into master

@@ -0,0 +1,49 @@ 

+ ==============

+ CVE-2019-17109

+ ==============

+ 

+ Koji hub allows arbitrary upload destinations

+ 

+ 

+ Summary

+ -------

+ 

+ The way that the hub code validates upload paths allows for an attacker to

+ choose an arbitrary destination for the uploaded file.

+ 

+ Uploading still requires login. However, an attacker with credentials could

+ damage the integrity of the Koji system.

+ 

+ There is no known workaround. All Koji admins are encouraged to update to a

+ fixed version as soon as possible.

+ 

+ 

+ 

+ Bug fix

+ -------

+ 

+ We are releasing updates for each affected version of Koji to fix this bug.

+ The following releases all contain the fix:

+ 

+ - 1.18.1

+ - 1.17.1

+ - 1.16.3

+ - 1.15.3

+ - 1.14.3

+ 

+ Note: the legacy-py24 branch is unaffected since it is client-only (no hub).

+ 

+ For users who have customized their Koji code, we recommend rebasing your work

+ onto the appropriate update release. Please see Koji

+ `issue #1634 <https://pagure.io/koji/issue/1634>`_ for the code details.

+ 

+ As with all changes to hub code, you must restart httpd for the changes to

+ take effect.

+ 

+ 

+ Links

+ -----

+ 

+ Fixed versions can be found at our releases page:

+ 

+     https://pagure.io/koji/releases
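Review bot: the Summary lists the fixed releases but never states which versions are affected, so an admin on an older or pre-release hub cannot tell from this page whether they must act; consider adding a sentence next to "There is no known workaround" along the lines of "All hub versions prior to the releases listed below are affected" (assuming that is accurate). Separately, the URL under "Links" is indented four spaces with no preceding `::`, which reStructuredText renders as a block quote; the file already uses `-` bullets in the "Bug fix" section, so `- https://pagure.io/koji/releases` would be consistent and render as intended.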

file modified
+1
@@ -5,6 +5,7 @@ 

  .. toctree::

      :titlesonly:

  

+     CVE-2019-17109

      CVE-2018-1002161

      CVE-2018-1002150

      CVE-2017-1002153

file modified
+1 -1
@@ -56,7 +56,7 @@ 

  # The short X.Y version.

  version = '1.18'

  # The full version, including alpha/beta/rc tags.

- release = '1.18.0'

+ release = '1.18.1'

  

  # The language for content autogenerated by Sphinx. Refer to documentation

  # for a list of supported languages.

@@ -5,6 +5,7 @@ 

  .. toctree::

      :maxdepth: 1

  

+     release_notes_1.18.1

      release_notes_1.18

      release_notes_1.17

      release_notes_1.16.2

@@ -0,0 +1,12 @@ 

+ Koji 1.18.1 Release Notes

+ =========================

+ 

+ Koji 1.18.1 is a bugfix release for Koji 1.18.

+ The purpose of this release is address  :doc:`CVE-2019-17109`.

+ 

+ 

+ Issues fixed in 1.18.1

+ ----------------------

+ 

+ - `Issue 1634 <https://pagure.io/koji/issue/1634>`_ --

+   possible to upload file to a path other than work directory
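Review bot: the second sentence of the release notes is missing "to" and has a doubled space before the role: "The purpose of this release is address  :doc:`CVE-2019-17109`." should read "The purpose of this release is to address :doc:`CVE-2019-17109`."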

file modified
+1 -1
@@ -81,7 +81,7 @@ 

  %define release %{baserelease}

  %endif

  Name: koji

- Version: 1.18.0

+ Version: 1.18.1

  Release: %{release}%{?dist}

  License: LGPLv2 and GPLv2+

  # the included arch lib from yum's rpmUtils is GPLv2+
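Review bot: `Version` is bumped to 1.18.1 but `%{baserelease}`, which `%define release %{baserelease}` consumes, is defined above this hunk and not shown; please confirm it is reset for the new version so the built NVR does not carry a stale Release value from 1.18.0.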

file modified
+1 -1
@@ -32,7 +32,7 @@ 

  

  setup(

      name="koji",

-     version="1.18.0",

+     version="1.18.1",

      description=("Koji is a system for building and tracking RPMS. The base"

                   " package contains shared libraries and the command-line"

                   " interface."),