@@ -0,0 +1,49 @@
+ ==============
+ CVE-2019-17109
+ ==============
+
+ Koji hub allows arbitrary upload destinations
+
+
+ Summary
+ -------
+
+ The way that the hub code validates upload paths allows for an attacker to
+ choose an arbitrary destination for the uploaded file.
+
+ Uploading still requires login. However, an attacker with credentials could
+ damage the integrity of the Koji system.
+
+ There is no known workaround. All Koji admins are encouraged to update to a
+ fixed version as soon as possible.
+
+
+
+ Bug fix
+ -------
+
+ We are releasing updates for each affected version of Koji to fix this bug.
+ The following releases all contain the fix:
+
+ - 1.18.1
+ - 1.17.1
+ - 1.16.3
+ - 1.15.3
+ - 1.14.3
+
+ Note: the legacy-py24 branch is unaffected since it is client-only (no hub).
+
+ For users who have customized their Koji code, we recommend rebasing your work
+ onto the appropriate update release. Please see Koji
+ `issue #1634 <https://pagure.io/koji/issue/1634>`_ for the code details.
+
+ As with all changes to hub code, you must restart httpd for the changes to
+ take effect.
+
+
+ Links
+ -----
+
+ Fixed versions can be found at our releases page:
+
+ https://pagure.io/koji/releases
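Review bot: the advisory never states which versions are affected; the "Bug fix" section lists only the releases that contain the fix (1.18.1, 1.17.1, 1.16.3, 1.15.3, 1.14.3) and the "Note" says legacy-py24 is unaffected, so an admin running, say, 1.13 or a 1.18.0 hub has to infer exposure from the fixed-version list. Add an explicit "Affected versions" line under "Summary" (every hub release prior to the listed updates, or whatever the actual range is) so that the CVE entry and downstream distributors can quote it directly. Two smaller points in the same file: the "Summary" paragraph says the hub "validates upload paths" in a way that allows an arbitrary destination but does not say what the fixed validation now enforces, which is the one sentence a customised-hub maintainer rebasing per the "For users who have customized their Koji code" paragraph most needs, so a single sentence describing the new check (with the `issue #1634` link kept as the pointer to the code) would help; and the "Links" section could carry a link to the CVE-2019-17109 entry itself alongside `https://pagure.io/koji/releases`, since the document title is the CVE id but nothing in the file points at the public record for it.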
cve info page and 1.18.1 release notes