| |
@@ -0,0 +1,42 @@
|
| |
+ ==============
|
| |
+ CVE-2020-15856
|
| |
+ ==============
|
| |
+
|
| |
+ XSS attack on kojiweb
|
| |
+
|
| |
+ Summary
|
| |
+ -------
|
| |
+
|
| |
+ Web interface can be abused by XSS attack. Attackers can supply subversive HTTP
|
| |
+ links containing malicious javascript code. Such links were not controlled
|
| |
+ properly, so attackers can potentially force users to submit actions which were
|
| |
+ not intended. Some actions which can be done via web UI can be destructive, so
|
| |
+ updating to this version is highly recommended.
|
| |
+
|
| |
+ Bug fix
|
| |
+ -------
|
| |
+
|
| |
+ We are releasing updates for affected versions of Koji from within the
|
| |
+ past year.
|
| |
+ The following releases all contain the fix:
|
| |
+
|
| |
+ - 1.23.1
|
| |
+ - 1.22.2
|
| |
+ - 1.21.2
|
| |
+
|
| |
+ Anyone using a Koji version older than a year should update to a more
|
| |
+ current version as soon as possible.
|
| |
+
|
| |
+ For users who have customized their Koji code, we recommend rebasing your work
|
| |
+ onto the appropriate update release. Please see Koji
|
| |
+ `issue #2645 <https://pagure.io/koji/issue/2645>`_ for the code details.
|
| |
+
|
| |
+ As with all changes to web code, you must restart httpd for the changes to
|
| |
+ take effect.
|
| |
+
|
| |
+ Links
|
| |
+ -----
|
| |
+
|
| |
+ Fixed versions can be found at our releases page:
|
| |
+
|
| |
+ https://pagure.io/koji/releases
|
| |
tkopecek
commented 3 years ago
Fixes: https://pagure.io/koji/issue/2707