#2717 doc: Additional docs for CVE-CVE-2020-15856
Merged a year ago by tkopecek. Opened a year ago by tkopecek.
tkopecek/koji issue2707  into  master

@@ -0,0 +1,42 @@ 

+ ==============

+ CVE-2020-15856

+ ==============

+ 

+ XSS attack on kojiweb

+ 

+ Summary

+ -------

+ 

+ Web interface can be abused by XSS attack. Attackers can supply subversive HTTP

+ links containing malicious javascript code. Such links were not controlled

+ properly, so attackers can potentially force users to submit actions which were

+ not intended. Some actions which can be done via web UI can be destructive, so

+ updating to this version is highly recommended.

+ 

+ Bug fix

+ -------

+ 

+ We are releasing updates for affected versions of Koji from within the

+ past year.

+ The following releases all contain the fix:

+ 

+ - 1.23.1

+ - 1.22.2

+ - 1.21.2

+ 

+ Anyone using a Koji version older than a year should update to a more

+ current version as soon as possible.

+ 

+ For users who have customized their Koji code, we recommend rebasing your work

+ onto the appropriate update release. Please see Koji

+ `issue #2645 <https://pagure.io/koji/issue/2645>`_ for the code details.

+ 

+ As with all changes to web code, you must restart httpd for the changes to

+ take effect.

+ 

+ Links

+ -----

+ 

+ Fixed versions can be found at our releases page:

+ 

+     https://pagure.io/koji/releases

@@ -5,6 +5,7 @@ 

  .. toctree::

      :titlesonly:

  

+     CVE-2020-15856

      CVE-2019-17109

      CVE-2018-1002161

      CVE-2018-1002150

Metadata Update from @tkopecek:
- Pull-request tagged with: doc, no_qe

a year ago

Commit 9a23368 fixes this pull-request

Pull-Request has been merged by tkopecek

a year ago