CVE-2018-1002161 FAQ

2018-12-08 22:14:37 -05:00 · 2018-12-08 22:14:37 -05:00 · 158e668318
commit 158e668318
parent 5671aba4d4
1 changed files with 66 additions and 0 deletions
--- a/docs/source/CVE-2018-1002161-FAQ.rst
+++ b/docs/source/CVE-2018-1002161-FAQ.rst
@ -0,0 +1,66 @@
+========================
+FAQ for CVE-2018-1002161
+========================
+
+Following are answers to some questions regarding CVE-2018-1002161
+for Koji. If you haven’t already, you should read the
+:doc:`announcement <CVE-2018-1002161>`.
+
+If you have questions not covered here or in the announcement, please
+ask them on the koji-devel mailing list.
+
+    https://lists.fedorahosted.org/archives/list/koji-devel@lists.fedorahosted.org/
+
+Q: Does this issue affect Koji clients or builders?
+
+    The issue only affects the Koji hub.
+
+Q: Which versions of Koji are affected?
+
+    All previous versions of Koji are affected, except for the legacy-py24
+    branch because it contains no hub code.
+
+Q: Where are the fixed versions?
+
+    | For Koji 1.11, 1.11.1 and higher include the fix
+    | For Koji 1.12, 1.12.2 and higher include the fix
+    | For Koji 1.13, 1.13.2 and higher include the fix
+    | For Koji 1.14, 1.14.2 and higher include the fix
+    | For Koji 1.15, 1.15.2 and higher include the fix
+    | For Koji 1.16.2 and higher include the fix
+
+    You can find all of these versions on our releases page:
+
+    https://pagure.io/koji/releases
+
+Q: What about older versions?
+
+    We have only backported the fix to Koji versions released in the past few
+    years. If you are still using a very old version of Koji, we strongly
+    recommend that you shut it down and migrate to a newer version.
+
+Q: What can be done with this exploit?
+
+    The attacker can directly manipulate the database as they see fit. This
+    would, among other things, allow them to gain the admin permission within
+    Koji. They could destroy or corrupt the database, add new builds, replace
+    existing builds, or any number of other things.
+
+Q: Can the attacker execute arbitrary code?
+
+    On the hub, not that we know of.
+
+    However, they could create arbitrary tasks, which would be run by the build
+    hosts.
+
+Q: Where can I get more help?
+
+    You can ask questions on the koji-devel mailing list
+    (`koji-devel@fedorahosted.org <mailto:koji-devel@fedorahosted.org>`_).
+
+    For real time communication, we have the #koji IRC channel on
+    `Freenode <https://freenode.net/>`_.
+    The best time to ask would be during the Koji devel team
+    “office hours”, which are held each Tuesday and Thursday from
+    10-11am eastern time.
+