release notes and cve doc

2024-10-04 06:54:20 -04:00 · 2024-10-04 06:54:20 -04:00 · c539dfc9a6
commit c539dfc9a6
parent 6629adff0e
6 changed files with 148 additions and 0 deletions
--- a/docs/source/CVEs/CVE-2024-9427.rst
+++ b/docs/source/CVEs/CVE-2024-9427.rst
@ -0,0 +1,42 @@
+=============
+CVE-2024-9427
+=============
+
+New XSS attack on kojiweb
+
+Summary
+-------
+
+An unsanitized input allows for an XSS attack. Javascript code from a malicious
+link could be reflected in the resulting web page. At present, we do not
+believe that this can be used to submit an action or make a change in Koji due
+to existing XSS protections in the code. Even so, this is a serious issue and
+we recommend applying this update promptly.
+
+Bug fix
+-------
+
+We are releasing updates for affected versions of Koji from within the
+past year.
+The following releases all contain the fix:
+
+- 1.35.1
+- 1.34.3
+- 1.33.2
+
+Anyone using a Koji version older than a year should update to a more
+current version as soon as possible.
+
+For users who have customized their Koji code, we recommend rebasing your work
+onto the appropriate update release. Please see Koji
+`issue #4204 <https://pagure.io/koji/issue/4204>`_ for the code details.
+
+As with all changes to web code, you must restart httpd for the changes to
+take effect.
+
+Links
+-----
+
+Fixed versions can be found at our releases page:
+
+    https://pagure.io/koji/releases
--- a/docs/source/CVEs/CVEs.rst
+++ b/docs/source/CVEs/CVEs.rst
@ -5,6 +5,7 @@ Koji CVEs
 .. toctree::
    :titlesonly:

+    CVE-2024-9427
    CVE-2020-15856
    CVE-2019-17109
    CVE-2018-1002161
--- a/docs/source/release_notes/release_notes.rst
+++ b/docs/source/release_notes/release_notes.rst
@ -5,9 +5,12 @@ Release Notes
 .. toctree::
    :maxdepth: 1

+    release_notes_1.35.1
    release_notes_1.35
+    release_notes_1.34.3
    release_notes_1.34.1
    release_notes_1.34
+    release_notes_1.33.2
    release_notes_1.33.1
    release_notes_1.33
    release_notes_1.32.1
--- a/docs/source/release_notes/release_notes_1.33.2.rst
+++ b/docs/source/release_notes/release_notes_1.33.2.rst
@ -0,0 +1,34 @@
+
+Koji 1.33.2 Release notes
+=========================
+
+This is a security update to backport the fix for :doc:`../CVEs/CVE-2024-9427`
+to Koji 1.33.
+
+
+Migrating from Koji 1.33.x
+--------------------------
+
+No special actions are needed to migrate from earlier 1.33 point releases.
+
+
+Security Fixes
+--------------
+
+**web: XSS vulnerability**
+
+| CVE: :doc:`../CVEs/CVE-2024-9427`
+| Issue: https://pagure.io/koji/issue/4212
+
+An unsanitized input allows for an XSS attack. Javascript code from a malicious
+link could be reflected in the resulting web page. At present, we do not
+believe that this can be used to submit an action or make a change in Koji due
+to existing XSS protections in the code. Even so, this is a serious issue and
+we recommend applying this update promptly.
+
+
+Other Changes
+-------------
+
+There are no other significant changes in this release.
+All changes can be found in `the roadmap <https://pagure.io/koji/roadmap/1.33.2/>`_.
--- a/docs/source/release_notes/release_notes_1.34.3.rst
+++ b/docs/source/release_notes/release_notes_1.34.3.rst
@ -0,0 +1,34 @@
+
+Koji 1.34.3 Release notes
+=========================
+
+This is a security update to backport the fix for :doc:`../CVEs/CVE-2024-9427`
+to Koji 1.34.
+
+
+Migrating from Koji 1.34.x
+--------------------------
+
+No special actions are needed to migrate from earlier 1.34 point releases.
+
+
+Security Fixes
+--------------
+
+**web: XSS vulnerability**
+
+| CVE: :doc:`../CVEs/CVE-2024-9427`
+| Issue: https://pagure.io/koji/issue/4211
+
+An unsanitized input allows for an XSS attack. Javascript code from a malicious
+link could be reflected in the resulting web page. At present, we do not
+believe that this can be used to submit an action or make a change in Koji due
+to existing XSS protections in the code. Even so, this is a serious issue and
+we recommend applying this update promptly.
+
+
+Other Changes
+-------------
+
+There are no other significant changes in this release.
+All changes can be found in `the roadmap <https://pagure.io/koji/roadmap/1.34.3/>`_.
--- a/docs/source/release_notes/release_notes_1.35.1.rst
+++ b/docs/source/release_notes/release_notes_1.35.1.rst
@ -0,0 +1,34 @@
+
+Koji 1.35.1 Release notes
+=========================
+
+All changes can be found in `the roadmap <https://pagure.io/koji/roadmap/1.35.1/>`_.
+Most important changes are listed here.
+
+
+Migrating from Koji 1.35.0
+--------------------------
+
+No special actions are needed.
+
+
+Security Fixes
+--------------
+
+**web: XSS vulnerability**
+
+| CVE: :doc:`../CVEs/CVE-2024-9427`
+| Issue: https://pagure.io/koji/issue/4204
+
+An unsanitized input allows for an XSS attack. Javascript code from a malicious
+link could be reflected in the resulting web page. At present, we do not
+believe that this can be used to submit an action or make a change in Koji due
+to existing XSS protections in the code. Even so, this is a serious issue and
+we recommend applying this update promptly.
+
+
+Other Changes
+-------------
+
+There are no other significant changes in this release.
+All changes can be found in `the roadmap <https://pagure.io/koji/roadmap/1.35.1/>`_.