From c539dfc9a6780e21915b10f2c85c8aed6b9463ad Mon Sep 17 00:00:00 2001 From: Mike McLean Date: Fri, 4 Oct 2024 06:54:20 -0400 Subject: [PATCH] release notes and cve doc --- docs/source/CVEs/CVE-2024-9427.rst | 42 +++++++++++++++++++ docs/source/CVEs/CVEs.rst | 1 + docs/source/release_notes/release_notes.rst | 3 ++ .../release_notes/release_notes_1.33.2.rst | 34 +++++++++++++++ .../release_notes/release_notes_1.34.3.rst | 34 +++++++++++++++ .../release_notes/release_notes_1.35.1.rst | 34 +++++++++++++++ 6 files changed, 148 insertions(+) create mode 100644 docs/source/CVEs/CVE-2024-9427.rst create mode 100644 docs/source/release_notes/release_notes_1.33.2.rst create mode 100644 docs/source/release_notes/release_notes_1.34.3.rst create mode 100644 docs/source/release_notes/release_notes_1.35.1.rst diff --git a/docs/source/CVEs/CVE-2024-9427.rst b/docs/source/CVEs/CVE-2024-9427.rst new file mode 100644 index 00000000..06a24cd0 --- /dev/null +++ b/docs/source/CVEs/CVE-2024-9427.rst @@ -0,0 +1,42 @@ +============= +CVE-2024-9427 +============= + +New XSS attack on kojiweb + +Summary +------- + +An unsanitized input allows for an XSS attack. Javascript code from a malicious +link could be reflected in the resulting web page. At present, we do not +believe that this can be used to submit an action or make a change in Koji due +to existing XSS protections in the code. Even so, this is a serious issue and +we recommend applying this update promptly. + +Bug fix +------- + +We are releasing updates for affected versions of Koji from within the +past year. +The following releases all contain the fix: + +- 1.35.1 +- 1.34.3 +- 1.33.2 + +Anyone using a Koji version older than a year should update to a more +current version as soon as possible. + +For users who have customized their Koji code, we recommend rebasing your work +onto the appropriate update release. Please see Koji +`issue #4204 `_ for the code details. + +As with all changes to web code, you must restart httpd for the changes to +take effect. + +Links +----- + +Fixed versions can be found at our releases page: + + https://pagure.io/koji/releases diff --git a/docs/source/CVEs/CVEs.rst b/docs/source/CVEs/CVEs.rst index b746f273..e25fba30 100644 --- a/docs/source/CVEs/CVEs.rst +++ b/docs/source/CVEs/CVEs.rst @@ -5,6 +5,7 @@ Koji CVEs .. toctree:: :titlesonly: + CVE-2024-9427 CVE-2020-15856 CVE-2019-17109 CVE-2018-1002161 diff --git a/docs/source/release_notes/release_notes.rst b/docs/source/release_notes/release_notes.rst index a4f06f12..742420b1 100644 --- a/docs/source/release_notes/release_notes.rst +++ b/docs/source/release_notes/release_notes.rst @@ -5,9 +5,12 @@ Release Notes .. toctree:: :maxdepth: 1 + release_notes_1.35.1 release_notes_1.35 + release_notes_1.34.3 release_notes_1.34.1 release_notes_1.34 + release_notes_1.33.2 release_notes_1.33.1 release_notes_1.33 release_notes_1.32.1 diff --git a/docs/source/release_notes/release_notes_1.33.2.rst b/docs/source/release_notes/release_notes_1.33.2.rst new file mode 100644 index 00000000..1ee55958 --- /dev/null +++ b/docs/source/release_notes/release_notes_1.33.2.rst @@ -0,0 +1,34 @@ + +Koji 1.33.2 Release notes +========================= + +This is a security update to backport the fix for :doc:`../CVEs/CVE-2024-9427` +to Koji 1.33. + + +Migrating from Koji 1.33.x +-------------------------- + +No special actions are needed to migrate from earlier 1.33 point releases. + + +Security Fixes +-------------- + +**web: XSS vulnerability** + +| CVE: :doc:`../CVEs/CVE-2024-9427` +| Issue: https://pagure.io/koji/issue/4212 + +An unsanitized input allows for an XSS attack. Javascript code from a malicious +link could be reflected in the resulting web page. At present, we do not +believe that this can be used to submit an action or make a change in Koji due +to existing XSS protections in the code. Even so, this is a serious issue and +we recommend applying this update promptly. + + +Other Changes +------------- + +There are no other significant changes in this release. +All changes can be found in `the roadmap `_. diff --git a/docs/source/release_notes/release_notes_1.34.3.rst b/docs/source/release_notes/release_notes_1.34.3.rst new file mode 100644 index 00000000..30c5dbd2 --- /dev/null +++ b/docs/source/release_notes/release_notes_1.34.3.rst @@ -0,0 +1,34 @@ + +Koji 1.34.3 Release notes +========================= + +This is a security update to backport the fix for :doc:`../CVEs/CVE-2024-9427` +to Koji 1.34. + + +Migrating from Koji 1.34.x +-------------------------- + +No special actions are needed to migrate from earlier 1.34 point releases. + + +Security Fixes +-------------- + +**web: XSS vulnerability** + +| CVE: :doc:`../CVEs/CVE-2024-9427` +| Issue: https://pagure.io/koji/issue/4211 + +An unsanitized input allows for an XSS attack. Javascript code from a malicious +link could be reflected in the resulting web page. At present, we do not +believe that this can be used to submit an action or make a change in Koji due +to existing XSS protections in the code. Even so, this is a serious issue and +we recommend applying this update promptly. + + +Other Changes +------------- + +There are no other significant changes in this release. +All changes can be found in `the roadmap `_. diff --git a/docs/source/release_notes/release_notes_1.35.1.rst b/docs/source/release_notes/release_notes_1.35.1.rst new file mode 100644 index 00000000..9b26afa1 --- /dev/null +++ b/docs/source/release_notes/release_notes_1.35.1.rst @@ -0,0 +1,34 @@ + +Koji 1.35.1 Release notes +========================= + +All changes can be found in `the roadmap `_. +Most important changes are listed here. + + +Migrating from Koji 1.35.0 +-------------------------- + +No special actions are needed. + + +Security Fixes +-------------- + +**web: XSS vulnerability** + +| CVE: :doc:`../CVEs/CVE-2024-9427` +| Issue: https://pagure.io/koji/issue/4204 + +An unsanitized input allows for an XSS attack. Javascript code from a malicious +link could be reflected in the resulting web page. At present, we do not +believe that this can be used to submit an action or make a change in Koji due +to existing XSS protections in the code. Even so, this is a serious issue and +we recommend applying this update promptly. + + +Other Changes +------------- + +There are no other significant changes in this release. +All changes can be found in `the roadmap `_.