particle-os/debian-koji
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

release notes and cve doc

Browse source
This commit is contained in:
Mike McLean 2024-10-04 06:54:20 -04:00
parent 6629adff0e
commit c539dfc9a6
6 changed files with 148 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

42
docs/source/CVEs/CVE-2024-9427.rst Normal file
View file

@ -0,0 +1,42 @@
=============
CVE-2024-9427
=============
New XSS attack on kojiweb
Summary
-------
An unsanitized input allows for an XSS attack. Javascript code from a malicious
link could be reflected in the resulting web page. At present, we do not
believe that this can be used to submit an action or make a change in Koji due
to existing XSS protections in the code. Even so, this is a serious issue and
we recommend applying this update promptly.
Bug fix
-------
We are releasing updates for affected versions of Koji from within the
past year.
The following releases all contain the fix:
- 1.35.1
- 1.34.3
- 1.33.2
Anyone using a Koji version older than a year should update to a more
current version as soon as possible.
For users who have customized their Koji code, we recommend rebasing your work
onto the appropriate update release. Please see Koji
`issue #4204 <https://pagure.io/koji/issue/4204>`_ for the code details.
As with all changes to web code, you must restart httpd for the changes to
take effect.
Links
-----
Fixed versions can be found at our releases page:
https://pagure.io/koji/releases

1
docs/source/CVEs/CVEs.rst
View file

@ -5,6 +5,7 @@ Koji CVEs
.. toctree:: .. toctree::
:titlesonly: :titlesonly:
CVE-2024-9427
CVE-2020-15856 CVE-2020-15856
CVE-2019-17109 CVE-2019-17109
CVE-2018-1002161 CVE-2018-1002161

3
docs/source/release_notes/release_notes.rst
View file

@ -5,9 +5,12 @@ Release Notes
.. toctree:: .. toctree::
:maxdepth: 1 :maxdepth: 1
release_notes_1.35.1
release_notes_1.35 release_notes_1.35
release_notes_1.34.3
release_notes_1.34.1 release_notes_1.34.1
release_notes_1.34 release_notes_1.34
release_notes_1.33.2
release_notes_1.33.1 release_notes_1.33.1
release_notes_1.33 release_notes_1.33
release_notes_1.32.1 release_notes_1.32.1

34
docs/source/release_notes/release_notes_1.33.2.rst Normal file
View file

@ -0,0 +1,34 @@
Koji 1.33.2 Release notes
=========================
This is a security update to backport the fix for :doc:`../CVEs/CVE-2024-9427`
to Koji 1.33.
Migrating from Koji 1.33.x
--------------------------
No special actions are needed to migrate from earlier 1.33 point releases.
Security Fixes
--------------
**web: XSS vulnerability**
| CVE: :doc:`../CVEs/CVE-2024-9427`
| Issue: https://pagure.io/koji/issue/4212
An unsanitized input allows for an XSS attack. Javascript code from a malicious
link could be reflected in the resulting web page. At present, we do not
believe that this can be used to submit an action or make a change in Koji due
to existing XSS protections in the code. Even so, this is a serious issue and
we recommend applying this update promptly.
Other Changes
-------------
There are no other significant changes in this release.
All changes can be found in `the roadmap <https://pagure.io/koji/roadmap/1.33.2/>`_.

34
docs/source/release_notes/release_notes_1.34.3.rst Normal file
View file

@ -0,0 +1,34 @@
Koji 1.34.3 Release notes
=========================
This is a security update to backport the fix for :doc:`../CVEs/CVE-2024-9427`
to Koji 1.34.
Migrating from Koji 1.34.x
--------------------------
No special actions are needed to migrate from earlier 1.34 point releases.
Security Fixes
--------------
**web: XSS vulnerability**
| CVE: :doc:`../CVEs/CVE-2024-9427`
| Issue: https://pagure.io/koji/issue/4211
An unsanitized input allows for an XSS attack. Javascript code from a malicious
link could be reflected in the resulting web page. At present, we do not
believe that this can be used to submit an action or make a change in Koji due
to existing XSS protections in the code. Even so, this is a serious issue and
we recommend applying this update promptly.
Other Changes
-------------
There are no other significant changes in this release.
All changes can be found in `the roadmap <https://pagure.io/koji/roadmap/1.34.3/>`_.

34
docs/source/release_notes/release_notes_1.35.1.rst Normal file
View file

@ -0,0 +1,34 @@
Koji 1.35.1 Release notes
=========================
All changes can be found in `the roadmap <https://pagure.io/koji/roadmap/1.35.1/>`_.
Most important changes are listed here.
Migrating from Koji 1.35.0
--------------------------
No special actions are needed.
Security Fixes
--------------
**web: XSS vulnerability**
| CVE: :doc:`../CVEs/CVE-2024-9427`
| Issue: https://pagure.io/koji/issue/4204
An unsanitized input allows for an XSS attack. Javascript code from a malicious
link could be reflected in the resulting web page. At present, we do not
believe that this can be used to submit an action or make a change in Koji due
to existing XSS protections in the code. Even so, this is a serious issue and
we recommend applying this update promptly.
Other Changes
-------------
There are no other significant changes in this release.
All changes can be found in `the roadmap <https://pagure.io/koji/roadmap/1.35.1/>`_.