doc: Additional docs for CVE-CVE-2020-15856

Fixes: https://pagure.io/koji/issue/2707
2021-02-22 14:57:46 +01:00 · 2021-02-22 14:57:46 +01:00 · dc18c7e8c2
commit dc18c7e8c2
parent cc35903b96
2 changed files with 43 additions and 0 deletions
--- a/docs/source/CVEs/CVE-2020-15856.rst
+++ b/docs/source/CVEs/CVE-2020-15856.rst
@ -0,0 +1,42 @@
+==============
+CVE-2020-15856
+==============
+
+XSS attack on kojiweb
+
+Summary
+-------
+
+Web interface can be abused by XSS attack. Attackers can supply subversive HTTP
+links containing malicious javascript code. Such links were not controlled
+properly, so attackers can potentially force users to submit actions which were
+not intended. Some actions which can be done via web UI can be destructive, so
+updating to this version is highly recommended.
+
+Bug fix
+-------
+
+We are releasing updates for affected versions of Koji from within the
+past year.
+The following releases all contain the fix:
+
+- 1.23.1
+- 1.22.2
+- 1.21.2
+
+Anyone using a Koji version older than a year should update to a more
+current version as soon as possible.
+
+For users who have customized their Koji code, we recommend rebasing your work
+onto the appropriate update release. Please see Koji
+`issue #2645 <https://pagure.io/koji/issue/2645>`_ for the code details.
+
+As with all changes to web code, you must restart httpd for the changes to
+take effect.
+
+Links
+-----
+
+Fixed versions can be found at our releases page:
+
+    https://pagure.io/koji/releases
--- a/docs/source/CVEs/CVEs.rst
+++ b/docs/source/CVEs/CVEs.rst
@ -5,6 +5,7 @@ Koji CVEs
 .. toctree::
    :titlesonly:

+    CVE-2020-15856
    CVE-2019-17109
    CVE-2018-1002161
    CVE-2018-1002150