CVE-2019-17109 announcement text
parent 91d6f0b607
commit f2f3d19998
2 changed files with 50 additions and 0 deletions
49
docs/source/CVE-2019-17109.rst
Normal file
@ -0,0 +1,49 @@
==============
CVE-2019-17109
==============

Koji hub allows arbitrary upload destinations


Summary
-------

The way that the hub code validates upload paths allows for an attacker to
choose an arbitrary destination for the uploaded file.

Uploading still requires login. However, an attacker with credentials could
damage the integrity of the Koji system.

There is no known workaround. All Koji admins are encouraged to update to a
fixed version as soon as possible.



Bug fix
-------

We are releasing updates for each affected version of Koji to fix this bug.
The following releases all contain the fix:

- 1.18.1
- 1.17.1
- 1.16.3
- 1.15.3
- 1.14.3

Note: the legacy-py24 branch is unaffected since it is client-only (no hub).

For users who have customized their Koji code, we recommend rebasing your work
onto the appropriate update release. Please see Koji
`issue #1634 <https://pagure.io/koji/issue/1634>`_ for the code details.

As with all changes to hub code, you must restart httpd for the changes to
take effect.


Links
-----

Fixed versions can be found at our releases page:

https://pagure.io/koji/releases
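Review bot: the Bug fix section lists the releases that contain the fix, but the advisory never states which versions are affected; add an explicit line in the Summary (for example "Affected: all hub releases before the fixed versions listed below") so admins running an older or customized tree can tell at a glance whether they need to act. Two smaller points: the Summary says "The way that the hub code validates upload paths" without naming the hub call or module involved, so readers of a customized tree have to follow issue #1634 to learn what to patch; and since the text states that uploads require login, "There is no known workaround" could say whether auditing or limiting accounts that can authenticate to the hub reduces exposure until the update is applied. Style nit: three blank lines precede "Bug fix" where the other section breaks use two.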
@ -5,6 +5,7 @@ Koji CVEs
.. toctree::
:titlesonly:

CVE-2019-17109
CVE-2018-1002161
CVE-2018-1002150
CVE-2017-1002153
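Review bot: the new entry is placed first, which keeps the toctree in descending CVE order (2019-17109, 2018-1002161, 2018-1002150, 2017-1002153), and the entry name matches the basename of the new file docs/source/CVE-2019-17109.rst, so the page will resolve; nothing to change here.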