debian-koji/docs/source/CVEs/CVE-2018-1002150-FAQ.rst
2019-11-07 11:31:54 -05:00


========================
FAQ for CVE-2018-1002150
========================
Following are answers to some questions regarding CVE-2018-1002150
for Koji. If you haven't already, you should read the
:doc:`announcement <CVE-2018-1002150>`.

If you have questions not covered here or in the announcement, please
ask them on the koji-devel mailing list:
https://lists.fedorahosted.org/archives/list/koji-devel@lists.fedorahosted.org/

Q: Does this issue affect Koji clients or builders?

The issue only affects the Koji hub.

Q: How can I tell if I've been attacked?

We don't know of any exploits in the wild. However, to be
safe, we will release an intrusion detection document in a few
days.

Q: Where are the fixed versions?

| Koji versions before 1.12.0 are unaffected
| For Koji 1.12, 1.12.1 and higher includes the fix
| For Koji 1.13, 1.13.1 and higher includes the fix
| For Koji 1.14, 1.14.1 and higher includes the fix
| For Koji 1.15, 1.15.1 and higher includes the fix
| Koji 1.16.0 and higher will include the fix

You can find all of these versions on our releases page:
https://pagure.io/koji/releases

Q: What about versions before 1.12.0?

Koji versions before 1.12.0 are unaffected (they don't have the dist-repo
feature). However, it would be wise to update your system to the current
version.
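
The two answers above give the fix status per Koji branch. The following
is an added helper, not part of the Koji project or this FAQ, that encodes
that table so an administrator can check a hub version string against it;
the version strings passed in are constructed samples, and the handling of
a trailing release suffix (e.g. ``-1.fc28``) is an assumption about how a
hub reports its version.

```python
import re

# Fix status for CVE-2018-1002150, taken from the FAQ above: branches before
# 1.12 never had the dist-repo feature; each affected 1.1x branch was fixed
# in its .1 release; 1.16.0 and later ship the fix.
FIRST_AFFECTED = (1, 12, 0)
FIXED_BY_BRANCH = {
    (1, 12): (1, 12, 1),
    (1, 13): (1, 13, 1),
    (1, 14): (1, 14, 1),
    (1, 15): (1, 15, 1),
}
FIXED_FROM = (1, 16, 0)


def parse_version(text):
    """Turn a version string such as '1.14.0' into a 3-tuple of ints.

    A trailing release suffix (e.g. '1.14.0-1.fc28') is ignored
    (assumption); a missing patch component is treated as 0.
    """
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError("unrecognised koji version: %r" % text)
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def status(text):
    """Return 'unaffected', 'vulnerable' or 'fixed' for a hub version."""
    v = parse_version(text)
    if v < FIRST_AFFECTED:
        return "unaffected"          # no dist-repo feature at all
    if v >= FIXED_FROM:
        return "fixed"               # 1.16.0 and later
    fixed_at = FIXED_BY_BRANCH.get(v[:2])
    if fixed_at is not None and v >= fixed_at:
        return "fixed"               # the branch's .1 (or later) release
    return "vulnerable"


if __name__ == "__main__":
    # Constructed sample inputs, one per branch discussed in the FAQ.
    for ver in ["1.11.0", "1.12.0", "1.12.1", "1.14.0-1.fc28", "1.15.1", "1.16.0"]:
        print(ver, status(ver))
```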

Q: What can be done with this exploit?

The attacker can trick Koji into moving files around. These can be
almost any files that the httpd user can write. The attacker could
use this to corrupt Koji's file store or to reveal any secret files
that the httpd user can read.

Q: Can the attacker execute arbitrary code?

Not that we know of.

Q: Where can I get more help?

You can ask questions on the koji-devel mailing list
(`koji-devel@fedorahosted.org <mailto:koji-devel@fedorahosted.org>`_).
For real-time communication, we have the #koji IRC channel on
`Freenode <https://freenode.net/>`_.
The best time to ask would be during the Koji devel team
“office hours”, which are held each Tuesday and Thursday from
10-11am Eastern time.