particle-os/debian-koji
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
debian-koji/docs/source/CVEs/CVE-2018-1002161-FAQ.rst
Tomas Kopecek 989829eb79 split docs to subdirectories 
Fixes: https://pagure.io/koji/issue/1715
2019-11-07 11:31:54 -05:00

65 lines
2.3 KiB
ReStructuredText
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

========================
FAQ for CVE-2018-1002161
========================
Following are answers to some questions regarding CVE-2018-1002161
for Koji. If you havent already, you should read the
:doc:`announcement <CVE-2018-1002161>`.
If you have questions not covered here or in the announcement, please
ask them on the koji-devel mailing list.
https://lists.fedorahosted.org/archives/list/koji-devel@lists.fedorahosted.org/
Q: Does this issue affect Koji clients or builders?
The issue only affects the Koji hub.
Q: Which versions of Koji are affected?
All previous versions of Koji are affected, except for the legacy-py24
branch because it contains no hub code.
Q: Where are the fixed versions?
| For Koji 1.11, 1.11.1 and higher include the fix
| For Koji 1.12, 1.12.2 and higher include the fix
| For Koji 1.13, 1.13.2 and higher include the fix
| For Koji 1.14, 1.14.2 and higher include the fix
| For Koji 1.15, 1.15.2 and higher include the fix
| For Koji 1.16.2 and higher include the fix
You can find all of these versions on our releases page:
https://pagure.io/koji/releases
Q: What about older versions?
We have only backported the fix to Koji versions released in the past few
years. If you are still using a very old version of Koji, we strongly
recommend that you shut it down and migrate to a newer version.
Q: What can be done with this exploit?
The attacker can directly manipulate the database as they see fit. This
would, among other things, allow them to gain the admin permission within
Koji. They could destroy or corrupt the database, add new builds, replace
existing builds, or any number of other things.
Q: Can the attacker execute arbitrary code?
On the hub, not that we know of.
However, they could create arbitrary tasks, which would be run by the build
hosts.
Q: Where can I get more help?
You can ask questions on the koji-devel mailing list
(`koji-devel@fedorahosted.org <mailto:koji-devel@fedorahosted.org>`_).
For real time communication, we have the #koji IRC channel on
`Freenode <https://freenode.net/>`_.
The best time to ask would be during the Koji devel team
“office hours”, which are held each Tuesday and Thursday from
10-11am eastern time.
Reference in a new issue View git blame Copy permalink