=============
CVE-2024-9427
=============

New XSS attack on kojiweb

Summary
-------

An unsanitized input allows for an XSS attack. JavaScript code from a malicious
link could be reflected in the resulting web page. At present, we do not
believe that this can be used to submit an action or make a change in Koji due
to existing XSS protections in the code. Even so, this is a serious issue and
we recommend applying this update promptly.
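
The class of bug described above, reflected XSS, comes down to a request parameter being copied into the response HTML without escaping. The following is an added illustration, not kojiweb's code and not the actual flaw fixed in issue #4204: the parameter name ``terms``, the page layout and the host name are constructed for the demo. It shows the unsafe rendering beside the escaped version, plus a small check that a unit test can apply to any view that echoes request data.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed page skeleton (assumption, not kojiweb's template).
PAGE_TEMPLATE = "<html><body><h1>Search results for: {}</h1></body></html>"


def render_unsafe(query_string: str) -> str:
    """Vulnerable form: the request parameter is dropped into HTML verbatim.

    Anything the link carries in ``terms`` is parsed by the browser as markup.
    """
    params = parse_qs(query_string, keep_blank_values=True)
    terms = params.get("terms", [""])[0]
    return PAGE_TEMPLATE.format(terms)


def render_escaped(query_string: str) -> str:
    """Hardened form: HTML-escape the parameter before it enters the page.

    html.escape() with quote=True turns & < > " and ' into entities, so the
    browser renders the value as text instead of interpreting it as markup.
    """
    params = parse_qs(query_string, keep_blank_values=True)
    terms = params.get("terms", [""])[0]
    return PAGE_TEMPLATE.format(html.escape(terms, quote=True))


def reflects_markup(page: str, value: str) -> bool:
    """Detection check: does the raw, unescaped value survive into the page?

    If the literal markup is still present in the response, the view is not
    escaping its output.  Use this in tests for every view that echoes input.
    """
    return value in page


def query_from_url(url: str) -> str:
    """Extract the query string from a full URL (demo helper)."""
    return urlsplit(url).query


if __name__ == "__main__":
    # Constructed link: a harmless marker tag stands in for a hostile payload.
    link = "https://koji.example.invalid/koji/search?terms=<b id=marker>x</b>"
    qs = query_from_url(link)
    print("unsafe  :", render_unsafe(qs))
    print("escaped :", render_escaped(qs))
    print("unsafe reflects markup :", reflects_markup(render_unsafe(qs), "<b id=marker>"))
    print("escaped reflects markup:", reflects_markup(render_escaped(qs), "<b id=marker>"))
```

The escaped form is the correct default for any value that originates in the request; template engines with autoescaping do the same thing, but a view that builds HTML by hand, or that marks a string as "safe" without escaping it first, reintroduces exactly this pattern.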

Bug fix
-------

We are releasing updates for affected versions of Koji from within the
past year. The following releases all contain the fix:

- 1.35.1
- 1.34.3
- 1.33.2

Anyone using a Koji version older than a year should update to a more
current version as soon as possible.

For users who have customized their Koji code, we recommend rebasing your work
onto the appropriate update release. Please see Koji
`issue #4204 <https://pagure.io/koji/issue/4204>`_ for the code details.

As with all changes to web code, you must restart httpd for the changes to
take effect.
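
For an administrator with several Koji hubs, the practical question is which hosts still run a version without the fix. The helper below is an added example, not part of Koji: it encodes the three fixed releases listed above and compares an installed version against its own release line. Two things are assumptions rather than statements of the advisory: release lines newer than 1.35 are treated as carrying the fix, and a trailing package suffix such as ``-1.fc40`` is tolerated when parsing.

```python
# Fixed releases from this advisory, keyed by release line (major, minor).
FIXED_RELEASES = {
    (1, 33): (1, 33, 2),
    (1, 34): (1, 34, 3),
    (1, 35): (1, 35, 1),
}


def parse_version(text):
    """'1.34.3' -> (1, 34, 3).

    A missing patch component is read as 0 ('1.34' -> (1, 34, 0)) and a
    package-style suffix after '-' is ignored (assumed format, e.g. '1.34.3-1.fc40').
    """
    core = text.strip().split("-", 1)[0]
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_fixed(version_text):
    """True when the version is at or above the fixed release of its line."""
    version = parse_version(version_text)
    line = version[:2]
    if line in FIXED_RELEASES:
        return version >= FIXED_RELEASES[line]
    # Assumption: lines newer than the newest fixed line carry the fix.
    # Lines older than those listed are outside the one-year update window
    # and are reported as needing an update.
    return line > max(FIXED_RELEASES)


def triage(inventory):
    """inventory: {hostname: installed version}; returns hosts needing an update."""
    return sorted(host for host, ver in inventory.items() if not is_fixed(ver))


if __name__ == "__main__":
    # Constructed inventory for the demo.
    hosts = {
        "hub-a": "1.35.1",
        "hub-b": "1.34.2",
        "hub-c": "1.33.2-1.fc40",
        "hub-d": "1.32.4",
    }
    print("needs update:", triage(hosts))
```

After updating a flagged host, remember that the new kojiweb code is only served once httpd has been restarted, as the section above notes.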

Links
-----

Fixed versions can be found at our releases page:

https://pagure.io/koji/releases