==============
CVE-2019-17109
==============

Koji hub allows arbitrary upload destinations

Summary
-------

The way that the hub code validates upload paths allows an attacker to
choose an arbitrary destination for the uploaded file.

Uploading still requires login. However, an attacker with credentials could
damage the integrity of the Koji system.

There is no known workaround. All Koji admins are encouraged to update to a
fixed version as soon as possible.

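The summary names upload-path validation as the point of failure. The following is an added illustration, not Koji's own hub code, of the confinement test an upload handler needs: a lexical check that rejects absolute paths and ``..`` components and then confirms the normalised destination still lies under the upload root, plus a variant that resolves symlinks for roots that already exist on disk. The ``/srv/uploads`` root, the file names and the throw-away directory in ``demo_symlink_rejected`` are all constructed for the example.

```python
import os
import tempfile
from pathlib import PurePosixPath


class UnsafeUploadPath(ValueError):
    """Raised when a client-supplied upload path would leave the upload root."""


def safe_upload_destination(upload_root: str, client_path: str) -> str:
    """Return the absolute on-disk destination for a client-chosen relative
    path, confined to upload_root by purely lexical rules.

    The client may only name a relative path made of ordinary components:
    no absolute paths, no NUL bytes, no '..' segments and no empty result.
    """
    if not client_path or "\x00" in client_path:
        raise UnsafeUploadPath("empty path or NUL byte")
    p = PurePosixPath(client_path)
    if p.is_absolute():
        raise UnsafeUploadPath("absolute paths are not allowed")
    # PurePosixPath already collapses '.' and repeated slashes, but keeps '..'.
    if not p.parts:
        raise UnsafeUploadPath("path names no file")
    for part in p.parts:
        # Backslashes are legal in POSIX file names, but rejecting them avoids
        # surprises if the same check is ever run on a Windows host.
        if part == ".." or "\\" in part:
            raise UnsafeUploadPath("illegal path component %r" % part)
    root = os.path.abspath(upload_root)
    dest = os.path.normpath(os.path.join(root, *p.parts))
    # Belt and braces: after normalisation the result must still sit under root.
    if os.path.commonpath([root, dest]) != root:
        raise UnsafeUploadPath("destination escapes the upload root")
    return dest


def safe_upload_destination_resolved(upload_root: str, client_path: str) -> str:
    """Lexical check plus symlink resolution, for an upload root that exists.

    A '..'-free path can still leave the root through a symlink planted inside
    it, so resolve both sides and compare again before opening the file.
    """
    dest = safe_upload_destination(upload_root, client_path)
    root_real = os.path.realpath(upload_root)
    dest_real = os.path.realpath(dest)
    if os.path.commonpath([root_real, dest_real]) != root_real:
        raise UnsafeUploadPath("destination resolves outside the upload root")
    return dest_real


def is_rejected(upload_root: str, client_path: str) -> bool:
    """True if the lexical check refuses client_path for upload_root."""
    try:
        safe_upload_destination(upload_root, client_path)
    except UnsafeUploadPath:
        return True
    return False


def demo_symlink_rejected() -> bool:
    """Build a throw-away upload root holding a symlink that points outside it
    (constructed for this example) and show that only the resolving check
    refuses to write through the link.  Returns True when it behaves."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "uploads")
        outside = os.path.join(tmp, "outside")
        os.makedirs(root)
        os.makedirs(outside)
        os.symlink(outside, os.path.join(root, "escape"))
        # Lexically "escape/file.rpm" looks fine, so the first check accepts it...
        if not safe_upload_destination(root, "escape/file.rpm").startswith(root):
            return False
        # ...but the resolving check sees the link target and refuses.
        try:
            safe_upload_destination_resolved(root, "escape/file.rpm")
        except UnsafeUploadPath:
            return True
        return False


if __name__ == "__main__":
    print(safe_upload_destination("/srv/uploads", "work/tasks/1/pkg.rpm"))
    for bad in ("/etc/passwd", "../outside.rpm", "work/../../x", ".", ""):
        print(repr(bad), "rejected:", is_rejected("/srv/uploads", bad))
    print("symlink escape rejected:", demo_symlink_rejected())
```

The lexical check is what a hub can apply to any client-supplied name before touching the disk; the resolving variant is the one to call right before the file is opened, since it is the only one that accounts for what already exists under the root.
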
Bug fix
-------

We are releasing updates for affected versions of Koji from within the
past two years.
The following releases all contain the fix:

- 1.18.1
- 1.17.1
- 1.16.3
- 1.15.3
- 1.14.3

Note: the legacy-py24 branch is unaffected since it is client-only (no hub).

Anyone using a Koji version older than two years should update to a more
current version as soon as possible.

For users who have customized their Koji code, we recommend rebasing your work
onto the appropriate update release. Please see Koji
`issue #1634 <https://pagure.io/koji/issue/1634>`_ for the code details.

As with all changes to hub code, you must restart httpd for the changes to
take effect.

Links
-----

Fixed versions can be found at our releases page:

https://pagure.io/koji/releases