Bug#942146: koji: CVE-2019-17109

2020-01-25 Thread Moritz Mühlenhoff
On Thu, Jan 23, 2020 at 07:46:49PM +, Holger Levsen wrote:
> On Thu, Jan 23, 2020 at 08:42:03PM +0100, Moritz Muehlenhoff wrote:
> > Let's remove it in the upcoming stretch/buster point releases, then?
> 
> seems reasonable to me.

Can you please file RM bugs against release.debian.org? Typically it's
best if they are done by the maintainer.

Cheers,
Moritz



Bug#942146: koji: CVE-2019-17109

2020-01-23 Thread Holger Levsen
On Thu, Jan 23, 2020 at 08:42:03PM +0100, Moritz Muehlenhoff wrote:
> Let's remove it in the upcoming stretch/buster point releases, then?

seems reasonable to me.


-- 
cheers,
Holger

---
   holger@(debian|reproducible-builds|layer-acht).org
   PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C





Bug#942146: koji: CVE-2019-17109

2020-01-23 Thread Moritz Muehlenhoff
On Thu, Jan 23, 2020 at 04:37:15PM +, Holger Levsen wrote:
> Hi Salvatore,
> 
> On Sun, Jan 05, 2020 at 09:02:20PM +0100, Salvatore Bonaccorso wrote:
> > Any news on this issue? AFAICT, the issue is fixed as well in 1.16.3,
> > so the smaller jump should be possible. Once fixed in unstable, can
> > you address the issue as well via point release?
> 
> I think it's pointless to have 1.16.x in unstable and newer koji needs
> newer dnf (and some other stuff, iirc), which isn't packaged in Debian,
> so this is not as straightforward as it seems.
> 
> I'm also not sure there are many (or any?) users of koji from stable. If
> I were to use it, I would use koji from Fedora...
> https://qa.debian.org/popcon.php?package=koji seems to confirm this.

Let's remove it in the upcoming stretch/buster point releases, then?

Cheers,
Moritz



Bug#942146: koji: CVE-2019-17109

2020-01-23 Thread Holger Levsen
Hi Salvatore,

On Sun, Jan 05, 2020 at 09:02:20PM +0100, Salvatore Bonaccorso wrote:
> Any news on this issue? AFAICT, the issue is fixed as well in 1.16.3,
> so the smaller jump should be possible. Once fixed in unstable, can
> you address the issue as well via point release?

I think it's pointless to have 1.16.x in unstable and newer koji needs
newer dnf (and some other stuff, iirc), which isn't packaged in Debian,
so this is not as straightforward as it seems.

I'm also not sure there are many (or any?) users of koji from stable. If
I were to use it, I would use koji from Fedora...
https://qa.debian.org/popcon.php?package=koji seems to confirm this.


-- 
cheers,
Holger

---
   holger@(debian|reproducible-builds|layer-acht).org
   PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C





Bug#942146: koji: CVE-2019-17109

2020-01-05 Thread Salvatore Bonaccorso
Hi Holger!

On Thu, Oct 10, 2019 at 10:57:50PM +0200, Salvatore Bonaccorso wrote:
> The following vulnerability was published for koji.
> 
> CVE-2019-17109[0]:
> | Koji through 1.18.0 allows remote Directory Traversal, with resultant
> | Privilege Escalation.
> 
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2019-17109
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17109
> [1] https://pagure.io/koji/issue/1634
> [2] https://docs.pagure.org/koji/CVE-2019-17109/
> 
> Please adjust the affected versions in the BTS as needed.

Any news on this issue? AFAICT, the issue is fixed as well in 1.16.3,
so the smaller jump should be possible. Once fixed in unstable, can
you address the issue as well via point release? (I just have marked it
as no-dsa in the security-tracker now, but let us know if you disagree
and think we should release a DSA).

Regards,
Salvatore



Bug#942146: koji: CVE-2019-17109

2019-10-10 Thread Salvatore Bonaccorso
Source: koji
Version: 1.16.2-1
Severity: grave
Tags: security upstream
Justification: user security hole
Forwarded: https://pagure.io/koji/issue/1634

Hi,

The following vulnerability was published for koji.

CVE-2019-17109[0]:
| Koji through 1.18.0 allows remote Directory Traversal, with resultant
| Privilege Escalation.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-17109
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17109
[1] https://pagure.io/koji/issue/1634
[2] https://docs.pagure.org/koji/CVE-2019-17109/

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore