Koji 1.19.0 is out. Thanks to everyone who contributed!
You can read the release notes here:
https://docs.pagure.org/koji/release_notes_1.19/
Highlights:
* Support multiple realms in Kerberos auth
* GSSAPI authentication checks the Kerberos principal
* Add cronjob for sessions table maintenance
* Rework update of reserved builds
* Add listCG RPC
* Add user edit command
* Show inheritance flags in list-tag-inheritance output
You can view the 1.19 roadmap at https://pagure.io/koji/roadmap/1.19/
For the current roadmap, see https://pagure.io/koji/roadmap
You can download this and other releases at https://pagure.io/koji/releases
CVE-2019-17109
koji hub allows arbitrary upload destinations
Summary
The way that the hub code validates upload paths allows for an attacker to
choose an arbitrary destination for the uploaded file.
Uploading still requires login. However, an attacker with credentials could
damage the integrity of the Koji system.
There is no known workaround. All Koji admins are encouraged to update to a
fixed version as soon as possible.
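For readers maintaining their own hub code, the class of bug described above is a server-side path containment failure: the hub must treat the client-supplied upload path as untrusted and refuse anything that resolves outside the configured upload directory. The following is an added illustration of such a check, written for this note; it is not Koji's own code and not the actual fix referenced in issue 1634. UPLOAD_ROOT, SAMPLE_PATHS and the function names are assumptions, and the sample paths are constructed.

```python
import os
import posixpath

# Hypothetical upload root; a real hub would take this from its configuration.
UPLOAD_ROOT = "/srv/koji-upload-demo"


class UploadPathError(ValueError):
    """Raised when a client-supplied upload path cannot be accepted."""


def safe_upload_path(base_dir, relpath):
    """Return the absolute destination for *relpath* inside *base_dir*.

    The client controls *relpath*; the server controls *base_dir*.  Reject
    everything that could place the file anywhere but strictly below base_dir:
    empty paths, NUL bytes, absolute paths, '.' / '..' / empty components, and
    (via realpath) parent directories that are symlinks pointing elsewhere.
    """
    if not isinstance(relpath, str) or not relpath:
        raise UploadPathError("upload path must be a non-empty string")
    if "\x00" in relpath:
        raise UploadPathError("NUL byte in upload path")
    if posixpath.isabs(relpath):
        raise UploadPathError("absolute upload path not allowed: %r" % relpath)
    for part in relpath.split("/"):
        if part in ("", ".", ".."):
            raise UploadPathError("bad path component %r in %r" % (part, relpath))

    base = os.path.realpath(base_dir)
    dest = os.path.realpath(os.path.join(base, relpath))
    # Final containment check: even if every component looked harmless,
    # a symlinked subdirectory could redirect the write outside base_dir.
    if os.path.commonpath([base, dest]) != base:
        raise UploadPathError("upload path escapes %r: %r" % (base_dir, relpath))
    return dest


def is_safe_upload_path(base_dir, relpath):
    """Boolean convenience wrapper around safe_upload_path()."""
    try:
        safe_upload_path(base_dir, relpath)
    except UploadPathError:
        return False
    return True


# Constructed sample inputs (not taken from the advisory) with the expected verdict.
SAMPLE_PATHS = {
    "cli-build/1570000000.123/hello-1.0-1.src.rpm": True,
    "tasks/42/build.log": True,
    "../outside/file": False,
    "tasks/../../outside/file": False,
    "/tmp/absolute-destination": False,
    "tasks//double-slash": False,
    "tasks/./dot-component": False,
    "": False,
    "tasks/nul\x00byte": False,
}


def check_samples(base_dir=UPLOAD_ROOT):
    """Run every constructed sample through the validator; returns {path: verdict}."""
    return {p: is_safe_upload_path(base_dir, p) for p in SAMPLE_PATHS}


if __name__ == "__main__":
    for path, verdict in check_samples().items():
        print("%-50r %s" % (path, "accepted" if verdict else "rejected"))
```

The component check alone is not sufficient, which is why the realpath/commonpath containment test comes last: it catches destinations that look well-formed but resolve elsewhere through a symlink under the upload root.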
Bug fix
We are releasing updates for each affected version of Koji to fix this bug.
The following releases <https://pagure.io/koji/releases> all contain the
fix:
- 1.18.1
- 1.17.1
- 1.16.3
- 1.15.3
- 1.14.3
Note: the legacy-py24 branch is unaffected since it is client-only (no hub).
For users who have customized their Koji code, we recommend rebasing your
work onto the appropriate update release. Please see Koji issue 1634
<https://pagure.io/koji/issue/1634> for the code details.
As with all changes to hub code, you must restart httpd for the changes to
take effect.
Links
Fixed versions can be found at our releases page:
https://pagure.io/koji/releases