Bug#942146: koji: CVE-2019-17109

Salvatore Bonaccorso carnil at debian.org
Sun Jan 5 20:02:20 GMT 2020


Hi Holger!

On Thu, Oct 10, 2019 at 10:57:50PM +0200, Salvatore Bonaccorso wrote:
> The following vulnerability was published for koji.
> 
> CVE-2019-17109[0]:
> | Koji through 1.18.0 allows remote Directory Traversal, with resultant
> | Privilege Escalation.
> 
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2019-17109
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17109
> [1] https://pagure.io/koji/issue/1634
> [2] https://docs.pagure.org/koji/CVE-2019-17109/
> 
> Please adjust the affected versions in the BTS as needed.

Any news on this issue? AFAICT, the issue is fixed as well in 1.16.3,
so the smaller jump should be possible. Once fixed in unstable, can
you address the issue as well via point release? (I have just marked it
as no-dsa in the security-tracker now, but let us know if you disagree
and think we should release a DSA).

Regards,
Salvatore
