========================
FAQ for CVE-2018-1002150
========================

The following are answers to some questions regarding CVE-2018-1002150
for Koji. If you haven’t already, you should read the
:doc:`announcement <CVE-2018-1002150>`.

If you have questions not covered here or in the announcement, please
ask them on the koji-devel mailing list.

    https://lists.fedorahosted.org/archives/list/koji-devel@lists.fedorahosted.org/

Q: Does this issue affect Koji clients or builders?

    The issue only affects the Koji hub.

Q: How can I tell if I’ve been attacked?

    We don’t know of any exploits in the wild. However, to be
    safe, we will release an intrusion detection document in a few
    days.

Q: Where are the fixed versions?

    | Koji versions before 1.12.0 are unaffected
    | For the Koji 1.12 series, 1.12.1 and higher include the fix
    | For the Koji 1.13 series, 1.13.1 and higher include the fix
    | For the Koji 1.14 series, 1.14.1 and higher include the fix
    | For the Koji 1.15 series, 1.15.1 and higher include the fix
    | Koji 1.16.0 and higher will include the fix

    You can find all of these versions on our releases page:

    https://pagure.io/koji/releases

Q: What about versions before 1.12.0?

    Koji versions before 1.12.0 are unaffected (they don't have the dist-repo
    feature). However, it would be wise to update your system to the current
    version.

Q: What can be done with this exploit?

    The attacker can trick Koji into moving files around. These can be
    almost any file that the httpd user can write. The attacker could
    use this to corrupt Koji’s file store or to reveal any secret files
    that the httpd user can read.

Q: Can the attacker execute arbitrary code?

    Not that we know of.

Q: Where can I get more help?

    You can ask questions on the koji-devel mailing list
    (`koji-devel@fedorahosted.org <mailto:koji-devel@fedorahosted.org>`_).

    For real-time communication, we have the #koji IRC channel on
    `Freenode <https://freenode.net/>`_.
    The best time to ask would be during the Koji devel team
    “office hours”, which are held each Tuesday and Thursday from
    10-11am Eastern time.