==============
CVE-2020-15856
==============

XSS attack on kojiweb

Summary
-------

The kojiweb interface can be abused by an XSS attack. Attackers can supply
crafted HTTP links containing malicious JavaScript code. Such links were not
validated properly, so attackers could potentially trick users into submitting
actions they did not intend. Some actions available via the web UI can be
destructive, so updating to a fixed version is highly recommended.

Bug fix
-------

We are releasing updates for affected versions of Koji from within the past
year. The following releases all contain the fix:

- 1.23.1
- 1.22.2
- 1.21.2

Anyone using a Koji version older than a year should update to a more
current version as soon as possible.

For users who have customized their Koji code, we recommend rebasing your work
onto the appropriate update release. Please see Koji
`issue #2645 <https://pagure.io/koji/issue/2645>`_ for the code details.

As with all changes to web code, you must restart httpd for the changes to
take effect.

Links
-----

Fixed versions can be found at our releases page:

    https://pagure.io/koji/releases