CVE-2018-1002161 announcement text

docs/source/CVE-2018-1002161.rst

@@ -0,0 +1,66 @@
+================
+CVE-2018-1002161
+================
+
+SQL injection in multiple remote calls
+
+.. toctree::
+    :hidden:
+
+    CVE-2018-1002161-FAQ
+
+
+Summary
+-------
+
+This is a critical security bug.
+
+Multiple xmlrpc call handlers in Koji’s hub code contain SQL injection bugs. By
+passing carefully constructed arguments to these calls, an unauthenticated user
+can issue arbitrary SQL commands to Koji’s database. This gives the attacker
+broad ability to manipulate or destroy data.
+
+There is no known workaround. All Koji admins are encouraged to update to a
+fixed version as soon as possible.
+
+
+
+Bug fix
+-------
+
+Note: because code fixes can take time to deploy, we recommend
+that all admins shut down their Koji hub instances until the fix
+can be applied.
+
+We are releasing updates for several recent versions of Koji to fix this
+bug. The following `releases <https://pagure.io/koji/releases>`_ all
+contain the fix:
+
+-  1.16.2
+-  1.15.2
+-  1.14.2
+-  1.13.2
+-  1.12.2
+-  1.11.1
+
+Note: the legacy-py24 branch is unaffected since it
+is client-only (no hub).
+
+For users who have customized their Koji code, we recommend rebasing
+your work onto the appropriate update release. If this is not feasible,
+the patch should be very easy to apply. Please see `issue
+#1183 <https://pagure.io/koji/issue/1183>`_ for the code details.
+
+As with all changes to hub code, you must restart httpd for the changes
+to take effect.
+
+Links
+-----
+
+Fixed versions can be found at our releases page:
+
+    https://pagure.io/koji/releases
+
+Questions and answers about this issue
+
+    :doc:`CVE-2018-1002161-FAQ`