================
CVE-2018-1002161
================

SQL injection in multiple remote calls

.. toctree::
   :hidden:

   CVE-2018-1002161-FAQ


Summary
-------

This is a critical security bug.

Multiple xmlrpc call handlers in Koji’s hub code contain SQL injection bugs. By
passing carefully constructed arguments to these calls, an unauthenticated user
can issue arbitrary SQL commands to Koji’s database. This gives the attacker
broad ability to manipulate or destroy data.

There is no known workaround. All Koji admins are encouraged to update to a
fixed version as soon as possible.


Bug fix
-------

Note: because code fixes can take time to deploy, we recommend
that all admins shut down their Koji hub instances until the fix
can be applied.

We are releasing updates for several recent versions of Koji to fix this
bug. The following `releases <https://pagure.io/koji/releases>`_ all
contain the fix:

- 1.16.2
- 1.15.2
- 1.14.2
- 1.13.2
- 1.12.2
- 1.11.1

Note: the legacy-py24 branch is unaffected since it
is client-only (no hub).

For users who have customized their Koji code, we recommend rebasing
your work onto the appropriate update release. If this is not feasible,
the patch should be very easy to apply. Please see `issue
#1183 <https://pagure.io/koji/issue/1183>`_ for the code details.

As with all changes to hub code, you must restart httpd for the changes
to take effect.


Links
-----

Fixed versions can be found at our releases page:

https://pagure.io/koji/releases

Questions and answers about this issue:

:doc:`CVE-2018-1002161-FAQ`