================
CVE-2018-1002161
================

SQL injection in multiple remote calls

.. toctree::
    :hidden:

    CVE-2018-1002161-FAQ


Summary
-------

This is a critical security bug.

Multiple xmlrpc call handlers in Koji’s hub code contain SQL injection bugs. By
passing carefully constructed arguments to these calls, an unauthenticated user
can issue arbitrary SQL commands to Koji’s database. This gives the attacker
broad ability to manipulate or destroy data.

There is no known workaround. All Koji admins are encouraged to update to a
fixed version as soon as possible.



Bug fix
-------

Note: because code fixes can take time to deploy, we recommend
that all admins shut down their Koji hub instances until the fix
can be applied.

We are releasing updates for several recent versions of Koji to fix this
bug. The following `releases <https://pagure.io/koji/releases>`_ all
contain the fix:

-  1.16.2
-  1.15.2
-  1.14.2
-  1.13.2
-  1.12.2
-  1.11.1

Note: the legacy-py24 branch is unaffected since it
is client-only (no hub).

For users who have customized their Koji code, we recommend rebasing
your work onto the appropriate update release. If this is not feasible,
the patch should be very easy to apply. Please see `issue
#1183 <https://pagure.io/koji/issue/1183>`_ for the code details.

As with all changes to hub code, you must restart httpd for the changes
to take effect.

Links
-----

Fixed versions can be found at our releases page:

    https://pagure.io/koji/releases

Questions and answers about this issue:

    :doc:`CVE-2018-1002161-FAQ`