FAQ for CVE-2018-1002161
Following are answers to some questions regarding CVE-2018-1002161 for Koji. If you haven’t already, you should read the announcement.
If you have questions not covered here or in the announcement, please ask them on the koji-devel mailing list.
Q: Does this issue affect Koji clients or builders?
The issue only affects the Koji hub.
Q: Which versions of Koji are affected?
All previous versions of Koji are affected, except for the legacy-py24 branch because it contains no hub code.
Q: Where are the fixed versions?
For Koji 1.11, 1.11.1 and higher include the fix
For Koji 1.12, 1.12.2 and higher include the fix
For Koji 1.13, 1.13.2 and higher include the fix
For Koji 1.14, 1.14.2 and higher include the fix
For Koji 1.15, 1.15.2 and higher include the fix
Koji 1.16.2 and higher include the fix
You can find all of these versions on our releases page:
Q: What about older versions?
We have only backported the fix to Koji versions released in the past few years. If you are still using a very old version of Koji, we strongly recommend that you shut it down and migrate to a newer version.
Q: What can be done with this exploit?
The attacker can directly manipulate the database as they see fit. This would, among other things, allow them to gain the admin permission within Koji. They could destroy or corrupt the database, add new builds, replace existing builds, or any number of other things.
Q: Can the attacker execute arbitrary code?
On the hub, not that we know of.
However, they could create arbitrary tasks, which would be run by the build hosts.
Q: Where can I get more help?