SQL injection in multiple remote calls


This is a critical security bug.

Multiple xmlrpc call handlers in Koji’s hub code contain SQL injection bugs. By passing carefully constructed arguments to these calls, an unauthenticated user can issue arbitrary SQL commands to Koji’s database. This gives the attacker broad ability to manipulate or destroy data.

There is no known workaround. All Koji admins are encouraged to update to a fixed version as soon as possible.

Bug fix

Note: because code fixes can take time to deploy, we recommend that all admins shut down their Koji hub instances until the fix can be applied.

We are releasing updates for several recent versions of Koji to fix this bug. The following releases all contain the fix:

  • 1.16.2

  • 1.15.2

  • 1.14.2

  • 1.13.2

  • 1.12.2

  • 1.11.1

Note: the legacy-py24 branch is unaffected since it is client-only (no hub).

For users who have customized their Koji code, we recommend rebasing your work onto the appropriate update release. If this is not feasible, the patch should be very easy to apply. Please see issue #1183 for the code details.

As with all changes to hub code, you must restart httpd for the changes to take effect.