FAQ for CVE-2018-1002161

Following are answers to some questions regarding CVE-2018-1002161
for Koji. If you haven’t already, you should read the
:doc:`announcement <CVE-2018-1002161>`.

If you have questions not covered here or in the announcement, please
ask them on the koji-devel mailing list.


Q: Does this issue affect Koji clients or builders?

    The issue only affects the Koji hub.

Q: Which versions of Koji are affected?

    All previous versions of Koji are affected, except for the legacy-py24
    branch because it contains no hub code.

Q: Where are the fixed versions?

    | For Koji 1.11, 1.11.1 and higher include the fix
    | For Koji 1.12, 1.12.2 and higher include the fix
    | For Koji 1.13, 1.13.2 and higher include the fix
    | For Koji 1.14, 1.14.2 and higher include the fix
    | For Koji 1.15, 1.15.2 and higher include the fix
    | For Koji 1.16.2 and higher include the fix

    You can find all of these versions on our releases page:


Q: What about older versions?

    We have only backported the fix to Koji versions released in the past few
    years. If you are still using a very old version of Koji, we strongly
    recommend that you shut it down and migrate to a newer version.

Q: What can be done with this exploit?

    The attacker can directly manipulate the database as they see fit. This
    would, among other things, allow them to gain the admin permission within
    Koji. They could destroy or corrupt the database, add new builds, replace
    existing builds, or any number of other things.

Q: Can the attacker execute arbitrary code?

    On the hub, not that we know of.

    However, they could create arbitrary tasks, which would be run by the build

Q: Where can I get more help?

    You can ask questions on the koji-devel mailing list
    (`koji-devel@fedorahosted.org <mailto:koji-devel@fedorahosted.org>`_).

    For real time communication, we have the #koji IRC channel on
    `Freenode <https://freenode.net/>`_.
    The best time to ask would be during the Koji devel team
    “office hours”, which are held each Tuesday and Thursday from
    10-11am eastern time.