SQL injection in multiple remote calls
This is a critical security bug.
Multiple xmlrpc call handlers in Koji’s hub code contain SQL injection bugs. By
passing carefully constructed arguments to these calls, an unauthenticated user
can issue arbitrary SQL commands to Koji’s database. This gives the attacker
broad ability to manipulate or destroy data.
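To illustrate the bug class the advisory describes, here is an added example (not Koji's code, and not the handlers fixed in issue 1183): a hypothetical hub-style handler that splices a caller-controlled XML-RPC argument into SQL text, beside the parameterized form that admins auditing customized hub code should expect to see. The table, rows and arguments are constructed for the demo and sqlite3 stands in for the hub's database.

```python
import sqlite3

# Constructed sample data standing in for a hub's build table (not Koji's schema).
SAMPLE_BUILDS = [("bash", "5.0"), ("coreutils", "8.30"), ("kernel", "4.18")]


def _connect():
    """Return an in-memory database seeded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE build (name TEXT, version TEXT)")
    conn.executemany("INSERT INTO build VALUES (?, ?)", SAMPLE_BUILDS)
    return conn


def get_build_vulnerable(conn, name):
    """Hypothetical handler with the defect class: the caller-controlled
    argument is spliced into the SQL text, so a quote in it changes the query."""
    sql = "SELECT name, version FROM build WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def get_build_fixed(conn, name):
    """Hardened form: the argument travels as a bound parameter and is never
    parsed as SQL. sqlite3 uses '?' placeholders; psycopg2 (used by Koji's hub
    against PostgreSQL) takes '%s' or '%(name)s' with a separate params object."""
    sql = "SELECT name, version FROM build WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo():
    """Run both handlers with a benign and a constructed hostile argument."""
    conn = _connect()
    benign = "bash"
    # Constructed argument: the single quote closes the literal, and the rest
    # becomes part of the WHERE clause in the vulnerable handler only.
    hostile = "x' OR '1'='1"
    return {
        "vulnerable_benign": get_build_vulnerable(conn, benign),
        "vulnerable_hostile": get_build_vulnerable(conn, hostile),
        "fixed_benign": get_build_fixed(conn, benign),
        "fixed_hostile": get_build_fixed(conn, hostile),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

The vulnerable handler returns every row for the hostile argument, while the parameterized one returns nothing, because the bound value is compared as data rather than executed as SQL.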
There is no known workaround. All Koji admins are encouraged to update to a
fixed version as soon as possible.
We are releasing updates for each affected version of Koji to fix this bug. The following releases all contain the fix:
1.16.2
1.15.2
1.14.2
1.13.2
1.12.2
1.11.1
Note: the legacy-py24 branch is unaffected since it is client-only (no hub).
For users who have customized their Koji code, we recommend rebasing your work onto the appropriate update release. If this is not feasible, the patch should be very easy to apply. Please see Koji issue 1183 for the code details.
As with all changes to hub code, you must restart httpd for the changes to take effect.
Fixed versions can be found at our releases page:
https://pagure.io/koji/releases
Questions and answers about this issue