Upstream has issued an advisory on February 21: https://docs.pagure.org/koji/CVE-2018-1002161/ The issue is fixed upstream in 1.12.2 and 1.16.2. Mageia 6 is also affected.
Whiteboard: (none) => MGA6TOO
Status comment: (none) => Fixed upstream in 1.12.2 and 1.16.2
Fixed in koji-1.17.0-1.mga7 in Cauldron by Neal.
Whiteboard: MGA6TOO => (none)
Version: Cauldron => 6
Updated package uploaded for Mageia 6 by Neal.

Advisory:
========================

Updated koji packages fix security vulnerability:

Multiple xmlrpc call handlers in Koji's hub code contain SQL injection bugs. By passing carefully constructed arguments to these calls, an unauthenticated user can issue arbitrary SQL commands to Koji's database. This gives the attacker broad ability to manipulate or destroy data (CVE-2018-1002161).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1002161
https://docs.pagure.org/koji/CVE-2018-1002161/
========================

Updated packages in core/updates_testing:
========================
koji-1.12.2-1.mga6
koji-hub-1.12.2-1.mga6
koji-hub-plugins-1.12.2-1.mga6
koji-builder-1.12.2-1.mga6
koji-vm-1.12.2-1.mga6
koji-utils-1.12.2-1.mga6
koji-web-1.12.2-1.mga6

from koji-1.12.2-1.mga6.src.rpm
Assignee: ngompa13 => qa-bugs
CC: (none) => ngompa13
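As an added illustration of the bug class the advisory describes (example code written for this page, not Koji's own hub code): a hypothetical XML-RPC-style handler that splices its caller-supplied argument into the SQL text, beside the parameterized form that the fix relies on. It uses an in-memory sqlite3 table with constructed rows in place of Koji's PostgreSQL database; the table layout and function names are assumptions.

```python
import sqlite3

# Constructed sample rows standing in for a Koji "package" table (hypothetical
# layout). sqlite3 is used only so the example runs offline; the real hub
# talks to PostgreSQL, but the parameter-binding principle is the same.
SAMPLE_PACKAGES = [("kernel",), ("koji",), ("secret-internal-pkg",)]


def _connect():
    """Build the throwaway in-memory database with the constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE package (name TEXT NOT NULL)")
    db.executemany("INSERT INTO package (name) VALUES (?)", SAMPLE_PACKAGES)
    return db


def get_package_vulnerable(db, name):
    """Handler in the shape of the bug: the argument becomes part of the SQL
    text, so quote characters in it are parsed as SQL rather than as data."""
    sql = "SELECT name FROM package WHERE name = '%s'" % name
    return [row[0] for row in db.execute(sql)]


def get_package_fixed(db, name):
    """Hardened form: the argument is sent as a bound parameter. The database
    driver never lets it alter the statement structure."""
    sql = "SELECT name FROM package WHERE name = ?"
    return [row[0] for row in db.execute(sql, (name,))]


def compare(name):
    """Run the same argument through both handlers so the difference is
    visible: the fixed handler only ever matches a literal package name."""
    db = _connect()
    return get_package_vulnerable(db, name), get_package_fixed(db, name)
```

A name that is not a real package should match nothing; a crafted argument that widens the WHERE clause does so only in the vulnerable handler, while the parameterized one still returns an empty list.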
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues.
Tried at CLI

$ koji -h
Usage: koji [global-options] command [command-options-and-arguments]

Common commands:
build, download-build, help, latest-pkg, list-targets, search

Options:
-h, --help show this help message and exit
-c FILE, --config=FILE use alternate configuration file
-p PROFILE, --profile=PROFILE specify a configuration profile
and loads more

$ koji --help-commands
Available commands:

admin commands:
add-external-repo Create an external repo and/or add one to a tag
add-group Add a group to a tag
add-group-pkg Add a package to a group's package listing
add-group-req Add a group to a group's required list
etc......

Tried to find some easy example, but concluded I would need some days-weeks of study, so abandoning this to people with more knowledge or experience on the subject.
CC: (none) => herman.viaene
Fedora has issued an advisory for this on February 25: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ZK4UFB6Q4EDKJYDCXJ7R43EBRSWBS3SR/
Keywords: (none) => advisory
CC: (none) => davidwhodgins
Validating based on packages all updating cleanly using qarepo.
Keywords: (none) => validated_update
Whiteboard: (none) => MGA6-64-OK
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2019-0144.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED