The 1.17 roadmap is cleared and things seem to be working. I've started the
PR for the release here:
I'll be working on the release notes and testing. If you're planning on
deploying 1.17, now is a good time to test.

SQL injection in multiple remote calls

This is a critical security bug.

Multiple xmlrpc call handlers in Koji’s hub code contain SQL injection
passing carefully constructed arguments to these calls, an unauthenticated
can issue arbitrary SQL commands to Koji’s database. This gives the attacker
broad ability to manipulate or destroy data.

There is no known workaround. All Koji admins are encouraged to update to a
fixed version as soon as possible.

We are releasing updates for each affected version of Koji to fix this bug.
The following releases <https://pagure.io/koji/releases> all contain the

Note: the legacy-py24 branch is unaffected since it is client-only (no hub).

For users who have customized their Koji code, we recommend rebasing your
work onto the appropriate update release. If this is not feasible, the
patch should be very easy to apply. Please see Koji issue 1183
<https://pagure.io/koji/issue/1183> for the code details.

As with all changes to hub code, you must restart httpd for the changes to

Fixed versions can be found at our releases page:

Questions and answers about this issue

I was reading in the source about callnum and wondering: what is the
purpose of callnum?
Is it a security feature, or just a way to maintain write operation order?
It looks like Koji writes a new callnum integer to the database for
every authenticated RPC, even if that RPC is only doing a read-only
operation like getBuild.