{
  "schema_version": "1.7.0",
  "id": "MGASA-2019-0144",
  "published": "2019-04-10T22:07:23Z",
  "modified": "2019-04-10T21:35:54Z",
  "summary": "Updated koji packages fix unauthenticated SQL injection vulnerability (CVE-2018-1002161)",
  "details": "Multiple xmlrpc call handlers in Koji’s hub code contain SQL injection\nbugs. By passing carefully constructed arguments to these calls, an\nunauthenticated user can issue arbitrary SQL commands to Koji’s database.\nThis gives the attacker broad ability to manipulate or destroy data\n(CVE-2018-1002161).\n",
  "upstream": [
    "CVE-2018-1002161"
  ],
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://advisories.mageia.org/MGASA-2019-0144.html"
    },
    {
      "type": "REPORT",
      "url": "https://bugs.mageia.org/show_bug.cgi?id=24421"
    },
    {
      "type": "ADVISORY",
      "url": "https://docs.pagure.org/koji/CVE-2018-1002161/"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ZK4UFB6Q4EDKJYDCXJ7R43EBRSWBS3SR/"
    }
  ],
  "affected": [
    {
      "package": {
        "ecosystem": "Mageia:6",
        "name": "koji",
        "purl": "pkg:rpm/mageia/koji?arch=source&distro=mageia-6"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.12.2-1.mga6"
            }
          ]
        }
      ],
      "ecosystem_specific": {
        "section": "core"
      }
    }
  ],
  "credits": [
    {
      "name": "Mageia",
      "type": "COORDINATOR",
      "contact": [
        "https://wiki.mageia.org/en/Packages_Security_Team"
      ]
    }
  ]
}
