From: Robyn Bergeron <rbergero <at> redhat.com>
Subject: fedoraproject.org Account System (FAS) security issue.
Newsgroups: gmane.linux.redhat.fedora.core.announce
Date: Thursday 9th May 2013 16:18:18 UTC
Greetings.

A bug has been discovered in the Fedora Account system that could have
exposed some sensitive information to logged-in users.

The bug is around the group view function of the account system.

The bug has been present since 2008.

In order to view the private data, an attacker would have to:

* log in to the account system with a valid FAS account.
* go to a group with unapproved members.
* manipulate the URL to get a json version of the unapproved members
  list.

The information exposed could include the following from unapproved
members of a group:

* salted sha512 encrypted password
* security questions (plaintext)
* security answers, however they would be gpg encrypted.
* Possibly other account data that was marked 'private' if the user had
  privacy set.

A hotfix for this bug has been made in our infrastructure,
and an upstream release with the fix is expected later today.

Review of logs has shown no cases where this bug was used in our
production account system; however, our staging version was also
vulnerable and we are unable to confirm the information was not
accessed there. Moving forward, additional logging will be added to our
staging infrastructure.

We recommend (but do not require) that all users take this time to
change their passwords, update their security questions/answers and
review their other account information.


-Robyn Bergeron
-- 
announce mailing list
[email protected]
https://admin.fedoraproject.org/mailman/listinfo/announce
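The bug class described in the announcement, as an added illustration that is not FAS code: a group view whose HTML rendering only lists approved members, while its JSON format serialises every member record whole, beside a fixed version that decides visibility and field set once for both formats. All field names, records and the `viewer_is_sponsor` flag are constructed for this example.

```python
import json

# Constructed sample member records for one group (all values are made up;
# the field names are hypothetical, not the FAS schema).
MEMBERS = [
    {"username": "alice", "status": "approved", "privacy": False,
     "password": "$6$<salt>$<sha512 hash placeholder>",
     "security_question": "Name of first pet?",
     "security_answer": "-----BEGIN PGP MESSAGE----- <placeholder>",
     "email": "alice@example.invalid"},
    {"username": "bob", "status": "unapproved", "privacy": True,
     "password": "$6$<salt>$<sha512 hash placeholder>",
     "security_question": "City of birth?",
     "security_answer": "-----BEGIN PGP MESSAGE----- <placeholder>",
     "email": "bob@example.invalid"},
]

PUBLIC_FIELDS = ("username", "status")  # safe to show to any logged-in user
SENSITIVE_FIELDS = {"password", "security_question", "security_answer", "email"}

def group_view_before(members, fmt="html"):
    """Bug class: the HTML template prints only approved usernames, but the
    'json' format (selected via the URL) dumps every record untouched, so
    unapproved members' private fields reach any logged-in caller."""
    if fmt == "json":
        return json.dumps(members)
    return "\n".join(m["username"] for m in members if m["status"] == "approved")

def group_view_after(members, viewer_is_sponsor, fmt="html"):
    """Fix: filter who is visible (unapproved members only to sponsors) and
    reduce each record to an allow-list of fields BEFORE choosing a format,
    so HTML and JSON can never disagree about what is exposed."""
    visible = [m for m in members
               if m["status"] == "approved" or viewer_is_sponsor]
    rows = [{k: m[k] for k in PUBLIC_FIELDS} for m in visible]
    if fmt == "json":
        return json.dumps(rows)
    return "\n".join(r["username"] for r in rows)

def leaked_fields(json_text):
    """Regression check: which sensitive keys appear anywhere in a JSON response."""
    keys = set()
    for rec in json.loads(json_text):
        keys.update(rec)
    return keys & SENSITIVE_FIELDS

if __name__ == "__main__":
    print("before:", sorted(leaked_fields(group_view_before(MEMBERS, "json"))))
    print("after: ", sorted(leaked_fields(group_view_after(MEMBERS, False, "json"))))
```

`leaked_fields` is the kind of check that can run against every serialising view in a test suite, so a new format or a new private column cannot reopen the gap silently.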