LWN.net

Fedora Project OpenID Security issue

From:  Robyn Bergeron <rbergero-AT-redhat.com>
To:  announce-AT-lists.fedoraproject.org
Subject:  Fedora Project OpenID Security issue
Date:  Thu, 13 Dec 2012 16:06:03 -0700
Message-ID:  <50CA5F5B.6070203@redhat.com>

Greetings,

On 2012-12-12 we discovered a bug in the Fedora Project OpenID 
provider.  This bug was pulled in with a fix on 2012-10-23. We patched 
this problem on 2012-12-12, shortly after its discovery.

While the bug was present, anyone with a valid Fedora Account System 
(FAS) account who tried to log into a remote website using any FAS 
OpenID identity would have that identity validated by FAS even if the 
identity belonged to a *different FAS user*.  The fix we put in place 
rejects the attempt if the user who logs in does not own the identity 
that they requested.

Potentially affected accounts have been notified directly with a list of 
their OpenID site requests with time and date for review.

Note that the only applications that Fedora Infrastructure runs that are 
a consumer of OpenID are ask.fedoraproject.org and the FUDCon Lawrence 
registration app that runs on OpenShift. This bug in no way affected any 
of the rest of Fedora Infrastructure.

We have taken the following steps moving forward:

* The bug has been hotfixed. The OpenID provider will now disallow using 
an id different from your Fedora Account System id.

* We are working on upstream fixes to the account system to more 
robustly handle cases around OpenID.

* We are working upstream to add additional logging so we can more 
easily identify issues like this.

For more information about the Fedora Project OpenID provider, see:
http://fedoraproject.org/wiki/OpenID

We apologize for any inconvenience caused by this issue.

If you have any concerns or questions, please contact 
admin@fedoraproject.org.

-Robyn Bergeron

-- 
announce mailing list
announce@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/announce
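As an added illustration (not FAS code and not part of the announcement), the following Python models the check described above: the pre-fix validation that asserted any provider-issued identity for any logged-in user, the post-fix check that requires the logged-in user to own the requested identity, and a scan over a constructed request log for the kind of mismatches affected accounts were asked to review. The identity URL layout, usernames and relying-party names are assumed placeholders.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed layout of the provider's identity URLs (placeholder, not Fedora's).
IDENTITY_PREFIX = "https://id.example.org/"


@dataclass(frozen=True)
class Session:
    username: str        # account the browser is logged in to the provider as
    authenticated: bool


def owner_of(identity: str) -> Optional[str]:
    """Return the username an identity URL belongs to, or None if it is
    not an identity this provider issues at all."""
    if not identity.startswith(IDENTITY_PREFIX):
        return None
    name = identity[len(IDENTITY_PREFIX):].rstrip("/")
    return name if name and "/" not in name else None


def validate_vulnerable(session: Session, requested: str) -> bool:
    """Pre-fix logic: only checks that someone is logged in and that the
    requested identity exists, never who owns it."""
    return session.authenticated and owner_of(requested) is not None


def validate_fixed(session: Session, requested: str) -> bool:
    """Post-fix logic: the requested identity must belong to the logged-in user."""
    if not session.authenticated:
        return False
    return owner_of(requested) == session.username


# Constructed audit log: (timestamp, logged-in user, requested identity, relying party).
AUDIT_LOG: List[Tuple[str, str, str, str]] = [
    ("2012-12-01T10:00:00Z", "alice", IDENTITY_PREFIX + "alice", "ask.example.org"),
    ("2012-12-02T11:30:00Z", "bob", IDENTITY_PREFIX + "alice", "ask.example.org"),
    ("2012-12-03T09:15:00Z", "carol", "https://other.example.net/carol", "reg.example.org"),
]


def mismatched_requests(log: List[Tuple[str, str, str, str]]) -> List[Tuple[str, str, str, str]]:
    """Entries where the logged-in user requested a provider-issued identity
    they do not own: the requests a review of the log would flag."""
    return [(ts, user, ident, rp) for ts, user, ident, rp in log
            if owner_of(ident) is not None and owner_of(ident) != user]
```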


Copyright © 2012, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds