|| ||Robyn Bergeron <rbergero-AT-redhat.com> |
|| ||announce-AT-lists.fedoraproject.org |
|| ||Fedora Project OpenID Security issue |
|| ||Thu, 13 Dec 2012 16:06:03 -0700|
|| ||Article, Thread
On 2012-12-12 we discovered a bug in the Fedora Project OpenID
provider. This bug was pulled in with a fix on 2012-10-23. We patched
this problem on 2012-12-12, shortly after its discovery.
While the bug was present, anyone with a valid Fedora Account System
(FAS) account who tried to log into a remote website using any FAS
OpenID identity would have that identity validated by FAS even if the
identity belonged to a *different FAS user*. The fix we put in place
rejects the attempt if the user who logs in does not own the identity
that they requested.
Potentially affected accounts have been notified directly with a list of
their OpenID site requests with time and date for review.
Note that the only applications that Fedora Infrastructure runs that are
a consumer of OpenID are ask.fedoraproject.org and the FUDCon Lawrence
registration app that runs on OpenShift. This bug in no way affected any
of the rest of Fedora Infrastructure.
We have taken the following steps moving forward:
* The bug has been hotfixed. The OpenID provider will now disallow using
an id different from your Fedora Account System id.
* We are working on upstream fixes to the account system to more
robustly handle cases around OpenID.
* We are working upstream to add additional logging so we can more
easily identify issues like this.
For more information about the Fedora Project OpenID provider, see:
We apologize for any inconvenience caused by this issue.
If you have any concerns or questions, please contact
announce mailing list
to post comments)