-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
SUMMARY: Vulnerability identified and fixed in FAS. No effect on
package content, the Fedora OS, or general users.

The Fedora Infrastructure team identified a serious vulnerability in
the Fedora Account System (FAS) web application. This flaw would allow
a specifically formatted HTTP request to be authenticated as any
requested user. The flaw was caused by a logic problem wherein the FAS
web application would accept client certificates that were not
intended to be supported. If the authenticated user had appropriate
privileges, the attacker would then be able to add, edit, or remove
user or group information.

The flaw has been patched and verified fixed in the production
FAS. Other users of FAS have been notified. The Infrastructure team is
still investigating FAS logs for user and group changes, and other
historical records that would be affected by exploiting this
issue. However, at the time of this writing, the team has no reason to
believe the flaw has been exploited.

Specifically, the team is confident package content in the Fedora
product is not affected by this flaw. For example, activities related
to package content in dist-git generate notices to maintainers, and
the discovered flaw would not allow an attacker to circumvent these or
other safeguards. Also, this flaw is irrelevant to users of the Fedora
operating system who do not use FAS.

At this time, we are not requiring any remedial action from FAS
account holders. If our investigation reveals any additional relevant
information, we’ll provide an update to the community.

This issue has been assigned CVE-2016-1000038.
- --
Paul W. Frields
Fedora Engineering Manager
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iD8DBQFXqNwirNvJN70RNxcRAhfeAKDQlEPs25Dn+9gbd1lb8cLjs/yY5wCgmEVU
6039NSNcEkaFgJz4DG2Cy18=
=fEZK
-----END PGP SIGNATURE-----
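The class of flaw the advisory describes, a web application turning a client certificate it should never have accepted into a login identity, is easiest to see next to the check that prevents it. The Go program below is an added illustration written for this page; it is not FAS code and does not describe how FAS authenticates. It constructs, in memory, a user CA, a legitimate user certificate, a server certificate from the same CA whose CN happens to be a privileged username, and a self-signed certificate, then runs two identity mappings over them: one that trusts the CN of whatever certificate arrived, and one that only accepts certificates issued directly by the user CA for client authentication. The CA name, the direct-issuance policy and the three certificates are assumptions for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

var serial int64

// issue mints a certificate for cn, self-signed when parent is nil, otherwise
// signed by parent/parentKey. All material is constructed for this example.
func issue(cn string, isCA bool, eku []x509.ExtKeyUsage,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           eku,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// usernameTrustingAnyCert is the flawed pattern: the CN of whatever certificate
// the client presented becomes the login name, with no issuer or purpose check.
func usernameTrustingAnyCert(cert *x509.Certificate) string {
	return cert.Subject.CommonName
}

// usernameFromVerifiedCert is the hardened mapping (an assumed policy, not FAS's):
// the certificate must chain directly to the dedicated user CA and be valid for
// client authentication before its CN is treated as a username.
func usernameFromVerifiedCert(cert, userCA *x509.Certificate) (string, error) {
	if cert.IsCA {
		return "", errors.New("CA certificate presented as a user identity")
	}
	roots := x509.NewCertPool()
	roots.AddCert(userCA)
	chains, err := cert.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	if err != nil {
		return "", fmt.Errorf("client certificate rejected: %w", err)
	}
	if len(chains[0]) != 2 || !chains[0][1].Equal(userCA) {
		return "", errors.New("certificate not issued directly by the user CA")
	}
	if cert.Subject.CommonName == "" {
		return "", errors.New("certificate carries no username")
	}
	return cert.Subject.CommonName, nil
}

// Outcome records what each mapping does with one presented certificate.
type Outcome struct {
	Naive    string // login the flawed mapping would grant
	Hardened string // login the hardened mapping grants ("" when rejected)
	Err      error
}

// RunScenario builds the constructed certificates and runs both mappings.
// Keys: "alice" (real user), "host" (server cert, CN=admin), "rogue" (self-signed, CN=admin).
func RunScenario() map[string]Outcome {
	userCA, caKey := issue("Example User CA", true, nil, nil, nil)
	alice, _ := issue("alice", false, []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, userCA, caKey)
	host, _ := issue("admin", false, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, userCA, caKey)
	rogue, _ := issue("admin", false, []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, nil, nil)
	out := map[string]Outcome{}
	for name, c := range map[string]*x509.Certificate{"alice": alice, "host": host, "rogue": rogue} {
		user, err := usernameFromVerifiedCert(c, userCA)
		out[name] = Outcome{Naive: usernameTrustingAnyCert(c), Hardened: user, Err: err}
	}
	return out
}

func main() {
	for name, o := range RunScenario() {
		fmt.Printf("%-6s naive=%q hardened=%q err=%v\n", name, o.Naive, o.Hardened, o.Err)
	}
}
```

The naive mapping logs the "host" and "rogue" certificates in as admin; the hardened one accepts only alice, rejecting the server certificate for its incompatible extended key usage and the self-signed one as unknown authority. The direct-issuance check is the part most often missing in practice: a root that also signs host, service or sub-CA certificates is exactly the situation in which "certificates that were not intended to be supported" become logins.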