Hello,

there was a security update of copr-frontend which fixes a problem with
leaking of webhook secrets, which are used to generate GitHub/GitLab/Bitbucket
webhook URLs.

Basically, it was possible to get the webhook_secret of another project simply by forking it.
You could then launch builds for that project :/.

Also, the Integration page (formerly 'Webhooks') was accessible for foreign projects
under a direct URL if you knew what that URL should look like (it wasn't that difficult to guess).

This is the page where the Pagure API token for flagging pull requests and commits is inserted.

If you have already set up this integration with an API token generated at a Pagure instance,
I recommend revoking the currently used API token and generating a new one.

For the webhook leak, we have added the command `copr-cli new-webhook-secret <copr>`.

So I recommend regenerating your webhook secrets with this command and resetting your
GitHub/GitLab/Bitbucket webhooks on your sourceforge.

The new copr-cli and python-copr package (both are needed) with the new `new-webhook-secret`
command are available here: https://copr.fedorainfracloud.org/coprs/g/copr/copr/

You should also be able to install them from updates-testing shortly.

In the attachment, you can find a list of people whose projects have been forked, which means
that somebody else shares their webhook secret.

Updates:
copr-frontend: https://bodhi.fedoraproject.org/updates/FEDORA-2018-9efcbc194b
copr-backend: https://bodhi.fedoraproject.org/updates/FEDORA-2018-8821da2c15
python-copr: https://bodhi.fedoraproject.org/updates/FEDORA-2018-393d4b16fc
copr-cli: https://bodhi.fedoraproject.org/updates/FEDORA-2018-72094a49b4

Sorry for these problems. We are going to carefully audit the whole code-base
now and make sure the code is clean of any further issues of this kind.

Copr team
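
The fork issue described above, as an added illustration that is not part of the original announcement and is not Copr's code: a fork that copies every field carries the webhook secret with it, a hardened fork regenerates it, and a small audit finds projects that still share a secret. The `Project` model, function names and sample projects are hypothetical.

```python
import secrets
from collections import defaultdict
from dataclasses import dataclass, field, replace
from typing import Optional


def new_secret() -> str:
    # Fresh random value; never derived from or copied out of another project.
    return secrets.token_urlsafe(32)


@dataclass
class Project:  # hypothetical model, not Copr's schema
    owner: str
    name: str
    webhook_secret: str = field(default_factory=new_secret)
    forked_from: Optional[str] = None

    @property
    def full_name(self) -> str:
        return f"{self.owner}/{self.name}"


def fork_copying_all_fields(src: Project, new_owner: str) -> Project:
    # Flawed pattern: a blanket copy carries the secret into the fork,
    # where the fork's owner can read it.
    return replace(src, owner=new_owner, forked_from=src.full_name)


def fork_with_fresh_secret(src: Project, new_owner: str) -> Project:
    # Hardened pattern: per-project credentials are regenerated on fork.
    return replace(src, owner=new_owner, forked_from=src.full_name,
                   webhook_secret=new_secret())


def shared_secrets(projects):
    # Audit: group projects by secret and report every group larger than one.
    groups = defaultdict(list)
    for p in projects:
        groups[p.webhook_secret].append(p.full_name)
    return sorted(sorted(names) for names in groups.values() if len(names) > 1)


# Constructed sample data.
upstream = Project("alice", "tool")
leaky = fork_copying_all_fields(upstream, "bob")
safe = fork_with_fresh_secret(upstream, "carol")
print(shared_secrets([upstream, leaky, safe]))  # [['alice/tool', 'bob/tool']]
```

Every project in a reported group needs a new secret, since rotating only one of them leaves the others still sharing the old value.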