There was a security update of copr-frontend which fixes a problem with
leaking of webhook secrets which are used to generate
Basically, it was possible to get webhook_secret of another project simply
by forking it.
You could then launch builds for that project :/.
Also, the Integration page (formerly 'Webhooks') was accessible for foreign
under a direct URL if you knew what that URL should look like (it wasn't
that difficult to guess).
This is the page where the Pagure API token for flagging pull requests and
commits is inserted.
If you have already set up this integration with an API token generated at a
I recommend revoking the currently used API token and generating a new one.
For the webhook leak, we have added the command copr-cli new-webhook-secret
So I recommend regenerating your webhook secrets with this command and
Github/Gitlab/Bitbucket webhooks on your sourceforge.
The new copr-cli and python-copr packages (both are needed) with the new
command are available here:
You should also be able to install them from updates-testing shortly.
In the attachment, you can find a list of people whose project has been
forked, which means
that somebody else shares their webhook secret.
Sorry for these problems. We are going to carefully audit the whole
now and make sure the code is clean of any further issues of this kind.
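
The fork leak described above, as an added example that is not part of the original message and is not copr-frontend code: a fork that copies every field also copies webhook_secret, while a hardened fork generates its own, and a small audit lists projects that share a secret. The Project model, its other fields, the secret format and all function names are assumptions made for illustration.

```python
import secrets
from collections import defaultdict
from dataclasses import dataclass, field, replace


def new_secret() -> str:
    # Random, unguessable per-project value (the format is an assumption).
    return secrets.token_hex(16)


@dataclass
class Project:  # hypothetical model; only webhook_secret is named in the message
    owner: str
    name: str
    description: str = ""
    webhook_secret: str = field(default_factory=new_secret)


def fork_copying_everything(src: Project, new_owner: str) -> Project:
    # Flawed pattern: a blanket field copy hands the source project's
    # webhook_secret to whoever owns the fork.
    return replace(src, owner=new_owner)


def fork_with_fresh_secret(src: Project, new_owner: str) -> Project:
    # Hardened pattern: copy only non-sensitive fields explicitly, so the
    # fork gets a newly generated secret from the default factory.
    return Project(owner=new_owner, name=src.name, description=src.description)


def rotate(project: Project) -> None:
    # What regenerating a webhook secret amounts to for a single project.
    project.webhook_secret = new_secret()


def shared_secrets(projects):
    # Audit: group projects by secret and report every group larger than one.
    groups = defaultdict(list)
    for p in projects:
        groups[p.webhook_secret].append(f"{p.owner}/{p.name}")
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


# Constructed sample data, not real projects.
upstream = Project("alice", "tool")
leaky = fork_copying_everything(upstream, "bob")
safe = fork_with_fresh_secret(upstream, "carol")
```

Rotating the upstream project's secret breaks the sharing, but any webhook configured with the old value then has to be updated to the new one.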