Fedora Project OpenID Security issue

[Robyn Bergeron]

Greetings,

On 2012-12-12 we discovered a bug in the Fedora Project OpenID 
provider.  This bug was pulled in with a fix on 2012-10-23. We patched 
this problem on 2012-12-12, shortly after its discovery.

While the bug was present, anyone with a valid Fedora Account System 
(FAS) account who tried to log into a remote website using any FAS 
OpenID identity would have that identity validated by FAS even if the 
identity belonged to a *different FAS user*.  The fix we put in place 
rejects the attempt if the user who logs in does not own the identity 
that they requested.

Potentially affected accounts have been notified directly with a list of 
their OpenID site requests with time and date for review.

Note that the only applications that Fedora Infrastructure runs that are 
a consumer of OpenID are ask.fedoraproject.org and the FUDCon Lawrence 
registration app that runs on OpenShift. This bug in no way affected any 
of the rest of Fedora Infrastructure.

We have taken the following steps moving forward:

* The bug has been hotfixed. The OpenID provider will now disallow using 
an id different from your Fedora Account System id.

* We are working on upstream fixes to the account system to more 
robustly handle cases around OpenID.

* We are working upstream to add additional logging so we can more 
easily identify issues like this.

For more information about the Fedora Project OpenID provider, see:
http://fedoraproject.org/wiki/OpenID

We apologize for any inconvenience caused by this issue.

If you have any concerns or questions, please contact 
admin at fedoraproject.org.

-Robyn Bergeron