fedoraproject.org Account System (FAS) security issue.
rbergero at redhat.com
Thu May 9 16:18:18 UTC 2013
A bug has been discovered in the Fedora Account system that could have
exposed some sensitive information to logged in users.
The bug is around the group view function of the account system.
The bug has been present since 2008.
In order to view the private data, a attacker would have to:
* login to the account system with a valid FAS account.
* Go to a group with unapproved members
* manipulate the URL to get a json version of the unapproved members
The information exposed could include the following from unapproved
members of a group:
* salted sha512 encrypted password
* security questions (plaintext)
* security answers, however they would be gpg encrypted.
* Possibly other account data that was marked 'private' if the user had
A hotfix for this bug has been made in our infrastructure,
and a upstream release with the fix is expected later today.
Review of logs has shown no cases where this bug was used in our
production account system, however our staging version was also
vulnerable and we are unable to confirm the information was not
accessed there. Moving forward, additional logging will be added to our
We recommend (but do not require) that all users take this time to
change their passwords, update their security questions/answers and
review their other account information.
More information about the announce