Note about mediawiki plugin

Mike McGrath mmcgrath at redhat.com
Sun Dec 14 17:24:59 UTC 2008


Many of you got an email yesterday concerning your fas username and
password.  Basically we have a custom plugin for our mediawiki install
(http://fedoraproject.org/wiki/).  That plugin still had some debug
logging enabled which was causing people who logged in to get their
username and password logged to the apache error logs.

That in itself isn't really a problem.  It's not good practice but it's not
a breach or anything as long as no untrusted parties get ahold of those
logs.  Still I think people have an expectation that their passwords are
always secure and not stored unencrypted somewhere (I know I feel that
way) so we thought we'd let people know whose names we found in the logs
so they can change their password if they wish.

The logs were discovered after our outage a few days back.  While looking
for the cause of some 500 errors related to the db1->db3 switch, we
discovered the offending username/password combos.  After that Ricky paged
me, we talked a bit about what to do.  I went back to sleep to think on it
some and in the morning agreed with Ricky.  We decided it best to just
remove the log lines and send an email out to everyone to let them know.

People in sysadmin-main and sysadmin-web have access to these logs (and
they're the groups charged with running the site) so as you can see, there
really was nothing to it.  I'm actually happy to say that we use
encrypted passwords everywhere now, before FAS2 came out that wasn't true.

So if anyone has any questions about what happened, direct them to this
email (it'll be in the public archives).  For the ultra paranoid here's
the specific commit diff:

http://tinyurl.com/69s8fd

Feel free to ask any questions on this list or to admin at fedoraproject.org.

	-Mike