Greetings.
A bug has been discovered in the Fedora Account system that could have exposed some sensitive information to logged in users.
The bug is around the group view function of the account system.
The bug has been present since 2008.
In order to view the private data, a attacker would have to:
* login to the account system with a valid FAS account. * Go to a group with unapproved members * manipulate the URL to get a json version of the unapproved members list.
The information exposed could include the following from unapproved members of a group:
* salted sha512 encrypted password * security questions (plaintext) * security answers, however they would be gpg encrypted. * Possibly other account data that was marked 'private' if the user had privacy set.
A hotfix for this bug has been made in our infrastructure, and a upstream release with the fix is expected later today.
Review of logs has shown no cases where this bug was used in our production account system, however our staging version was also vulnerable and we are unable to confirm the information was not accessed there. Moving forward, additional logging will be added to our staging infrastructure.
We recommend (but do not require) that all users take this time to change their passwords, update their security questions/answers and review their other account information.
-Robyn Bergeron
announce@lists.stg.fedoraproject.org