Thanks for the fix! This could have caused some serious issues, so glad we were able to address it ahead of time.
On Mon, Sep 13, 2021 at 5:06 AM Victor Stinner <vstin...@python.org> wrote:
> Hi,
>
> A bug has been identified and *fixed* in the OAuth-based authentication code used on the Python bug tracker bugs.python.org (BPO) to log in with GitHub, Launchpad or Google. Under some conditions, it was possible to be logged in as another person's account. We are only aware of a single user affected by the issue. We are not aware of any account takeover.
>
> All bugs at bugs.python.org are public: being logged in as the wrong account cannot give access to private bugs. The main risk is if an attacker could be logged in as an administrator (the "Coordinator" role), which allows changing the bug tracker configuration and changing accounts (add/remove roles, see/change the email address, etc.). We are not aware of any abuse.
>
> All OAuth accounts have been removed from the database to fully fix the issue. Users using OAuth-based authentication must associate their GitHub, Launchpad or Google account with their BPO account again (once).
>
> A BPO account contains the following information: Name, Login Name, GitHub Name, Organisation, Timezone, Homepage, Contributor Form Received, Is Committer, E-mail address, Alternate E-mail addresses. All fields but Name and Timezone are hidden from other accounts; only coordinators can see all fields of other accounts. You can check the "Your Details" page for your account change log.
>
> Thanks Ammar Askar, Berker Peksağ and Ee Durbin who fixed the bug!
>
> Source code of bugs.python.org (Roundup fork):
> https://github.com/psf/bpo-tracker-cpython
>
> The OAuth-based authentication is an extension written for bugs.python.org.
> The bug report and its fix:
>
> * https://github.com/python/bugs.python.org/issues/64
> * https://github.com/psf/bpo-tracker-cpython/commit/0a32e072aafca20c0bf51cf16fb6a7328cdd720a
>
> Report issues with bugs.python.org:
> https://github.com/python/bugs.python.org/issues
>
> To report sensitive issues, write to: secur...@python.org
>
> Victor
> --
> Night gathers, and now my watch begins. It shall not end until my death.
> _______________________________________________
> Python-Dev mailing list -- python-dev@python.org
> To unsubscribe send an email to python-dev-le...@python.org
> https://mail.python.org/mailman3/lists/python-dev.python.org/
> Message archived at https://mail.python.org/archives/list/python-dev@python.org/message/CIXIB6EMN7HOPMXFJI7EBK7V7OPK4E7H/
> Code of Conduct: http://python.org/psf/codeofconduct/
_______________________________________________
Python-Dev mailing list -- python-dev@python.org
To unsubscribe send an email to python-dev-le...@python.org
https://mail.python.org/mailman3/lists/python-dev.python.org/
Message archived at https://mail.python.org/archives/list/python-dev@python.org/message/OH7V7GJ6GTQJM3OBIXZ72IZXA4KSLVVH/
Code of Conduct: http://python.org/psf/codeofconduct/