Many of you got an email yesterday concerning your FAS username and password. Basically we have a custom plugin for our MediaWiki install (http://fedoraproject.org/wiki/). That plugin still had some debug logging enabled, which was causing people who logged in to get their username and password logged to the Apache error logs.

That in itself isn't really a problem. It's not good practice, but it's not a breach or anything as long as no untrusted parties get ahold of those logs. Still, I think people have an expectation that their passwords are always secure and not stored unencrypted somewhere (I know I feel that way), so we thought we'd let people know whose names we found in the logs so they can change their password if they wish.

The logs were discovered after our outage a few days back. While looking for the cause of some 500 errors related to the db1->db3 switch, we discovered the offending username/password combos. After that Ricky paged me, and we talked a bit about what to do. I went back to sleep to think on it some and in the morning agreed with Ricky. We decided it best to just remove the log lines and send an email out to everyone to let them know.

People in sysadmin-main and sysadmin-web have access to these logs (and they're the groups charged with running the site), so as you can see, there really was nothing to it. I'm actually happy to say that we use encrypted passwords everywhere now; before FAS2 came out that wasn't true.

So if anyone has any questions about what happened, direct them to this email (it'll be in the public archives). For the ultra paranoid, here's the specific commit diff: http://tinyurl.com/69s8fd

Feel free to ask any questions on this list or to admin@xxxxxxxxxxxxxxxxxx

-Mike
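An added example, not part of the original email and not Fedora's code: a sketch of the cleanup the message describes, listing the usernames exposed in an error log and dropping the offending lines. The log layout, the `authdebug:` marker and the `user=`/`password=` fields are constructed assumptions, since the plugin's real debug output is not shown in the email.

```python
import re

# Constructed Apache error-log lines (assumed format, documentation IPs).
SAMPLE_LOG = """\
[Sun Dec 14 03:12:01 2008] [error] [client 192.0.2.10] authdebug: login user=alice password=hunter2
[Sun Dec 14 03:12:05 2008] [error] [client 192.0.2.11] PHP Warning: pg_connect(): unable to connect
[Sun Dec 14 03:13:40 2008] [error] [client 192.0.2.12] authdebug: login user=bob password=s3cret pw
[Sun Dec 14 03:14:02 2008] [error] [client 192.0.2.10] authdebug: login user=alice password=hunter2
[Sun Dec 14 03:14:30 2008] [error] [client 192.0.2.14] authdebug: bind failed password=letmein
[Sun Dec 14 03:15:00 2008] [error] [client 192.0.2.13] File does not exist: /var/www/html/favicon.ico
"""

SECRET = re.compile(r"\bpassword=")   # any line carrying a logged password
USER = re.compile(r"\buser=(\S+)")    # username field, when the line has one


def triage(log_text):
    """Return (affected_usernames, scrubbed_log, unattributed_count).

    Every line containing a password is dropped whole, matching the email's
    "remove the log lines". Password values are never returned or printed.
    Lines that leak a password but name no user are counted so a person can
    review them instead of silently losing track of an affected account.
    """
    affected = set()
    kept = []
    unattributed = 0
    for line in log_text.splitlines():
        if not SECRET.search(line):
            kept.append(line)
            continue
        match = USER.search(line)
        if match:
            affected.add(match.group(1))
        else:
            unattributed += 1
    return sorted(affected), "\n".join(kept) + "\n", unattributed


if __name__ == "__main__":
    users, scrubbed, unknown = triage(SAMPLE_LOG)
    print("notify:", ", ".join(users))
    print("password lines without a username:", unknown)
    print("lines kept:", scrubbed.count("\n"))
```

On a real host the same pass has to cover rotated and compressed copies of the error log as well, not only the live file.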