-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 SUMMARY: Vulnerability identified and fixed in FAS. No effect on package content, the Fedora OS, or general users. The Fedora Infrastructure team identified a serious vulnerability in the Fedora Account System (FAS) web application. This flaw would allow a specifically formatted HTTP request to be authenticated as any requested user. The flaw was caused by a logic problem wherein the FAS web application would accept client certificates that were not intended to be supported. If the authenticated user had appropriate privileges, the attacker would then be able to add, edit, or remove user or group information. The flaw has been patched and verified fixed in the production FAS. Other users of FAS have been notified. The Infrastructure team is still investigating FAS logs for user and group changes, and other historical records that would be affected by exploiting this issue. However, at the time of this writing, the team has no reason to believe the flaw has been exploited. Specifically, the team is confident package content in the Fedora product is not affected by this flaw. For example, activities related to package content in dist-git generate notices to maintainers, and the discovered flaw would not allow an attacker to circumvent these or other safeguards. Also, this flaw is irrelevant to users of the Fedora operating system who do not use FAS. At this time, we are not requiring any remedial action from FAS account holders. If our investigation reveals any additional relevant information, we’ll provide an update to the community. This issue has been assigned as CVE-2016-1000038. - -- Paul W. Frields Fedora Engineering Manager -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iD8DBQFXqNwirNvJN70RNxcRAhfeAKDQlEPs25Dn+9gbd1lb8cLjs/yY5wCgmEVU 6039NSNcEkaFgJz4DG2Cy18= =fEZK -----END PGP SIGNATURE----- -- announce mailing list announce@xxxxxxxxxxxxxxxxxxxxxxx https://lists.fedoraproject.org/admin/lists/announce@xxxxxxxxxxxxxxxxxxxxxxx
