Thanks for the fix! This could have caused some serious issues, so glad we were able to address it ahead of time.

On Mon, Sep 13, 2021 at 5:06 AM Victor Stinner <vstinner@python.org> wrote:
Hi,

A bug has been identified and *fixed* in the OAuth-based
authentication code used on the Python bug tracker bugs.python.org
(BPO) to log in with GitHub, Launchpad or Google. Under some
conditions, it was possible to be logged as another person account. We
are only aware of a single user affected by the issue. We are not
aware of any account takeover.

All bugs at bugs.python.org are public: being logged as the wrong
account cannot give access to private bugs. The main risk is if an
attacker could be logged as an administrator (the "Coordinator" role)
which allows to change the bug tracker configuration and to change
accounts (add/remove roles, see/change the email address, etc.). We
are not aware of any abuse.

All OAuth accounts have been removed in the database to fully fix the
issue. Users using OAuth-based authentication must associate again
(once) their GitHub, Launchpad or Google account with their BPO
account.

A BPO account contains the following information: Name, Login Name,
GitHub Name, Organisation, Timezone, Homepage, Contributor Form
Received, Is Committer, E-mail address, Alternate E-mail addresses.
All fields but Name and Timezone are hidden to other accounts, only
coordinators can see all fields of other accounts. You can check in
the "Your Details" page for the your account change log.

Thanks Ammar Askar, Berker Peksa─č and Ee Durbin who fixed the bug!

Source code of bugs.python.org (Roundup fork):
https://github.com/psf/bpo-tracker-cpython

The OAuth-based authentication is an extension written for
bugs.python.org. The bug report and its fix:

* https://github.com/python/bugs.python.org/issues/64
* https://github.com/psf/bpo-tracker-cpython/commit/0a32e072aafca20c0bf51cf16fb6a7328cdd720a

Report issues with bugs.python.org:
https://github.com/python/bugs.python.org/issues

To report sensitive issues, write to: security@python.org

Victor
--
Night gathers, and now my watch begins. It shall not end until my death.
_______________________________________________
Python-Dev mailing list -- python-dev@python.org
To unsubscribe send an email to python-dev-leave@python.org
https://mail.python.org/mailman3/lists/python-dev.python.org/
Message archived at https://mail.python.org/archives/list/python-dev@python.org/message/CIXIB6EMN7HOPMXFJI7EBK7V7OPK4E7H/
Code of Conduct: http://python.org/psf/codeofconduct/