Thanks for the fix! This could have caused some serious issues, so glad we were able to address it ahead of time.

On Mon, Sep 13, 2021 at 5:06 AM Victor Stinner <> wrote:

A bug has been identified and *fixed* in the OAuth-based
authentication code used on the Python bug tracker
(BPO) to log in with GitHub, Launchpad or Google. Under some
conditions, it was possible to be logged in as another person's account. We
are only aware of a single user affected by the issue. We are not
aware of any account takeover.

All bugs at are public: being logged in as the wrong
account cannot give access to private bugs. The main risk is if an
attacker could be logged in as an administrator (the "Coordinator" role),
which allows changing the bug tracker configuration and changing
accounts (add/remove roles, see/change the email address, etc.). We
are not aware of any abuse.

All OAuth accounts have been removed from the database to fully fix the
issue. Users using OAuth-based authentication must associate again
(once) their GitHub, Launchpad or Google account with their BPO

A BPO account contains the following information: Name, Login Name,
GitHub Name, Organisation, Timezone, Homepage, Contributor Form
Received, Is Committer, E-mail address, Alternate E-mail addresses.
All fields but Name and Timezone are hidden from other accounts; only
coordinators can see all fields of other accounts. You can check
the "Your Details" page for your account change log.

Thanks Ammar Askar, Berker Peksağ and Ee Durbin who fixed the bug!

Source code of (Roundup fork):

The OAuth-based authentication is an extension written for The bug report and its fix:


Report issues with

To report sensitive issues, write to:

Night gathers, and now my watch begins. It shall not end until my death.
Python-Dev mailing list --