A bug has been identified and *fixed* in the OAuth-based
authentication code used on the Python bug tracker bugs.python.org
(BPO) to log in with GitHub, Launchpad or Google. Under some
conditions, it was possible to be logged in as another person's account. We
are only aware of a single user affected by the issue. We are not
aware of any account takeover.
All bugs at bugs.python.org are public: being logged in as the wrong
account cannot give access to private bugs. The main risk is if an
attacker could be logged in as an administrator (the "Coordinator" role),
which allows changing the bug tracker configuration and changing
accounts (add/remove roles, see/change the email address, etc.). We
are not aware of any abuse.
All OAuth accounts have been removed from the database to fully fix the
issue. Users using OAuth-based authentication must associate their
GitHub, Launchpad or Google account with their BPO account again (once).
A BPO account contains the following information: Name, Login Name,
GitHub Name, Organisation, Timezone, Homepage, Contributor Form
Received, Is Committer, E-mail address, Alternate E-mail addresses.
All fields but Name and Timezone are hidden from other accounts; only
coordinators can see all fields of other accounts. You can check the
"Your Details" page for your account's change log.
Thanks to Ammar Askar, Berker Peksağ and Ee Durbin, who fixed the bug!
Source code of bugs.python.org (Roundup fork):
The OAuth-based authentication is an extension written for
bugs.python.org. The bug report and its fix:
Report issues with bugs.python.org:
To report sensitive issues, write to: security(a)python.org
Night gathers, and now my watch begins. It shall not end until my death.