Hey all; a cross post from the announcement list at https://groups.google.com/forum/#!topic/rustlang-security-announcements/BK_3gbXhSn4

That link contains a signed version with our PGP key, as well.

The Rust team was recently notified of a security vulnerability affecting crates.io. It has since been resolved, and there is no indication that the bug has been exploited. For most users, no action need be taken at this time, though users who have renamed their GitHub accounts since publishing to crates.io are recommended to validate their published crates according to details below.

The vulnerability worked as follows: if a user with a crates.io login renamed their GitHub account then another GitHub user could claim the old username (on GitHub) and then log into the existing crates.io account. This would result in full access to publish or yank crates under that account.

The flaw was that crates.io tracked users by username, instead of by unique ID.

The issue has since been fixed by tracking GitHub users by unique ID rather than by username. This ID is persistent across renames and prevents new users on GitHub from logging into existing accounts on crates.io. Implementing this fix involved filling in all existing crates.io users' GitHub user IDs.

Though we have no indication that the bug has been exploited, due to the nature of the vulnerability we cannot know whether any users were compromised.

As a precaution, if you have logged into crates.io and subsequently renamed your GitHub account prior to Friday, August 12, 2016, we recommend that you log into crates.io and check that the set of crates under your account is what you expect. If somebody were to be affected by this vulnerability, the symptom they would see is that entire crates they had previously owned and published would no longer be owned by them, their account under the old name having been transferred to another user. Again, we have no indication this has happened, but if you believe you have been affected please report it to the Rust security email address.

Many thanks to Carol Nichols || Goulding (@carols10cents) for responsibly reporting this and helping us identify and test a fix! The timeline of events is as follows:
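To make the username-vs-ID distinction from the announcement concrete, here is an added Rust sketch (not crates.io's own code; the `Account`, `GithubIdentity` and crate names are constructed) that replays the scenario against a lookup keyed on the mutable GitHub login beside one keyed on the persistent numeric GitHub user ID:

```rust
/// What the GitHub OAuth callback tells the server about the logged-in user.
/// The numeric `id` never changes; the `login` can be renamed at any time.
#[derive(Clone, Debug, PartialEq)]
pub struct GithubIdentity { pub id: u64, pub login: String }

/// A crates.io-style account record (constructed, not the real schema).
#[derive(Clone, Debug, PartialEq)]
pub struct Account { pub gh_id: u64, pub gh_login: String, pub crates: Vec<String> }

/// Vulnerable lookup: matches the account by the mutable GitHub login.
pub fn find_by_login<'a>(accounts: &'a [Account], who: &GithubIdentity) -> Option<&'a Account> {
    accounts.iter().find(|a| a.gh_login == who.login)
}

/// Fixed lookup: matches the account by the persistent GitHub user ID.
pub fn find_by_id<'a>(accounts: &'a [Account], who: &GithubIdentity) -> Option<&'a Account> {
    accounts.iter().find(|a| a.gh_id == who.id)
}

fn crates_of(a: Option<&Account>) -> Option<Vec<String>> { a.map(|a| a.crates.clone()) }

/// Which crates each login attempt would control under each lookup rule.
#[derive(Debug, PartialEq)]
pub struct Outcome {
    pub owner_by_login: Option<Vec<String>>,
    pub owner_by_id: Option<Vec<String>>,
    pub claimant_by_login: Option<Vec<String>>,
    pub claimant_by_id: Option<Vec<String>>,
}

/// Replays the advisory's scenario with constructed data: "alice" publishes a
/// crate, renames her GitHub account, and a different GitHub user then
/// registers the freed-up login "alice".
pub fn replay() -> Outcome {
    let accounts = vec![Account {
        gh_id: 1001, gh_login: "alice".to_string(), crates: vec!["example-crate".to_string()],
    }];
    // Same GitHub user after the rename: ID unchanged, login changed.
    let owner = GithubIdentity { id: 1001, login: "alice-renamed".to_string() };
    // A different GitHub user who claimed the old login.
    let claimant = GithubIdentity { id: 2002, login: "alice".to_string() };
    Outcome {
        owner_by_login: crates_of(find_by_login(&accounts, &owner)),
        owner_by_id: crates_of(find_by_id(&accounts, &owner)),
        claimant_by_login: crates_of(find_by_login(&accounts, &claimant)),
        claimant_by_id: crates_of(find_by_id(&accounts, &claimant)),
    }
}

fn main() { println!("{:#?}", replay()); }
```

Under the login-keyed lookup the claimant inherits the owner's crates while the real owner is locked out; under the ID-keyed lookup the claimant gets nothing and the owner keeps her account, which is why backfilling IDs for existing accounts was part of the fix.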