On 04/09/2014 08:06 PM, Joseph wrote:
> Is Gentoo affected by this new 'Heartbleed' bug?
>
> "The Heartbleed Bug is a serious vulnerability in the popular OpenSSL
> cryptographic software library...."
>
> http://heartbleed.com/
>

Yes, upgrade your OpenSSL to the latest stable version, and if 1.0.1g
isn't stable on your arch (it should be unless it's a weird one), unset
USE=tls-heartbeat like Ralf said.

But that's not your big problem. If you operate any servers, the private
keys to any OpenSSL-backed service may have been compromised. So the old
certificates all need to be revoked and new ones issued. That includes
Apache, OpenVPN, Postfix, Dovecot -- all the big ones. Even if you don't
run servers, other people do, and they were probably vulnerable. So any
passwords you've used on the web in the past two years should be changed.
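
A quick way to triage a host against the advice above, added here as an example and not part of the original message: the function classifies the text printed by `openssl version -a`. It assumes unpatched upstream version strings (no distribution backports) and that a build with heartbeats disabled shows `-DOPENSSL_NO_HEARTBEATS` on the compiler line; the function name and the sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Usage on a live host: heartbleed_status "$(openssl version -a)"
# Prints one of: vulnerable, heartbeat-disabled, not-affected, unknown

heartbleed_status() {
    info=$1
    # First line looks like "OpenSSL 1.0.1f 6 Jan 2014"; take the version token.
    ver=$(printf '%s\n' "$info" | sed -n '1s/^OpenSSL \([^ ]*\).*/\1/p')
    [ -n "$ver" ] || { echo unknown; return; }

    case $ver in
        1.0.1|1.0.1[a-f]|1.0.2-beta1) ;;   # releases shipping the heartbeat bug
        *) echo not-affected; return ;;     # 1.0.1g and later, 1.0.0, 0.9.8
    esac

    # Assumption: a build without heartbeat support (e.g. USE=-tls-heartbeat)
    # exposes the define in the "compiler:" line of `openssl version -a`.
    case $info in
        *-DOPENSSL_NO_HEARTBEATS*) echo heartbeat-disabled ;;
        *) echo vulnerable ;;
    esac
}

# Constructed sample outputs, not captured from real hosts.
SAMPLE_OLD='OpenSSL 1.0.1f 6 Jan 2014
compiler: gcc -fPIC -DOPENSSL_PIC -O2'
SAMPLE_NOHB='OpenSSL 1.0.1f 6 Jan 2014
compiler: gcc -fPIC -DOPENSSL_PIC -DOPENSSL_NO_HEARTBEATS -O2'
SAMPLE_FIXED='OpenSSL 1.0.1g 7 Apr 2014
compiler: gcc -fPIC -DOPENSSL_PIC -O2'

for sample in "$SAMPLE_OLD" "$SAMPLE_NOHB" "$SAMPLE_FIXED"; do
    heartbleed_status "$sample"
done
```

A `not-affected` result only describes the library now installed: services must be restarted to pick it up, and keys that were served by an affected build still need the revoke-and-reissue step described above.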