| 1 |
web version: https://infra-status.gentoo.org/notice/20140413-heartbleed |
| 2 |
|
| 3 |
|
| 4 |
Dear Users & Developers of Gentoo, |
| 5 |
|
| 6 |
Recent versions of OpenSSL were found to be affected by an information |
| 7 |
disclosure vulnerability related to TLS heartbeats, nicknamed |
| 8 |
'Heartbleed' [1]. |
| 9 |
It allows attackers to read up to 64kb of random server memory, possibly |
| 10 |
including passwords, session IDs or even private keys. |
| 11 |
|
| 12 |
Gentoo users should consult the related GLSA [2] for more information on |
| 13 |
how to address the issue on their machines. |
| 14 |
|
| 15 |
After the public disclosure on April 7, we have confirmed that several |
| 16 |
services provided by Gentoo Infrastructure were vulnerable as well. |
| 17 |
We have immediately updated the affected software, recreated private |
| 18 |
keys, reissued certificates, and invalidated all running user sessions. |
| 19 |
Despite these measures, we cannot exclude the possibility of attackers |
| 20 |
exploiting the issue during the time it was not publicly known to gain |
| 21 |
access to credentials or session IDs of our users. |
| 22 |
|
| 23 |
There are currently no indications this has happened. |
| 24 |
|
| 25 |
However, to be safe, we are asking you to reset your passwords used for |
| 26 |
Gentoo services within the next 7 days. |
| 27 |
|
| 28 |
Users & developers: |
| 29 |
------------------- |
| 30 |
You need to take action if you have an account on one or more of these |
| 31 |
sites: |
| 32 |
|
| 33 |
* blogs.gentoo.org |
| 34 |
* bugs.gentoo.org |
| 35 |
* forums.gentoo.org |
| 36 |
* wiki.gentoo.org |
| 37 |
|
| 38 |
Log in using your current credentials and use the reset password |
| 39 |
functionality: |
| 40 |
|
| 41 |
* blogs.gentoo.org: |
| 42 |
https://blogs.gentoo.org/wp-admin/profile.php |
| 43 |
* bugs.gentoo.org: |
| 44 |
https://bugs.gentoo.org/userprefs.cgi?tab=account |
| 45 |
* forums.gentoo.org: |
| 46 |
https://forums.gentoo.org/profile.php?mode=editprofile |
| 47 |
* wiki.gentoo.org: |
| 48 |
https://wiki.gentoo.org/index.php?title=Special:ChangePassword |
| 49 |
|
| 50 |
Developers: |
| 51 |
----------- |
| 52 |
You need to change your LDAP password (used for `perl_ldap' and the |
| 53 |
SMTP/IMAP/POP services [3]). |
| 54 |
To do that, log in to dev.gentoo.org via ssh and invoke `passwd'. |
| 55 |
|
| 56 |
Important: |
| 57 |
---------- |
| 58 |
If you don't update your credentials until April 19, 23:59 UTC, we will |
| 59 |
be removing your current password to avoid abuse. |
| 60 |
For our web services, you will then need to request a reset via email. |
| 61 |
We can not recover your account in case your email address on file is |
| 62 |
not current. |
| 63 |
For LDAP accounts, developers will need to be in possession of their SSH |
| 64 |
or GPG keys and contact infra for a normal password reset. |
| 65 |
|
| 66 |
Further help: |
| 67 |
------------- |
| 68 |
Contact infra-heartbleed@g.o for assistance or further information. |
| 69 |
|
| 70 |
|
| 71 |
Thanks, |
| 72 |
robbat2, a3li and the rest of the Infrastructure team |
| 73 |
|
| 74 |
|
| 75 |
References: |
| 76 |
----------- |
| 77 |
[1] Heartbleed: http://heartbleed.com |
| 78 |
[2] GLSA 201404-07: |
| 79 |
http://www.gentoo.org/security/en/glsa/glsa-201404-07.xml |
| 80 |
[3] New mail SSL certificates: |
| 81 |
https://wiki.gentoo.org/wiki/Project:Infrastructure/Developer_E-Mail |
Archives