web version: https://infra-status.gentoo.org/notice/20140413-heartbleed

Dear Users & Developers of Gentoo,

Recent versions of OpenSSL were found to be affected by an information
disclosure vulnerability related to TLS heartbeats, nicknamed
'Heartbleed' [1].
It allows attackers to read up to 64kb of random server memory, possibly
including passwords, session IDs or even private keys.

Gentoo users should consult the related GLSA [2] for more information on
how to address the issue on their machines.
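
The notice only says "recent versions" and defers to the GLSA for the affected
package range. As an added example (my own, not part of the original notice and
not Gentoo Infrastructure's tooling), the script below parses an OpenSSL version
banner of the form "OpenSSL 1.0.1f 14 Jan 2014", reports whether that upstream
release shipped the bug, and applies the same check to the OpenSSL the running
Python interpreter is linked against. It assumes the upstream affected range
(1.0.1 through 1.0.1f and 1.0.2-beta1; fixed in 1.0.1g; 0.9.8 and 1.0.0 never
had the heartbeat code). The sample banners are constructed inputs.

```python
import re
import ssl

# Upstream releases that carried the Heartbleed bug (CVE-2014-0160):
# OpenSSL 1.0.1 through 1.0.1f, and 1.0.2-beta1. 1.0.1g fixed it; the
# 0.9.8 and 1.0.0 branches never contained the TLS heartbeat code.
# Banner shapes handled: "OpenSSL 1.0.1f 14 Jan 2014",
# "OpenSSL 1.0.2-beta1 24 Feb 2014", "OpenSSL 1.0.1e-fips 11 Feb 2013".
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")


def parse_openssl_version(banner):
    """Return (major, minor, fix, letter, beta) parsed from an OpenSSL banner.

    letter is "" for an unlettered release such as plain 1.0.1; beta is an
    int for pre-releases and None otherwise. Raises ValueError for banners
    that are not OpenSSL at all (for example LibreSSL).
    """
    m = VERSION_RE.search(banner)
    if not m:
        raise ValueError("not an OpenSSL version string: %r" % banner)
    major, minor, fix = int(m.group(1)), int(m.group(2)), int(m.group(3))
    letter = m.group(4)
    beta = int(m.group(5)) if m.group(5) else None
    return major, minor, fix, letter, beta


def is_heartbleed_affected(banner):
    """True if the upstream release named in the banner shipped the bug.

    Caveat: distributions that backport fixes keep the old version letter
    (e.g. a patched 1.0.1e), so True means "check the vendor advisory",
    not "definitely vulnerable". For Gentoo that advisory is the GLSA.
    """
    major, minor, fix, letter, beta = parse_openssl_version(banner)
    if (major, minor, fix) == (1, 0, 1):
        # Patch letters sort alphabetically: "" (plain 1.0.1) and "a".."f"
        # are affected, "g" and later are fixed.
        return letter < "g"
    if (major, minor, fix) == (1, 0, 2):
        # Only the first 1.0.2 beta shipped the bug.
        return beta == 1
    return False


def classify(banners):
    """Map each banner to True/False, or None when it is not OpenSSL."""
    result = {}
    for banner in banners:
        try:
            result[banner] = is_heartbleed_affected(banner)
        except ValueError:
            result[banner] = None
    return result


def local_python_openssl_status():
    """Banner and verdict for the OpenSSL the running interpreter links to."""
    banner = ssl.OPENSSL_VERSION
    return banner, classify([banner])[banner]


# Constructed sample banners covering the boundaries of the affected range.
SAMPLE_BANNERS = [
    "OpenSSL 1.0.1 14 Mar 2012",
    "OpenSSL 1.0.1e-fips 11 Feb 2013",
    "OpenSSL 1.0.1f 14 Jan 2014",
    "OpenSSL 1.0.1g 7 Apr 2014",
    "OpenSSL 1.0.2-beta1 24 Feb 2014",
    "OpenSSL 1.0.0l 6 Jan 2014",
    "OpenSSL 0.9.8y 5 Feb 2013",
    "LibreSSL 2.8.3",
]

if __name__ == "__main__":
    for banner, verdict in classify(SAMPLE_BANNERS).items():
        print("%-36s %s" % (banner, {True: "AFFECTED (verify with vendor)",
                                     False: "not affected",
                                     None: "not OpenSSL"}[verdict]))
    print("local interpreter: %s -> %s" % local_python_openssl_status())
```

Run it as-is to see the sample table, or feed it the output of `openssl version`
from the host being checked; a True result on a distribution package is the cue
to look up that package in the vendor advisory rather than a final verdict.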

After the public disclosure on April 7, we have confirmed that several
services provided by Gentoo Infrastructure were vulnerable as well.
We have immediately updated the affected software, recreated private
keys, reissued certificates, and invalidated all running user sessions.
Despite these measures, we cannot exclude the possibility that attackers
exploited the issue during the time it was not publicly known to gain
access to credentials or session IDs of our users.

There are currently no indications that this has happened.

However, to be safe, we are asking you to reset the passwords you use for
Gentoo services within the next 7 days.

Users & developers:
-------------------
You need to take action if you have an account on one or more of these
sites:

* blogs.gentoo.org
* bugs.gentoo.org
* forums.gentoo.org
* wiki.gentoo.org

Log in using your current credentials and use the password reset
functionality:

* blogs.gentoo.org:
  https://blogs.gentoo.org/wp-admin/profile.php
* bugs.gentoo.org:
  https://bugs.gentoo.org/userprefs.cgi?tab=account
* forums.gentoo.org:
  https://forums.gentoo.org/profile.php?mode=editprofile
* wiki.gentoo.org:
  https://wiki.gentoo.org/index.php?title=Special:ChangePassword

Developers:
-----------
You need to change your LDAP password (used for `perl_ldap' and the
SMTP/IMAP/POP services [3]).
To do that, log in to dev.gentoo.org via ssh and invoke `passwd'.

Important:
----------
If you have not updated your credentials by April 19, 23:59 UTC, we will
remove your current password to prevent abuse.
For our web services, you will then need to request a reset via email.
We cannot recover your account if the email address on file is
not current.
For LDAP accounts, developers will need to be in possession of their SSH
or GPG keys and contact infra for a normal password reset.

Further help:
-------------
Contact infra-heartbleed@g.o for assistance or further information.


Thanks,
robbat2, a3li and the rest of the Infrastructure team


References:
-----------
[1] Heartbleed: http://heartbleed.com
[2] GLSA 201404-07:
    http://www.gentoo.org/security/en/glsa/glsa-201404-07.xml
[3] New mail SSL certificates:
    https://wiki.gentoo.org/wiki/Project:Infrastructure/Developer_E-Mail