Earlier this week there was an important vulnerability discovered in
openssl. Please see previous announcements on this list for how to
update and secure your Fedora installs.
The vulnerability was announced late Monday afternoon, and by Monday
evening fixed packages were available. Fedora Infrastructure folks
spent much of Monday night and Tuesday morning updating and rebooting
servers. Then, Tuesday, the last bunch of internal servers were also
updated. Our critical internet facing openssl using servers were
patched Monday evening as soon as the fixed package was available.
We have a number of security measures always in place, none of which
have indicated any compromise of user or system data. Additionally,
access to Fedora Infrastructure systems is by ssh key only (which is
not vulnerable to this attack) and 2 factor authentication is required
for any privileged access.
Fedora account system account holders are welcome to change their
passwords at any time (and this is a fine time while you are thinking
about it), but we will not be forcing all users to change their
passwords at this time.
We will also not be re-issuing our existing ssl certificates, we will
be replacing them as they expire. There is little proof that private
ssl keys can be compromised with this vulnerability and additionally
almost no browsers check revocation lists, so reissuing would do
Fedora account system account holders are encouraged to notify
admin(a)fedoraproject.org if they see any out of the ordinary activity on
their accounts (changes to Fedora accounts generate email to the
account holder). If you see a change you didn't initiate, please let us
I'd like to thank all the many Fedora Community members that helped us
produce and distribute updates and apply them to Fedora Infrastructure.
Vote on the proposals for talks you'd like to see at Flock:
Votes are not the only criterion for selection, but they're the most
important, so your opinion matters! Voting will be up for three weeks.
Thanks to lmacken, pingou, nirik, toshio, and threebean for getting this up
in the new, re-written voting app!
Hello again, Fedora community.
This is an update on Fedora's response to CVE-2014-0160 (aka
"Heartbleed"). This is a critical security vulnerability that requires
your immediate attention.
Updates are now available, and are being pushed to our mirror network.
The update announcements for Fedora 19 and Fedora 20 are available at:
Fedora 19: https://lists.fedoraproject.org/pipermail/package-announce/2014-April/131...
Fedora 20: https://lists.fedoraproject.org/pipermail/package-announce/2014-April/131...
Apply updates with
sudo yum upgrade openssl openssl-libs
or with your graphical package manager.
After applying the update, please make sure to restart all services
which use OpenSSL. You may find it easiest to simply restart your
system. However, if you prefer, you may restart any affected services
manually. You can get an overview of programs that need to be restarted
by using the command line tool `needs-restarting`.
(This is included in the `yum-utils` package.) Restart all listed
programs until the output of needs-restarting is empty.
The Fedora Cloud images linked at
https://fedoraproject.org/en/get-fedora#cloud have been recreated with
the updated packages preinstalled.
Fixes have been applied to servers used in Fedora infrastructure and we
are investigating any further remediation which may be necessary.
Special thanks to Robert Mayr, Kévin Raymond, Dennis Gilmore, Matt
Miller, Paul Frields, Major Hayden, Kurt Seifried, Kevin Fenzi,
William Brown, Nick Bebout, Adam Williamson, Joachim Backes, Pádraig
Brady, Lokesh Mandvekar, David Strauss, Joop Braak, Michael
Cronenworth, Till Maas, Luke Macken, and others for effort in making
these updates available quickly.
- Robyn Bergeron
Greetings, Fedora community:
We're aware of the recently disclosed CVE-2014-0160 (aka
The issue affects the currently supported Fedora 19 and Fedora 20
releases. Updates for openssl packages are available now, and
mirrors near you will receive them shortly. If you do not want to
wait for your local mirror to get updates, you can retrieve and
install packages directly:
For Fedora 19 x86_64:
yum -y install koji
koji download-build --arch=x86_64 openssl-1.0.1e-37.fc19.1
yum localinstall openssl-1.0.1e-37.fc19.1.x86_64.rpm
For Fedora 20 x86_64:
yum -y install koji
koji download-build --arch=x86_64 openssl-1.0.1e-37.fc20.1
yum localinstall openssl-1.0.1e-37.fc20.1.x86_64.rpm
Substitute i686 for 32-bit systems, or armv7hl for ARM systems (F20
Package updates for mingw-openssl will receive fixes shortly and
we'll update the community when they are available. Note that
Fedora 18, which is no longer supported by the Fedora community, is
also affected by this issue. Fedora 17 and previous releases, also no
longer supported, are not affected by this issue.
Fedora Release Engineering is currently regenerating AMIs and
qcow2/kvm images to include the fix.
The Fedora Infrastructure team is working to assess any additional
impact, and will update the community as we develop more information.
Thanks for your patience as we work on this issue.
ACKNOWLEDGMENTS: Special thanks to Dennis Gilmore for quickly providing
package updates, and Major Hayden for providing the manual update
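As an added example (not code from any of these announcements), the following POSIX shell script performs the two checks the posts describe: whether an installed openssl package string is at or above the fixed builds named above (openssl-1.0.1e-37.fc19.1 and openssl-1.0.1e-37.fc20.1), and which running programs a `needs-restarting` report lists. The package strings and the needs-restarting lines are constructed inline so it runs offline; on a real host you would feed it the output of `rpm -q openssl` and `needs-restarting`. The "PID : command line" output format assumed for needs-restarting and the function names are my assumptions, not from the page.

```shell
#!/bin/sh
# Added example, not from the Fedora announcements. Checks an openssl NVRA
# string against the fixed builds the announcement names and summarises a
# needs-restarting report. All inputs below are constructed.

# openssl_is_fixed NVRA   (NVRA as printed by `rpm -q openssl`, arch included)
#   returns 0 = at or above the fixed build (37.fcNN.1),
#           1 = an older 1.0.1e build (still vulnerable),
#           2 = not a 1.0.1e build this check knows how to judge.
openssl_is_fixed() {
    nvra=$1
    vr=${nvra#openssl-}            # drop the package name
    vr=${vr%.*}                    # drop the trailing ".<arch>"
    version=${vr%%-*}              # e.g. 1.0.1e
    release=${vr#*-}               # e.g. 37.fc20.1 or 36.fc20
    [ "$version" = "1.0.1e" ] || return 2
    rel_num=${release%%.*}         # 37
    rest=${release#*.}             # fc20.1 or fc20
    case "$rest" in
        *.*) sub=${rest#*.} ;;     # the ".1" that marks the fixed rebuild
        *)   sub=0 ;;
    esac
    # refuse to compare anything that is not purely numeric
    case "$rel_num$sub" in *[!0-9]*) return 2 ;; esac
    if [ "$rel_num" -gt 37 ]; then return 0; fi
    if [ "$rel_num" -eq 37 ] && [ "$sub" -ge 1 ]; then return 0; fi
    return 1
}

# needs_restart_summary
#   Reads "PID : command line" lines (assumed needs-restarting format) on
#   stdin and prints the distinct executable basenames, sorted, one per line.
needs_restart_summary() {
    while IFS= read -r line; do
        cmd=${line#* : }           # strip "PID : "
        exe=${cmd%% *}             # first word is the executable path
        printf '%s\n' "${exe##*/}"
    done | sort -u
}

# Demonstration on constructed values (not real hosts).
for pkg in openssl-1.0.1e-37.fc20.1.x86_64 openssl-1.0.1e-36.fc20.x86_64; do
    rc=0
    openssl_is_fixed "$pkg" || rc=$?
    case $rc in
        0) echo "$pkg: fixed build" ;;
        1) echo "$pkg: OLDER than the fixed build, update openssl" ;;
        *) echo "$pkg: not a 1.0.1e build, check manually" ;;
    esac
done

# Constructed needs-restarting output; real output comes from `needs-restarting`.
printf '%s\n' \
    '1234 : /usr/sbin/httpd -DFOREGROUND' \
    '1300 : /usr/sbin/httpd -DFOREGROUND' \
    '900 : /usr/sbin/sshd -D' | needs_restart_summary
```

Programs listed by the summary are the ones still holding the old libssl in memory; restart each (or reboot, as the announcement suggests) and re-run until the list is empty.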