I want to pass along some additional information about this
vulnerability and how it affects Fedora Infrastructure.
Shortly after sending the announcement, it was confirmed that private
keys from SSL certs CAN be acquired by this vulnerability. Accordingly,
we WILL be reissuing all our SSL certificates. We have started this
process today, and will send another email when all of them are
If you have not yet changed your Fedora Account system password you may
wish to wait until we have finished replacing all SSL certificates.
Additionally, it was pointed out that Firefox does now use OCSP (Online
Certificate Status Protocol) by default. It should note revoked
certificates as long as it's able to reach the OSCP provider for that
Certificate Authority (if it cannot, it will assume the certificate is
Thanks for your patience as we work to keep Fedora resources secure.