Fedora Infrastructure information on Openssl vulnerability (CVE-2014-0160/heartbleed)

Kevin Fenzi kevin at scrye.com
Fri Apr 11 20:15:08 UTC 2014


Earlier this week there was an important vulnerability discovered in
openssl. Please see previous announcements on this list for how to
update and secure your Fedora installs.

The vulnerability was announced late Monday afternoon, and by Monday
evening fixed packages were available. Fedora Infrastructure folks
spent much of Monday night and Tuesday morning updating and rebooting
servers. Then, Tuesday, the last bunch of internal servers were also
updated. Our critical internet-facing openssl-using servers were
patched Monday evening as soon as the fixed package was available.

We have a number of security measures always in place, none of which
have indicated any compromise of user or system data. Additionally,
access to Fedora Infrastructure systems is by ssh key only (which is
not vulnerable to this attack) and 2-factor authentication is required
for any privileged access.

Fedora account system account holders are welcome to change their
passwords at any time (and this is a fine time while you are thinking
about it), but we will not be forcing all users to change their
passwords at this time.

We will also not be re-issuing our existing ssl certificates; we will
be replacing them as they expire. There is little proof that private
ssl keys can be compromised with this vulnerability, and additionally
almost no browsers check revocation lists, so reissuing would do
little good.

Fedora account system account holders are encouraged to notify
admin at fedoraproject.org if they see any out of the ordinary activity on
their accounts (changes to Fedora accounts generate email to the
account holder). If you see a change you didn't initiate, please let us
know. 

I'd like to thank all the many Fedora Community members that helped us
produce and distribute updates and apply them to Fedora Infrastructure. 

Fedora Infrastructure. 