Followup on Fedora Infrastructure information on Openssl vulnerability (CVE-2014-0160/heartbleed)

Kevin Fenzi kevin at scrye.com
Sat Apr 12 21:12:12 UTC 2014


Greetings. 

I want to pass along some additional information about this
vulnerability and how it affects Fedora Infrastructure. 

Shortly after sending the announcement, it was confirmed that private
keys from SSL certs CAN be acquired by this vulnerability. Accordingly,
we WILL be reissuing all our SSL certificates. We have started this
process today, and will send another email when all of them are
reissued. 

If you have not yet changed your Fedora Account system password you may
wish to wait until we have finished replacing all SSL certificates. 

Additionally, it was pointed out that Firefox does now use OCSP (Online
Certificate Status Protocol) by default. It should note revoked
certificates as long as it's able to reach the OCSP provider for that
Certificate Authority (if it cannot, it will assume the certificate is
valid). 

Thanks for your patience as we work to keep Fedora resources secure. 

kevin
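The point above about Firefox treating an unreachable OCSP responder as "valid" is the soft-fail caveat. As an added example that is not part of Kevin's mail or of Fedora Infrastructure's tooling, the Python below (assuming the third-party `cryptography` package) builds a constructed demo CA, leaf certificate and OCSP responses, and implements a hard-fail revocation check that returns "unknown" rather than accepting the certificate whenever the responder cannot be reached or the response does not verify.

```python
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID

NOW = datetime.datetime(2014, 4, 12)  # constructed demo timestamp (naive UTC)

def _cert(subject, issuer, issuer_key, key, ca):
    """Minimal constructed certificate; not a real Fedora certificate."""
    name = lambda cn: x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    return (x509.CertificateBuilder().subject_name(name(subject)).issuer_name(name(issuer))
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(NOW).not_valid_after(NOW + datetime.timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True)
            .sign(issuer_key, hashes.SHA256()))

CA_KEY = ec.generate_private_key(ec.SECP256R1())
CA = _cert("Demo CA", "Demo CA", CA_KEY, CA_KEY, ca=True)
LEAF = _cert("www.example.test", "Demo CA", CA_KEY, ec.generate_private_key(ec.SECP256R1()), ca=False)

def ocsp_response(revoked=False):
    """Constructed responder answer for LEAF, signed directly by the CA key."""
    status = ocsp.OCSPCertStatus.REVOKED if revoked else ocsp.OCSPCertStatus.GOOD
    resp = (ocsp.OCSPResponseBuilder()
            .add_response(cert=LEAF, issuer=CA, algorithm=hashes.SHA1(), cert_status=status,
                          this_update=NOW, next_update=NOW + datetime.timedelta(days=1),
                          revocation_time=NOW if revoked else None, revocation_reason=None)
            .responder_id(ocsp.OCSPResponderEncoding.NAME, CA)
            .sign(CA_KEY, hashes.SHA256()))
    return resp.public_bytes(serialization.Encoding.DER)

def revocation_status(fetch):
    """Hard-fail check: fetch() returns DER OCSP bytes or raises OSError when the
    responder is unreachable. Returns "good", "revoked" or "unknown"; accept only "good"."""
    try:
        der = fetch()
    except OSError:
        return "unknown"  # unreachable responder: do not assume the cert is valid
    resp = ocsp.load_der_ocsp_response(der)
    if (resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL
            or resp.serial_number != LEAF.serial_number):
        return "unknown"
    try:  # signature must verify under the issuer key (delegated responders not handled)
        CA.public_key().verify(resp.signature, resp.tbs_response_bytes,
                               ec.ECDSA(resp.signature_hash_algorithm))
    except InvalidSignature:
        return "unknown"
    return {ocsp.OCSPCertStatus.GOOD: "good",
            ocsp.OCSPCertStatus.REVOKED: "revoked"}.get(resp.certificate_status, "unknown")
```

In a real client, `fetch` would POST an OCSP request to the responder URL from the certificate's Authority Information Access extension; here it is injected so the three outcomes (good, revoked, responder down) can be exercised offline.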

