Gentoo Forums
Heartbleed fallout: Action required: Password reset on all Gentoo services
jmbsvicetto
Moderator
Joined: 27 Apr 2005
Posts: 4734
Location: Angra do Heroísmo (PT)

Posted: Sun Apr 13, 2014 4:02 pm    Post subject: Heartbleed fallout: Action required: Password reset on all G

Recent versions of OpenSSL were found to be affected by an information disclosure vulnerability related to TLS heartbeats, nicknamed Heartbleed. It allows attackers to read up to 64kb of random server memory, possibly including passwords, session IDs or even private keys.

Gentoo users should consult the related GLSA for more information on how to address the issue on their machines.

After the public disclosure on April 7, we have confirmed that several services provided by Gentoo Infrastructure were vulnerable as well. We have immediately updated the affected software, recreated private keys, reissued certificates, and invalidated all running user sessions. Despite these measures, we cannot exclude the possibility of attackers exploiting the issue during the time it was not publicly known to gain access to credentials or session IDs of our users. There are currently no indications this has happened.

However, to be safe, we are asking you to reset your passwords used for Gentoo services within the next 7 days.

Users & developers:

You need to take action if you have an account on one or more of these sites:

  • blogs.gentoo.org
  • bugs.gentoo.org
  • forums.gentoo.org
  • wiki.gentoo.org

Log in using your current credentials and use the reset password functionality:

Developers:

You need to change your LDAP password (used for perl_ldap and the SMTP/IMAP/POP services). To do that, log in to dev.gentoo.org via ssh and invoke passwd.

Important:

If you don't update your credentials by April 19, 23:59 UTC, we will be removing your current password to avoid abuse.
For our web services, you will then need to request a reset via email. We cannot recover your account in case your email address on file is not current.
For LDAP accounts, developers will need to be in possession of their SSH or GPG keys and contact infra for a normal password reset.

Further help:

Contact infra-heartbleed@gentoo.org for assistance or further information.

For the Infra team
_________________
Jorge.

Your twisted, but hopefully friendly daemon.
AMD64 / x86 / Sparc Gentoo
Help answer || emwrap.sh