Opened 6 years ago

Closed 6 years ago

#10742 closed bug (fixed)

Websites vulnerable to heartbleed

Reported by: Coldfirex Owned by: umccullough
Priority: blocker Milestone:
Component: Website Version:
Keywords: Cc:
Blocked By: Blocking:
Has a Patch: no Platform: All

Description

FYI, I noticed that dev.haiku-os.org and haiku-os.org are both vulnerable to the HeartBleed vulnerability. It can be tested with: http://filippo.io/Heartbleed/

More info on openssl vulnerability: http://heartbleed.com/

Change History (7)

comment:1 by umccullough, 6 years ago

Owner: changed from haiku-web to zooey
Status: new → assigned

I see that SUSE has already provided a patched openssl that we need to update to.

Assigning to Oliver to take care of if possible - barring that, I can run the updates tonight.

comment:2 by umccullough, 6 years ago

Owner: changed from zooey to umccullough
Status: assigned → in-progress

Working on it now.

comment:3 by umccullough, 6 years ago

Resolution: fixed
Status: in-progress → closed

Updated vmweb, vmdev, vmrepo, and baron - you can verify with:

haiku-os.org
dev.haiku-os.org
cgit.haiku-os.org
baron.haiku-os.org

comment:4 by axeld, 6 years ago

Resolution: fixed
Status: closed → reopened

Thanks Urias, but I'm afraid that's only half of the story. We also need to update our certificates, as they may have been compromised.

comment:5 by umccullough, 6 years ago

Owner: changed from umccullough to haiku-web
Status: reopened → assigned

I'm not sure who will need to contact our CA and get the cert reissued, so I'm assigning back to haiku-web for now.

comment:6 by umccullough, 6 years ago

Owner: changed from haiku-web to umccullough

Ok, we've made some progress on this.

Today we generated a new private key, and obtained a new wildcard cert for *.haiku-os.org from GlobalSign.

Oliver has applied this new cert to all of our servers - so let me know if you still find any referencing the old StartCom cert (which is due to expire soon anyway).

Next steps are to get the old certificate revoked, and then notify everyone publicly that they *should* change their passwords for good measure.
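A defender-side check for the certificate rollover described in this comment, added here as an example and not code from the Haiku ticket or project: it fetches a host's served certificate with Python's standard ssl module and flags one that predates the re-key date, still comes from the old CA, or carries a revoked serial number. The re-key date, the old issuer name, the serial numbers and the two sample certificates are constructed for illustration and are not the real Haiku values.

```python
"""Verify that a host no longer serves a certificate issued before a
key compromise was remediated (e.g. after Heartbleed).

Added example, not part of the Haiku ticket. Dates, issuer names,
serials and sample certificates below are constructed assumptions.
"""
import socket
import ssl
from datetime import datetime, timezone

# Assumptions for this example: when the new private key was generated,
# which CA issued the old certificate, and which serials were revoked.
REKEY_AFTER = datetime(2014, 4, 8, tzinfo=timezone.utc)
OLD_ISSUER_ORGS = {"StartCom Ltd."}
OLD_SERIALS = {"0123ABCD"}  # placeholder serial(s) of the revoked cert


def fetch_peer_cert(host, port=443, timeout=10):
    """Fetch the dict that ssl.SSLSocket.getpeercert() returns for host.

    Network access is needed; not called by the offline checks below.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def issuer_org(cert):
    """Return the organizationName of the issuer, or None if absent."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return None


def check_rotated(cert, rekey_after=REKEY_AFTER):
    """Return a list of problems; an empty list means the cert was rotated."""
    problems = []
    # getpeercert() dates look like 'Apr  9 00:00:00 2014 GMT';
    # ssl.cert_time_to_seconds parses exactly that format as UTC.
    not_before = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notBefore"]), tz=timezone.utc)
    if not_before < rekey_after:
        problems.append(f"issued {not_before:%Y-%m-%d}, before the re-key date")
    org = issuer_org(cert)
    if org in OLD_ISSUER_ORGS:
        problems.append(f"still issued by the old CA ({org})")
    if cert.get("serialNumber") in OLD_SERIALS:
        problems.append("serial number matches a revoked certificate")
    return problems


def check_hosts(hosts, fetch=fetch_peer_cert):
    """Map each host to its list of problems; fetch is injectable for tests."""
    return {host: check_rotated(fetch(host)) for host in hosts}


# Constructed sample certificates in getpeercert() format (not real certs).
OLD_CERT = {
    "subject": ((("commonName", "*.example.org"),),),
    "issuer": ((("organizationName", "StartCom Ltd."),),),
    "notBefore": "Jan  5 00:00:00 2013 GMT",
    "notAfter": "Jan  5 23:59:59 2015 GMT",
    "serialNumber": "0123ABCD",
}
NEW_CERT = {
    "subject": ((("commonName", "*.example.org"),),),
    "issuer": ((("organizationName", "GlobalSign nv-sa"),),),
    "notBefore": "Apr 10 00:00:00 2014 GMT",
    "notAfter": "Apr 10 23:59:59 2016 GMT",
    "serialNumber": "0456EF01",
}

if __name__ == "__main__":
    # Offline demonstration against the constructed samples.
    for name, cert in (("old", OLD_CERT), ("new", NEW_CERT)):
        print(name, check_rotated(cert) or "OK")
```

To run it against real servers, pass a list of host names to check_hosts with the default fetch function; the revocation of the old certificate itself still has to be confirmed with the CA's CRL or OCSP responder, which this check does not query.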

comment:7 by umccullough, 6 years ago

Resolution: fixed
Status: assigned → closed

Old certificate should be successfully revoked now, closing this ticket (as I posted a news article as well).
