Websites vulnerable to heartbleed

[Coldfirex]

FYI, I noticed that dev.haiku-os.org and haiku-os.org are both vulnerable to the HeartBleed vulnerability. It can be tested with: ​http://filippo.io/Heartbleed/

More info on openssl vulnerability: ​http://heartbleed.com/

[umccullough]

I see that SUSE has already provided a patched openssl that we need to update to.

Assigning to Oliver to take care of if possible - barring that, I can run the updates tonight.

[umccullough]

Working on it now.

[umccullough]

Updated vmweb, vmdev, vmrepo, and baron - you can verify with:

haiku-os.org dev.haiku-os.org cgit.haiku-os.org baron.haiku-os.org

[axeld]

Thanks Urias, but I'm afraid that's only half of the story. We also need to update our certificates, as they may have been compromised.

[umccullough]

I'm not sure who will need to contact our CA and get the cert reissued, so I'm assigning back to haiku-web for now.

[umccullough]

Ok, we've made some progress on this.

Today we generated a new private key, and obtained a new wildcard cert for *.haiku-os.org from GlobalSign.

Oliver has applied this new cert to all of our servers - so let me know if you still find any referencing the old StartCom cert (which is due to expire soon anyway).

Next steps are to get the old certificate revoked, and then notify everyone publicly that they *should* change their passwords for good measure.

[umccullough]

Old certificate should be successfully revoked now, closing this ticket (as I posted a news article as well).