Opened 11 years ago
Closed 11 years ago
#10742 closed bug (fixed)
Websites vulnerable to heartbleed
Reported by: | Coldfirex | Owned by: | umccullough
---|---|---|---
Priority: | blocker | Milestone: |
Component: | Website | Version: |
Keywords: | | Cc: |
Blocked By: | | Blocking: |
Platform: | All | |
Description
FYI, I noticed that dev.haiku-os.org and haiku-os.org are both vulnerable to the Heartbleed vulnerability. It can be tested with: http://filippo.io/Heartbleed/
More info on the OpenSSL vulnerability: http://heartbleed.com/
Change History (7)
comment:1 by , 11 years ago
Owner: | changed from | to
---|---|---
Status: | new → assigned |
comment:2 by , 11 years ago
Owner: | changed from | to
---|---|---
Status: | assigned → in-progress |
Working on it now.
comment:3 by , 11 years ago
Resolution: | → fixed |
---|---|---
Status: | in-progress → closed |
Updated vmweb, vmdev, vmrepo, and baron - you can verify with:
haiku-os.org dev.haiku-os.org cgit.haiku-os.org baron.haiku-os.org
comment:4 by , 11 years ago
Resolution: | fixed |
---|---|---
Status: | closed → reopened |
Thanks Urias, but I'm afraid that's only half of the story. We also need to update our certificates, as they may have been compromised.
comment:5 by , 11 years ago
Owner: | changed from | to
---|---|---
Status: | reopened → assigned |
I'm not sure who will need to contact our CA and get the cert reissued, so I'm assigning back to haiku-web for now.
comment:6 by , 11 years ago
Owner: | changed from | to
---|---|---
Ok, we've made some progress on this.
Today we generated a new private key, and obtained a new wildcard cert for *.haiku-os.org from GlobalSign.
Oliver has applied this new cert to all of our servers - so let me know if you still find any referencing the old StartCom cert (which is due to expire soon anyway).
Next steps are to get the old certificate revoked, and then notify everyone publicly that they *should* change their passwords for good measure.
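Comment 3 lists the hosts to verify and comment 6 describes the key rotation and certificate re-issue. The script below is an added example for checking that every host is actually serving the re-issued certificate; it is not part of this ticket or of Haiku's infrastructure. It assumes the openssl command-line tool and GNU date are installed. The rotation date and the old certificate's fingerprint are placeholders, since the ticket does not state them; only the host names come from comment 3.

```shell
#!/bin/sh
# Added example (not from the Haiku ticket): confirm that hosts serve the
# re-issued certificate after a Heartbleed key rotation.
# Assumes the openssl CLI and GNU date. Rotation date and the old
# certificate's fingerprint are placeholders supplied by the caller.

# Print the leaf certificate served by HOST on port 443 (SNI = HOST) as PEM.
fetch_leaf_cert() {
    printf '' | openssl s_client -connect "$1:443" -servername "$1" 2>/dev/null \
        | openssl x509 2>/dev/null
}

# Print the SHA-256 fingerprint of the PEM certificate in FILE as lowercase hex.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 \
        | sed 's/^.*=//; s/://g' | tr 'A-F' 'a-f'
}

# Print the notBefore date of the PEM certificate in FILE as Unix epoch seconds.
cert_not_before_epoch() {
    nb=$(openssl x509 -in "$1" -noout -startdate | sed 's/^notBefore=//')
    date -u -d "$nb" +%s
}

# Succeed if the certificate in FILE was issued at or after ROTATION_EPOCH,
# i.e. it cannot be one that was generated with the possibly leaked key.
cert_issued_after() {
    [ "$(cert_not_before_epoch "$1")" -ge "$2" ]
}

# Succeed if FILE's fingerprint appears in the space-separated REVOKED list.
cert_is_revoked() {
    fp=$(cert_fingerprint "$1")
    for r in $2; do
        [ "$fp" = "$r" ] && return 0
    done
    return 1
}

# check_hosts ROTATION_EPOCH "REVOKED_FPS" HOST...
# Reports each host that still serves a revoked cert or one issued before
# the rotation; returns non-zero if any host fails.
check_hosts() {
    rotation_epoch="$1"; revoked="$2"; shift 2
    status=0
    tmp=$(mktemp)
    for h in "$@"; do
        if ! fetch_leaf_cert "$h" > "$tmp" || ! [ -s "$tmp" ]; then
            echo "$h: could not fetch certificate"; status=1; continue
        fi
        if cert_is_revoked "$tmp" "$revoked"; then
            echo "$h: STILL SERVING REVOKED CERT"; status=1
        elif ! cert_issued_after "$tmp" "$rotation_epoch"; then
            echo "$h: cert predates key rotation"; status=1
        else
            echo "$h: ok ($(cert_fingerprint "$tmp"))"
        fi
    done
    rm -f "$tmp"
    return $status
}

# Usage (placeholders: the rotation date and old fingerprint are not on the ticket):
# check_hosts "$(date -u -d 2014-04-09 +%s)" "<old-cert-sha256-fingerprint>" \
#     haiku-os.org dev.haiku-os.org cgit.haiku-os.org baron.haiku-os.org
```

The script only confirms what each server hands out in the handshake; whether the old certificate is actually revoked at the CA (the step in comment 7) is a separate OCSP or CRL check, and a host that is no longer serving the old cert could still be running an unpatched OpenSSL, so the library update remains its own verification.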
comment:7 by , 11 years ago
Resolution: | → fixed |
---|---|---
Status: | assigned → closed |
Old certificate should be successfully revoked now, closing this ticket (as I posted a news article as well).
I see that SUSE has already provided a patched openssl that we need to update to.
Assigning to Oliver to take care of if possible - barring that, I can run the updates tonight.