* [gentoo-dev-announce] Action required: Password reset on all Gentoo services
@ 2014-04-13 9:51 Alex Legler
0 siblings, 0 replies; only message in thread
From: Alex Legler @ 2014-04-13 9:51 UTC (permalink / raw
To: gentoo-announce, gentoo-core, gentoo-dev-announce
[-- Attachment #1: Type: text/plain, Size: 2859 bytes --]
web version: https://infra-status.gentoo.org/notice/20140413-heartbleed
Dear Users & Developers of Gentoo,
Recent versions of OpenSSL were found to be affected by an information
disclosure vulnerability related to TLS heartbeats, nicknamed
'Heartbleed' [1].
It allows attackers to read up to 64kb of random server memory, possibly
including passwords, session IDs or even private keys.
Gentoo users should consult the related GLSA [2] for more information on
how to address the issue on their machines.
After the public disclosure on April 7, we have confirmed that several
services provided by Gentoo Infrastructure were vulnerable as well.
We have immediately updated the affected software, recreated private
keys, reissued certificates, and invalidated all running user sessions.
Despite these measures, we cannot exclude the possibility of attackers
exploiting the issue during the time it was not publicly known to gain
access to credentials or session IDs of our users.
There are currently no indications this has happened.
However, to be safe, we are asking you to reset your passwords used for
Gentoo services within the next 7 days.
Users & developers:
-------------------
You need to take action if you have an account on one or more of these
sites:
* blogs.gentoo.org
* bugs.gentoo.org
* forums.gentoo.org
* wiki.gentoo.org
Log in using your current credentials and use the reset password
functionality:
* blogs.gentoo.org:
https://blogs.gentoo.org/wp-admin/profile.php
* bugs.gentoo.org:
https://bugs.gentoo.org/userprefs.cgi?tab=account
* forums.gentoo.org:
https://forums.gentoo.org/profile.php?mode=editprofile
* wiki.gentoo.org:
https://wiki.gentoo.org/index.php?title=Special:ChangePassword
Developers:
-----------
You need to change your LDAP password (used for `perl_ldap' and the
SMTP/IMAP/POP services [3]).
To do that, log in to dev.gentoo.org via ssh and invoke `passwd'.
Important:
----------
If you don't update your credentials until April 19, 23:59 UTC, we will
be removing your current password to avoid abuse.
For our web services, you will then need to request a reset via email.
We can not recover your account in case your email address on file is
not current.
For LDAP accounts, developers will need to be in possession of their SSH
or GPG keys and contact infra for a normal password reset.
Further help:
-------------
Contact infra-heartbleed@gentoo.org for assistance or further information.
Thanks,
robbat2, a3li and the rest of the Infrastructure team
References:
-----------
[1] Heartbleed: http://heartbleed.com
[2] GLSA 201404-07:
http://www.gentoo.org/security/en/glsa/glsa-201404-07.xml
[3] New mail SSL certificates:
https://wiki.gentoo.org/wiki/Project:Infrastructure/Developer_E-Mail
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 901 bytes --]
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2014-04-13 17:22 UTC | newest]
Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2014-04-13 9:51 [gentoo-dev-announce] Action required: Password reset on all Gentoo services Alex Legler
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox