From: Alex Legler
Reply-To: infra-heartbleed@gentoo.org
To: gentoo-announce@lists.gentoo.org, gentoo-core@lists.gentoo.org, gentoo-dev-announce@lists.gentoo.org
Date: Sun, 13 Apr 2014 11:51:33 +0200
Subject: [gentoo-dev-announce] Action required: Password reset on all Gentoo services
Message-ID: <534A5E25.2050202@gentoo.org>

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)

web version: https://infra-status.gentoo.org/notice/20140413-heartbleed

Dear Users & Developers of Gentoo,

Recent versions of OpenSSL were found to be affected by an information
disclosure vulnerability related to TLS heartbeats, nicknamed
'Heartbleed' [1]. It allows attackers to read up to 64kb of random
server memory, possibly including passwords, session IDs or even
private keys. Gentoo users should consult the related GLSA [2] for more
information on how to address the issue on their machines.

After the public disclosure on April 7, we have confirmed that several
services provided by Gentoo Infrastructure were vulnerable as well. We
have immediately updated the affected software, recreated private keys,
reissued certificates, and invalidated all running user sessions.

Despite these measures, we cannot exclude the possibility of attackers
exploiting the issue during the time it was not publicly known to gain
access to credentials or session IDs of our users. There are currently
no indications this has happened.

However, to be safe, we are asking you to reset your passwords used for
Gentoo services within the next 7 days.

Users & developers:
-------------------

You need to take action if you have an account on one or more of these
sites:

* blogs.gentoo.org
* bugs.gentoo.org
* forums.gentoo.org
* wiki.gentoo.org

Log in using your current credentials and use the reset password
functionality:

* blogs.gentoo.org: https://blogs.gentoo.org/wp-admin/profile.php
* bugs.gentoo.org: https://bugs.gentoo.org/userprefs.cgi?tab=account
* forums.gentoo.org: https://forums.gentoo.org/profile.php?mode=editprofile
* wiki.gentoo.org: https://wiki.gentoo.org/index.php?title=Special:ChangePassword

Developers:
-----------

You need to change your LDAP password (used for `perl_ldap' and the
SMTP/IMAP/POP services [3]). To do that, log in to dev.gentoo.org via
ssh and invoke `passwd'.

Important:
----------

If you don't update your credentials by April 19, 23:59 UTC, we will be
removing your current password to avoid abuse.

For our web services, you will then need to request a reset via email.
We cannot recover your account in case your email address on file is
not current.

For LDAP accounts, developers will need to be in possession of their
SSH or GPG keys and contact infra for a normal password reset.

Further help:
-------------

Contact infra-heartbleed@gentoo.org for assistance or further
information.

Thanks,
robbat2, a3li and the rest of the Infrastructure team

References:
-----------

[1] Heartbleed: http://heartbleed.com
[2] GLSA 201404-07: http://www.gentoo.org/security/en/glsa/glsa-201404-07.xml
[3] New mail SSL certificates: https://wiki.gentoo.org/wiki/Project:Infrastructure/Developer_E-Mail