FS#39777 - [OpenSSL bug] Archlinux.org server update, SSL certificate should be revoked and regenerated
Attached to Project:
Arch Linux
Opened by Thomas (thomasbk) - Tuesday, 08 April 2014, 04:05 GMT
Last edited by Allan McRae (Allan) - Thursday, 01 May 2014, 08:10 GMT
Details
Due to bug https://bugs.archlinux.org/task/39775, the server running archlinux.org is vulnerable as well to a compromise of server memory, including the private key for SSL. This could be confirmed with http://filippo.io/Heartbleed/#archlinux.org/.

The server should be updated, and then the SSL certificate revoked and renewed.
I'd say it's not very likely that someone got our private key during that short period our server was unpatched (and the issue was publicly known).
If the issue was publicly known for a day, it is still possible that it was known to certain people for a lot longer. I wouldn't take any chances.
I will update the ticket when this is complete
* https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=744027
* https://bugzilla.mozilla.org/show_bug.cgi?id=994033
http://arstechnica.com/security/2014/04/heartbleed-vulnerability-may-have-been-exploited-months-before-patch/
I can do the new wildcard cert tomorrow. Sorry for the delay.
I will generate the new cert as soon as possible and stick it in my home dir on gerolde like I did last time. Will report back when this is complete.
Any other boxes that need updates? celestia and nymeria don't seem to support SSL.
Is there anything left using the old certificate? Aaron, I deleted the newcerts.tar.gz file from your $HOME.
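The last question in the thread, whether anything is still using the old certificate, is one a defender can answer mechanically: take the SHA-256 fingerprint of the revoked certificate and compare it against what each host actually presents. The script below is an added example and not code from the Arch Linux ticket or its infrastructure; the host names, the "DER" byte strings standing in for the old and reissued certificates, and the served-certificate table are constructed placeholders. Only `fetch_served_cert` touches the network; the audit itself runs on PEM strings so it works offline against captured certificates.

```python
"""Audit which hosts still serve a certificate that was revoked after Heartbleed.

Added example, not part of the Arch Linux bug report. Host names, the
'old' and 'new' certificate bytes and the served-certificate table below
are constructed placeholders, not the project's real data.
"""
import hashlib
import ssl
from typing import Dict, List, Optional


def sha256_fingerprint(pem: str) -> str:
    """SHA-256 fingerprint (lowercase hex) of the DER encoding of a PEM certificate.

    Matches the digest that `openssl x509 -fingerprint -sha256` prints,
    minus the colon separators and upper-casing.
    """
    der = ssl.PEM_cert_to_DER_cert(pem)
    return hashlib.sha256(der).hexdigest()


def fetch_served_cert(host: str, port: int = 443) -> Optional[str]:
    """Fetch the leaf certificate a live server presents, as PEM.

    Returns None when the host has no TLS listener or the handshake fails,
    so an unreachable box is reported as 'no TLS' rather than aborting the run.
    """
    try:
        return ssl.get_server_certificate((host, port))
    except OSError:
        return None


def hosts_still_using(served: Dict[str, Optional[str]], revoked_fp: str) -> List[str]:
    """Return the hosts whose served certificate matches the revoked fingerprint.

    `served` maps host -> PEM string, or None for hosts that do not offer TLS
    (like celestia and nymeria in the ticket); those are skipped.
    """
    return sorted(
        host
        for host, pem in served.items()
        if pem is not None and sha256_fingerprint(pem) == revoked_fp
    )


def audit_live(hosts: List[str], revoked_fp: str) -> List[str]:
    """Fetch each host's certificate over the network and run the same check."""
    served = {host: fetch_served_cert(host) for host in hosts}
    return hosts_still_using(served, revoked_fp)


# Constructed stand-ins for certificate DER bytes. Real input would be the
# output of `openssl x509 -outform DER` on the old and reissued certificate files.
OLD_CERT_PEM = ssl.DER_cert_to_PEM_cert(b"constructed DER of the pre-Heartbleed wildcard cert")
NEW_CERT_PEM = ssl.DER_cert_to_PEM_cert(b"constructed DER of the reissued wildcard cert")
REVOKED_FP = sha256_fingerprint(OLD_CERT_PEM)

# Constructed snapshot of what each host presented; None means no TLS listener.
SAMPLE_SERVED: Dict[str, Optional[str]] = {
    "www.example.org": NEW_CERT_PEM,        # already rotated
    "bugs.example.org": OLD_CERT_PEM,       # still serving the revoked cert
    "celestia.example.org": None,           # no SSL, nothing to rotate
    "nymeria.example.org": None,
}


if __name__ == "__main__":
    leftovers = hosts_still_using(SAMPLE_SERVED, REVOKED_FP)
    for host in leftovers:
        print(f"{host}: still serving the revoked certificate")
    if not leftovers:
        print("no host is serving the revoked certificate")
```

Run as-is it works purely on the constructed table; to audit real machines, replace `SAMPLE_SERVED` with the result of `audit_live([...], REVOKED_FP)` and compute `REVOKED_FP` from the actual old certificate file. Comparing the full DER fingerprint rather than the subject name is deliberate: the reissued wildcard certificate carries the same subject, so only the fingerprint (or serial) distinguishes the revoked one from its replacement.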