a3li 14/04/13 09:21:10

Added: 20140413-heartbleed.xml
Log:
Add heartbleed password rotation news item
Revision Changes Path 1.1 xml/htdocs/news/20140413-heartbleed.xml file : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/news/20140413-heartbleed.xml?rev=1.1&view=markup plain: http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/news/20140413-heartbleed.xml?rev=1.1&content-type=text/plain Index: 20140413-heartbleed.xml =================================================================== <?xml version='1.0'?> <!DOCTYPE news SYSTEM "/dtd/guide.dtd"> <news gentoo="yes" category="gentoo"> <!-- Enter your name here --> <poster>Alex Legler</poster> <!-- Date to be displayed - usually the GWN release date --> <date>2014-04-13</date> <!-- Title of the news item - don't forget to change the date --> <title>Action required: Password reset on all Gentoo services</title> <body> <!-- Alter to your own likings --> <p> Recent versions of OpenSSL were found to be affected by an information disclosure vulnerability related to TLS heartbeats, nicknamed Heartbleed. It allows attackers to read up to 64kb of random server memory, possibly including passwords, session IDs or even private keys. </p> <p> After the public disclosure on April 7, we have confirmed that several services provided by Gentoo Infrastructure were vulnerable as well. We have immediately updated the affected software, recreated private keys, reissued certificates, and invalidated all running user sessions. Despite these measures, we cannot exclude the possibility of attackers exploiting the issue during the time it was not publicly known to gain access to credentials or session IDs of our users. 
<b>There are currently no indications this has happened.</b> </p> <p> <b>However, to be safe, we are asking you to reset your passwords used for Gentoo services within the next 7 days.</b> You need to take action if you have an account on one of the following sites: </p> <ul> <li>blogs.gentoo.org</li> <li>bugs.gentoo.org</li> <li>forums.gentoo.org</li> <li>wiki.gentoo.org</li> </ul> <p> After 7 days, we will be removing all passwords to avoid abuse. For more information and the full announcement, visit <uri>http://infra-status.gentoo.org/notice/20140413-heartbleed</uri>. </p> </body> </news>
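Review bot: the deadline in <body> is given only relatively ("within the next 7 days", "After 7 days, we will be removing all passwords"), so a reader who sees the item syndicated or a few days late has to work it out from <date>2014-04-13</date>; state the absolute cut-off date next to both phrases. In the first <p>, "64kb" should read "64 KB", since lowercase "kb" reads as kilobits. The template comments ("Enter your name here", "Alter to your own likings") are still in the file and can be dropped. The <uri> for the full announcement is plain http; for a notice about leaked credentials and session IDs, link the https URL if infra-status serves one.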