Googling, I found http://heartbleed.com/ and
https://www.openssl.org/news/secadv_20140407.txt gave a more technical
description of the issue in question, which I found interesting.
Thought I'd pass the links along in case they are useful to anyone
else.

Anyhow, some scary stuff there.

--bawolff

On 4/8/14, Greg Grossmeier <g...@wikimedia.org> wrote:
> FYI to this audience as well:
>
> We're resetting all user session tokens today due to heartbleed.
>
> What I didn't state below is that we have already replaced our SSL certs
> as well as upgraded to the fixed version of openssl.
>
> ----- Forwarded message from Greg Grossmeier <g...@wikimedia.org> -----
>
>> Date: Tue, 8 Apr 2014 13:54:26 -0700
>> From: Greg Grossmeier <g...@wikimedia.org>
>> To: Wikitech Ambassadors <wikitech-ambassad...@lists.wikimedia.org>
>> Subject: Security precaution - Resetting all user sessions today
>>
>> Yesterday a widespread issue in OpenSSL was disclosed that would allow
>> attackers to gain access to privileged information on any site running a
>> vulnerable version of that software. Unfortunately, all Wikimedia
>> Foundation hosted wikis are potentially affected.
>>
>> We have no evidence of any actual compromise to our systems or our users'
>> information, but as a precautionary measure we are resetting all user
>> session tokens. In other words, we will be forcing all logged in users
>> to re-login (i.e., we are logging everyone out).
>>
>> All logged in users send a secret session token with each request to the
>> site and if a nefarious person were able to intercept that token they
>> could impersonate other users. Resetting the tokens for all users will
>> have the benefit of making all users reconnect to our servers using the
>> updated and fixed version of the OpenSSL software, thus removing this
>> potential attack.
>>
>> As an extra precaution, we recommend all users change their passwords as
>> well.
>>
>>
>> Again, there has been no evidence that Wikimedia Foundation users were
>> targeted by this attack, but we want all of our users to be as safe as
>> possible.
>>
>>
>> Thank you for your understanding and patience,
>>
>> Greg Grossmeier
>>
>>
>> --
>> | Greg Grossmeier            GPG: B2FA 27B1 F7EB D327 6B8E |
>> | identi.ca: @greg                A18D 1138 8E47 FAC8 1C7D |
>
>
>
> ----- End forwarded message -----
>
> --
> | Greg Grossmeier            GPG: B2FA 27B1 F7EB D327 6B8E |
> | identi.ca: @greg                A18D 1138 8E47 FAC8 1C7D |
>

_______________________________________________
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
