Chris S is actively looking into this. Thanks for the note.

--
Sent from my phone, please excuse brevity.

On Apr 8, 2014 4:18 PM, "Risker" <risker...@gmail.com> wrote:

> Thanks for the heads-up, Greg. However, I'm finding that I am being
> repeatedly logged out...it's happened every other edit I've made tonight,
> which is a real pain. Will report on IRC as well.
>
> Risker/Anne
>
> On 8 April 2014 16:57, Greg Grossmeier <g...@wikimedia.org> wrote:
>
> > FYI to this audience as well:
> >
> > We're resetting all user session tokens today due to heartbleed.
> >
> > What I didn't state below is that we have already replaced our SSL certs
> > as well as upgraded to the fixed version of openssl.
> >
> > ----- Forwarded message from Greg Grossmeier <g...@wikimedia.org> -----
> >
> > > Date: Tue, 8 Apr 2014 13:54:26 -0700
> > > From: Greg Grossmeier <g...@wikimedia.org>
> > > To: Wikitech Ambassadors <wikitech-ambassad...@lists.wikimedia.org>
> > > Subject: Security precaution - Resetting all user sessions today
> > >
> > > Yesterday a widespread issue in OpenSSL was disclosed that would allow
> > > attackers to gain access to privileged information on any site running a
> > > vulnerable version of that software. Unfortunately, all Wikimedia
> > > Foundation hosted wikis are potentially affected.
> > >
> > > We have no evidence of any actual compromise to our systems or our users'
> > > information, but as a precautionary measure we are resetting all user
> > > session tokens. In other words, we will be forcing all logged in users
> > > to re-login (ie: we are logging everyone out).
> > >
> > > All logged in users send a secret session token with each request to the
> > > site and if a nefarious person were able to intercept that token they
> > > could impersonate other users. Resetting the tokens for all users will
> > > have the benefit of making all users reconnect to our servers using the
> > > updated and fixed version of the OpenSSL software, thus removing this
> > > potential attack.
> > >
> > > As an extra precaution, we recommend all users change their passwords as
> > > well.
> > >
> > > Again, there has been no evidence that Wikimedia Foundation users were
> > > targeted by this attack, but we want all of our users to be as safe as
> > > possible.
> > >
> > > Thank you for your understanding and patience,
> > >
> > > Greg Grossmeier
> > >
> > > --
> > > | Greg Grossmeier            GPG: B2FA 27B1 F7EB D327 6B8E |
> > > | identi.ca: @greg                A18D 1138 8E47 FAC8 1C7D |
> >
> > ----- End forwarded message -----
> >
> > --
> > | Greg Grossmeier            GPG: B2FA 27B1 F7EB D327 6B8E |
> > | identi.ca: @greg                A18D 1138 8E47 FAC8 1C7D |
> >
> > _______________________________________________
> > Wikitech-l mailing list
> > Wikitech-l@lists.wikimedia.org
> > https://lists.wikimedia.org/mailman/listinfo/wikitech-l
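
The session reset described in the forwarded announcement, as an added illustration that is not part of the original thread and is not Wikimedia's or MediaWiki's code: a token captured before the reset stops working once the server moves a global cutoff, and a fresh login works again. The `SessionIssuer` class, its token format and the cutoff mechanism are assumptions made for this sketch.

```python
import hashlib
import hmac
import secrets


class SessionIssuer:
    """Signed session tokens with a global cutoff (hypothetical design)."""

    def __init__(self, clock):
        self._key = secrets.token_bytes(32)  # server-side signing key
        self._clock = clock                  # injected so the demo is deterministic
        self._not_before = 0                 # tokens issued at or before this are dead

    def _sign(self, payload: str) -> str:
        return hmac.new(self._key, payload.encode(), hashlib.sha256).hexdigest()

    def login(self, user: str) -> str:
        payload = f"{user}:{self._clock()}"
        return f"{payload}:{self._sign(payload)}"

    def reset_all_sessions(self) -> None:
        """Force every logged-in user to log in again."""
        self._not_before = self._clock()

    def validate(self, token: str):
        """Return the user name for a live token, else None."""
        try:
            user, issued, sig = token.rsplit(":", 2)
            issued_at = int(issued)
        except ValueError:
            return None  # malformed token
        expected = self._sign(f"{user}:{issued}")
        if not hmac.compare_digest(sig.encode(), expected.encode()):
            return None  # forged or altered token
        if issued_at <= self._not_before:
            return None  # issued before the reset: may have been exposed
        return user


def demo():
    now = [1000]                              # constructed timestamps
    issuer = SessionIssuer(clock=lambda: now[0])
    captured = issuer.login("alice")          # token in use before the fix
    before = issuer.validate(captured)
    now[0] = 2000
    issuer.reset_all_sessions()               # done after patching and new certs
    after = issuer.validate(captured)         # the old token is now useless
    now[0] = 2001
    fresh = issuer.validate(issuer.login("alice"))
    return before, after, fresh
```

The ordering matters: a reset performed before the fixed OpenSSL and new certificates are in place would hand out new tokens over connections that are still exposed.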