Earlier this week an important vulnerability was discovered in openssl. Please see previous announcements on this list for how to update and secure your Fedora installs.
The vulnerability was announced late Monday afternoon, and by Monday evening fixed packages were available. Fedora Infrastructure folks spent much of Monday night and Tuesday morning updating and rebooting servers. Then, on Tuesday, the last batch of internal servers was also updated. Our critical internet-facing servers that use openssl were patched Monday evening, as soon as the fixed package was available.
We have a number of security measures always in place, none of which have indicated any compromise of user or system data. Additionally, access to Fedora Infrastructure systems is by ssh key only (which is not vulnerable to this attack), and two-factor authentication is required for any privileged access.
Fedora account system account holders are welcome to change their passwords at any time (and this is a fine time while you are thinking about it), but we will not be forcing all users to change their passwords at this time.
We will also not be re-issuing our existing ssl certificates; we will replace them as they expire. There is little proof that private ssl keys can be compromised with this vulnerability, and additionally almost no browsers check revocation lists, so reissuing would do little good.
Fedora account system account holders are encouraged to notify admin@fedoraproject.org if they see any out of the ordinary activity on their accounts (changes to Fedora accounts generate email to the account holder). If you see a change you didn’t initiate, please let us know.
We would like to thank the people that worked ‘overnight’ trying to fix the bug and push security updates. That’s why we made a Badge, just for them 😉
Adam Williamson
“and additionally almost no browsers check revocation lists”
That seems somewhat overstated. At least Fedora’s default browser, and still probably the most popular browser among Fedora users – Firefox – *does* do so by default.
Kevin Fenzi
Mea culpa. I was looking at some older info on Firefox from when they removed support for CRLs. Firefox does use OCSP by default now. It’s still not 100% tho, as if it can’t reach the OCSP provider and it doesn’t have the list cached (pinned) it will just assume it’s fine and use it. If you are behind a captive portal or the attacker is able to block your connection to the CA’s OCSP site, they could still use a revoked cert.
If there’s found to be enough cause to re-issue we still can, it just seems like mostly a PR move without too much advantage.
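The soft-fail behaviour described in the comment above (a client that cannot reach the OCSP responder just assumes the certificate is fine), as an added example that is not part of this post or of Fedora's own code: a small Python model built on the `cryptography` library's OCSP API, with a constructed throwaway CA and leaf certificate (hypothetical names) and a `check_revocation` function that can run in either soft-fail or hard-fail mode.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID

GOOD, REVOKED = ocsp.OCSPCertStatus.GOOD, ocsp.OCSPCertStatus.REVOKED
NOW = datetime.datetime.now(datetime.timezone.utc)

def _cert(cn, issuer_cn, pub, signer_key):
    """Constructed throwaway certificate (hypothetical names, not a real Fedora cert)."""
    name = lambda s: x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, s)])
    return (x509.CertificateBuilder().subject_name(name(cn)).issuer_name(name(issuer_cn))
            .public_key(pub).serial_number(x509.random_serial_number())
            .not_valid_before(NOW).not_valid_after(NOW + datetime.timedelta(days=1))
            .sign(signer_key, hashes.SHA256()))

CA_KEY = rsa.generate_private_key(65537, 2048)   # the CA key also signs OCSP responses here
CA = _cert("Test CA", "Test CA", CA_KEY.public_key(), CA_KEY)
LEAF = _cert("example.test", "Test CA", rsa.generate_private_key(65537, 2048).public_key(), CA_KEY)

def ocsp_response(status):
    """DER-encoded OCSP response for LEAF with the given status, signed by the CA key."""
    resp = ocsp.OCSPResponseBuilder().add_response(
        cert=LEAF, issuer=CA, algorithm=hashes.SHA256(), cert_status=status,
        this_update=NOW, next_update=NOW + datetime.timedelta(days=1),
        revocation_time=NOW if status == REVOKED else None,
        revocation_reason=x509.ReasonFlags.key_compromise if status == REVOKED else None,
    ).responder_id(ocsp.OCSPResponderEncoding.HASH, CA).sign(CA_KEY, hashes.SHA256())
    return resp.public_bytes(serialization.Encoding.DER)

def responder_down():
    raise OSError("OCSP responder unreachable")  # captive portal, blocked CA URL, timeout

def check_revocation(fetch, hard_fail):
    """Client-side OCSP decision: 'good', 'revoked', or, with no trustworthy answer, 'reject'
    (hard-fail) or 'accept-unverified' (soft-fail). Freshness/nonce checks omitted for brevity."""
    unverified = "reject" if hard_fail else "accept-unverified"
    try:
        resp = ocsp.load_der_ocsp_response(fetch())
    except OSError:
        return unverified
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL or resp.serial_number != LEAF.serial_number:
        return unverified
    # Only a response signed by the issuer (or its delegated responder) may be trusted.
    CA.public_key().verify(resp.signature, resp.tbs_response_bytes, padding.PKCS1v15(),
                           resp.signature_hash_algorithm)
    return {GOOD: "good", REVOKED: "revoked"}.get(resp.certificate_status, unverified)
```

With the responder unreachable, `check_revocation(responder_down, hard_fail=False)` returns `accept-unverified`, which is exactly the window a revoked certificate can be used in; `hard_fail=True` closes it at the cost of failing closed whenever the responder is down.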
Kevin Fenzi
…and it looks like someone has managed to get private key info via heartbleed. Waiting on details, but we may well just reissue on Monday.
Alex Hudson
I think you need to re-think not reissuing the certs. It’s been shown that private keys *are* retrievable (cf. DigitalOcean), and while revocation isn’t amazing, reissuing the certs ensures continued privacy.