Earlier this week there was an important vulnerability discovered in
openssl. Please see previous announcements on this list for how to
update and secure your Fedora installs.

The vulnerability was announced late Monday afternoon, and by Monday
evening fixed packages were available. Fedora Infrastructure folks
spent much of Monday night and Tuesday morning updating and rebooting
servers. Then, on Tuesday, the last bunch of internal servers were also
updated. Our critical internet-facing servers that use openssl were
patched Monday evening as soon as the fixed package was available.

We have a number of security measures always in place, none of which
have indicated any compromise of user or system data. Additionally,
access to Fedora Infrastructure systems is by ssh key only (which is
not vulnerable to this attack) and two-factor authentication is required
for any privileged access.

Fedora account system account holders are welcome to change their
passwords at any time (and this is a fine time while you are thinking
about it), but we will not be forcing all users to change their
passwords at this time.

We will also not be re-issuing our existing ssl certificates; we will
be replacing them as they expire. There is little proof that private
ssl keys can be compromised with this vulnerability and additionally
almost no browsers check revocation lists, so reissuing would do
little good.

Fedora account system account holders are encouraged to notify
admin@fedoraproject.org if they see any out-of-the-ordinary activity on
their accounts (changes to Fedora accounts generate email to the
account holder). If you see a change you didn't initiate, please let us
know.

I'd like to thank all the many Fedora Community members who helped us
produce and distribute updates and apply them to Fedora Infrastructure.
Fedora Infrastructure.