Earlier this week there was an important vulnerability discovered in openssl. Please see previous announcements on this list for how to update and secure your Fedora installs.
The vulnerability was announced late Monday afternoon, and by Monday evening fixed packages were available. Fedora Infrastructure folks spent much of Monday night and Tuesday morning updating and rebooting servers. Then, on Tuesday, the last bunch of internal servers were also updated. Our critical internet-facing openssl-using servers were patched Monday evening as soon as the fixed package was available.
We have a number of security measures always in place, none of which have indicated any compromise of user or system data. Additionally, access to Fedora Infrastructure systems is by ssh key only (which is not vulnerable to this attack), and 2-factor authentication is required for any privileged access.
Fedora account system account holders are welcome to change their passwords at any time (and this is a fine time while you are thinking about it), but we will not be forcing all users to change their passwords at this time.
We will also not be re-issuing our existing ssl certificates; we will be replacing them as they expire. There is little proof that private ssl keys can be compromised with this vulnerability, and additionally almost no browsers check revocation lists, so reissuing would do little good.
Fedora account system account holders are encouraged to notify admin@fedoraproject.org if they see any out of the ordinary activity on their accounts (changes to Fedora accounts generate email to the account holder). If you see a change you didn't initiate, please let us know.
I'd like to thank all the many Fedora Community members that helped us produce and distribute updates and apply them to Fedora Infrastructure.
Fedora Infrastructure.
Greetings.
I want to pass along some additional information about this vulnerability and how it affects Fedora Infrastructure.
Shortly after sending the announcement, it was confirmed that private keys from SSL certs CAN be acquired by this vulnerability. Accordingly, we WILL be reissuing all our SSL certificates. We have started this process today, and will send another email when all of them are reissued.
If you have not yet changed your Fedora Account system password you may wish to wait until we have finished replacing all SSL certificates.
Additionally, it was pointed out that Firefox does now use OCSP (Online Certificate Status Protocol) by default. It should note revoked certificates as long as it's able to reach the OCSP provider for that Certificate Authority (if it cannot, it will assume the certificate is valid).
Thanks for your patience as we work to keep Fedora resources secure.
kevin
Greetings.
In the wake of the recent openssl vulnerability, we have now reissued all the public facing SSL certificates used by the Fedora Project, as well as a number of internal only ones.
This includes:
*.fedoraproject.org (wildcard certificate)
*.fedorahosted.org (wildcard certificate)
*.id.fedoraproject.org (wildcard certificate)
*.stg.fedoraproject.org (wildcard certificate)
copr.fedoraproject.org
copr-be.cloud.fedoraproject.org
retrace.fedoraproject.org
koji.fedoraproject.org/pkgs.fedoraproject.org
Internally we have completely re-keyed our puppet, openvpn, and fedmsg certs as a precaution.
If you were holding off changing your Fedora Account System password until new certs were issued, feel free to do so now.
As always, Fedora account system account holders are encouraged to notify admin@fedoraproject.org if they see any out of the ordinary activity on their accounts (changes to Fedora accounts generate email to the account holder). If you see a change you didn't initiate, please let us know.
Thanks for your patience,
kevin
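The two announcements above leave a user with two things to verify about a reissued certificate: that the certificate now being served was actually issued after the patch date, and where a client such as Firefox would go for an OCSP status check (the announcement notes that Firefox soft-fails if that responder is unreachable). The following script is an added example, not code from Fedora Infrastructure or from these e-mails. It assumes the openssl command-line tool and GNU date are available; the certificate it inspects is a throwaway self-signed one generated on the spot so the script runs offline, and the cutoff date is the user's own choice.

```bash
#!/usr/bin/env bash
# Added example (not part of the Fedora announcements): check that a
# certificate was issued after a cutoff date, and report the OCSP responder
# URL a browser would query for revocation status.
# Assumptions: openssl CLI and GNU date (for "date -d") are installed.

set -u

# Return 0 (true) if the certificate's notBefore is later than the cutoff
# date (YYYY-MM-DD), i.e. it was issued after the patch went out.
cert_issued_after() {
    local pem="$1" cutoff="$2"
    local not_before not_before_epoch cutoff_epoch
    # "notBefore=Apr  8 12:00:00 2014 GMT" -> keep everything after "="
    not_before=$(openssl x509 -in "$pem" -noout -startdate | cut -d= -f2-)
    not_before_epoch=$(date -u -d "$not_before" +%s)
    cutoff_epoch=$(date -u -d "$cutoff" +%s)
    [ "$not_before_epoch" -gt "$cutoff_epoch" ]
}

# Print the OCSP responder URL from the certificate's Authority Information
# Access extension, or "none" when the certificate carries no OCSP pointer.
# With no responder URL a client has nothing to ask, so a revocation check
# cannot even be attempted (self-signed test certificates fall in this case).
cert_ocsp_uri() {
    local uri
    uri=$(openssl x509 -in "$1" -noout -ocsp_uri)
    printf '%s\n' "${uri:-none}"
}

# Constructed sample input: a self-signed certificate created in a scratch
# directory. For a real check, save the served certificate instead, e.g.
#   openssl s_client -connect host:443 -servername host </dev/null \
#       | openssl x509 > served.pem
make_sample_cert() {
    local dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/key.pem" \
        -out "$dir/cert.pem" -days 30 -subj "/CN=sample.example" 2>/dev/null
    printf '%s\n' "$dir/cert.pem"
}

# Usage: report_cert <cert.pem> <cutoff YYYY-MM-DD>
report_cert() {
    local pem="$1" cutoff="$2"
    if cert_issued_after "$pem" "$cutoff"; then
        echo "issued after $cutoff: yes"
    else
        echo "issued after $cutoff: NO (certificate predates the cutoff)"
    fi
    echo "OCSP responder: $(cert_ocsp_uri "$pem")"
}

if [ "${BASH_SOURCE[0]}" = "$0" ]; then
    workdir=$(mktemp -d)
    sample=$(make_sample_cert "$workdir")
    report_cert "$sample" "2014-04-08"
    rm -rf "$workdir"
fi
```

To check a real server, replace the sample with the certificate saved from `openssl s_client` and pass the date of your own patch window as the cutoff; a "NO" result means the served certificate still predates the reissue, whatever the announcement says.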
announce@lists.stg.fedoraproject.org