OpenSSL Vulnerability / Heartbleed Bug
Information has been released about a new OpenSSL vulnerability (CVE-2014-0160) and we were using an affected version of OpenSSL until today - April 10, 2014, 10 AM PT. We have updated our servers now to the latest version of OpenSSL that includes a patch for the vulnerability.
We recommend changing your account password now - if you have an account on our Kantara Initiative IdP (for example if you log in to the Kantara Initiative wiki using the selection "Kantara Initiative IdP ..."). To change your password please go to: https://idp.kantarainitiative.org/myaccount.php
If you have any questions about this incident, please do not hesitate to contact us at staff@kantarainitiative.org
Thanks, Oliver
-- *Oliver Maerz* External Consultant
*Kantara Initiative* +1 (503) 468-4188 oliver (at) kantarainitiative.org http://www.kantarainitiative.org
The information contained in this electronic message and any attachments to this message are intended for the exclusive use of the addressee(s) and may contain confidential or privileged information. No representation is made on its accuracy or completeness of the information contained in this electronic message. Certain assumptions may have been made in the preparation of this material as at this date, and are subject to change without notice. If you are not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this e-mail and any attachment(s) is strictly prohibited. Please reply to Oliver Maerz and destroy all copies of this message and any attachments from your system.
Just a quick update about the Heartbleed Bug issue: Because of this OpenSSL vulnerability (CVE-2014-0160) it was theoretically possible for an attacker to recover our servers' private keys. As a precaution we have revoked all old SSL keys/certificates on our servers and have reissued and installed new SSL certificates.
Thanks, Oliver
On Thu, Apr 10, 2014 at 11:54 PM, Oliver Maerz <oliver@kantarainitiative.org> wrote:
*Update*: We have received feedback from some of our community members pointing out the fact that many Web browsers do not have the validity checks for SSL certificates fully enabled by default. In light of the recent Heartbleed OpenSSL vulnerability it is highly recommended to turn on these checks (CRL / OCSP) - so browsers automatically check if SSL certificates are still valid or have been revoked.
Thanks, Oliver
On Fri, Apr 11, 2014 at 8:04 PM, Oliver Maerz <oliver@kantarainitiative.org> wrote: