[Labs-l] Recent SSL vulnerability impact

Marc A. Pelletier marc at uberbox.org
Tue Apr 8 16:15:53 UTC 2014


Hello everyone,

Please be aware that the recently disclosed vulnerability in OpenSSL (CVE-2014-0160)[1] affected the Ubuntu Precise distribution of that library (which is in use in Labs). This vulnerability potentially exposes server process memory in a way that may allow an attacker to recover the private key during SSL negotiation.

We have forcibly upgraded that library on all instances (as well as the WMF infrastructure) and will replace any potentially exposed SSL key material; but please note that if you use SSL within your project, you should consider all keys to be compromised, generate new keys and issue new certificates.

(To be clear, this does not affect SSH key material in any way.)

— Marc

[1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160
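
A check worth running after acting on the advice above to generate new keys and issue new certificates: confirm that the replacement certificate really carries a different public key from the old one, since a certificate re-issued over the old key is still exposed. This is an added example, not part of the original message; the file names and the demo.example.org subject are constructed, and it assumes the openssl command-line tool is installed.

```shell
#!/usr/bin/env bash
# Added example: detect a re-issued certificate that reuses the old key.
# All file names and subject names below are constructed for the demo.

# Print the SHA-256 digest of a certificate's public key (DER-encoded SPKI).
spki_hash() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 \
        | awk '{print $NF}'
}

# Succeeds (exit 0) when both certificates carry the same public key,
# i.e. the replacement was issued over the old, possibly exposed key.
reuses_key() {
    [ "$(spki_hash "$1")" = "$(spki_hash "$2")" ]
}

# Create a self-signed certificate for an existing private key.
issue_cert() {   # usage: issue_cert <key.pem> <cert.pem>
    openssl req -new -x509 -key "$1" -out "$2" -days 30 \
        -subj "/CN=demo.example.org" 2>/dev/null
}

# Build the constructed demo material in a scratch directory.
make_demo() {
    DEMO_DIR=$(mktemp -d)
    openssl genrsa -out "$DEMO_DIR/old.key" 2048 2>/dev/null
    openssl genrsa -out "$DEMO_DIR/new.key" 2048 2>/dev/null
    issue_cert "$DEMO_DIR/old.key" "$DEMO_DIR/old.crt"       # pre-upgrade cert
    issue_cert "$DEMO_DIR/old.key" "$DEMO_DIR/reissued.crt"  # new cert, old key
    issue_cert "$DEMO_DIR/new.key" "$DEMO_DIR/rekeyed.crt"   # new cert, new key
}

make_demo
for c in reissued rekeyed; do
    if reuses_key "$DEMO_DIR/old.crt" "$DEMO_DIR/$c.crt"; then
        echo "$c.crt: SAME key as old certificate, still compromised"
    else
        echo "$c.crt: new key"
    fi
done
```

On a real host, point `reuses_key` at the saved copy of the pre-upgrade certificate and the newly issued one.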