Hi all,
I'm forwarding this for those of you who are concerned about online security.
Kind regards,
David
---------- Forwarded message ----------
From: ENWP Pine deyntestiss@hotmail.com
Date: Wed, Apr 9, 2014 at 6:21 AM
Subject: [Wikimedia-l] OpenSSL vulnerability
To: "mediawiki-l@lists.wikimedia.org" mediawiki-l@lists.wikimedia.org, "wikimedia-l@lists.wikimedia.org" wikimedia-l@lists.wikimedia.org
I'm cross-posting this email from Wikitech-l from Greg Grossmeier. I think wide distribution is appropriate especially for contributors who may use vulnerable off-wiki communication tools with their Wikimedia password or for Wikimedia activity.
-- Yesterday a widespread issue in OpenSSL was disclosed that would allow attackers to gain access to privileged information on any site running a vulnerable version of that software. Unfortunately, all Wikimedia Foundation hosted wikis are potentially affected.
We have no evidence of any actual compromise to our systems or our users' information, but as a precautionary measure we are resetting all user session tokens. In other words, we will be forcing all logged-in users to re-login (i.e., we are logging everyone out).
All logged in users send a secret session token with each request to the site and if a nefarious person were able to intercept that token they could impersonate other users. Resetting the tokens for all users will have the benefit of making all users reconnect to our servers using the updated and fixed version of the OpenSSL software, thus removing this potential attack.
As an extra precaution, we recommend all users change their passwords as well.
Again, there has been no evidence that Wikimedia Foundation users were targeted by this attack, but we want all of our users to be as safe as possible.
Thank you for your understanding and patience,
Greg Grossmeier
_______________________________________________ Wikimedia-l mailing list Wikimedia-l@lists.wikimedia.org Unsubscribe: https://lists.wikimedia.org/mailman/listinfo/wikimedia-l, mailto:wikimedia-l-request@lists.wikimedia.org?subject=unsubscribe
Thanks for the info.
As long as there's been resetting of tokens worldwide on wmf sites, I think it's pretty much great.
rexford | google.com/+nkansahrexford | sent from tab
On Apr 9, 2014 1:31 PM, "David Richfield" davidrichfield@gmail.com wrote:
-- David Richfield [[:en:User:Slashme]] +49 176 72663368
WikimediaZA mailing list WikimediaZA@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikimediaza
Thanks for letting us know David. Good to be kept informed.
That's really informative, thanks David
On Wed, Apr 9, 2014 at 3:06 PM, Douglas Scott douglas.i.scott@gmail.com wrote:
-- Douglas Ian Scott 司道格 Skype: douglas0scott South African mobile number: +27 (0)79 515 8727