Jogamp's Heartbleed Vulnerability / Mitigation


Sven Gothel
Heartbleed Bug <>

2014-04-08 00:17:39 CET: Xerxes gave us a heads up about the possible vulnerability

2014-04-08 00:52:37 CET: I was able to update the Debian packages to stop the leak

2014-04-09 08:03:49 CET: Further 'hardening' work on the TLS settings started,
                         i.e. preferring PFS DHE ciphers and dropping weak ones.

Now I am waiting to receive the new SSL certificate,
which was issued free of charge from Hetzner and Thawte.
Since Hetzner is in Germany and the reseller, sadly this will not happen
before Monday.
However, the vulnerability has been _active_ for at least one year w/ deployed
OpenSSL packages - so I guess we don't need to be hysterical :)
Whoever has the passwords and certificate already probably will not change the behavior.
Since the leak is closed, new attacks will not be successful regarding this bug.

I will update you after installing the new certs
and revoking the old one.

Whoever has an account on (wiki, email, jenkins, ..)
please update your passwords, *** after the replacement of the certificate *** !

Cheers, Sven

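Added example, not part of the post or of JogAmp's server setup: a check an account holder could run before changing passwords, covering both the certificate replacement and the PFS hardening mentioned above. The function names, the weak-cipher fragments and the sample certificate dates and ciphers are constructed assumptions; only the patch timestamp comes from the post.

```python
import socket
import ssl
from datetime import datetime, timedelta, timezone

# Fix time from the post: 2014-04-08 00:52:37 CET (taken as UTC+1, as written).
PATCHED_AT = datetime(2014, 4, 8, 0, 52, 37, tzinfo=timezone(timedelta(hours=1)))
# Assumption: name fragments treated as weak; the post does not list them.
WEAK_TOKENS = ("RC4", "DES", "MD5", "EXP", "NULL")

# Constructed samples in the shape of SSLSocket.getpeercert() / .cipher().
SAMPLE_OLD = ({"notBefore": "Jun 13 00:00:00 2013 GMT"}, ("AES256-SHA", "TLSv1", 256))
SAMPLE_NEW = ({"notBefore": "Apr 14 00:00:00 2014 GMT"},
              ("DHE-RSA-AES256-GCM-SHA384", "TLSv1.2", 256))


def forward_secret(cipher):
    """True if the negotiated suite uses an ephemeral (EC)DHE key exchange."""
    name, protocol, _bits = cipher
    if protocol == "TLSv1.3":  # certificate-based TLS 1.3 handshakes are always ephemeral
        return True
    return name.startswith(("ECDHE-", "DHE-", "EDH-"))


def rotation_blockers(peercert, cipher, patched_at=PATCHED_AT):
    """Reasons to hold off on changing passwords; an empty list means go ahead."""
    blockers = []
    issued = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(peercert["notBefore"]), tz=timezone.utc)
    # notBefore is only a proxy: a reissued certificate could reuse the old key.
    if issued <= patched_at:
        blockers.append("certificate predates the OpenSSL fix")
    if not forward_secret(cipher):
        blockers.append("no forward secrecy: " + cipher[0])
    if any(token in cipher[0] for token in WEAK_TOKENS):
        blockers.append("weak cipher: " + cipher[0])
    return blockers


def probe(host, port=443):
    """Live variant: read certificate and cipher from a server you use."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return rotation_blockers(tls.getpeercert(), tls.cipher())


if __name__ == "__main__":
    for label, sample in (("old", SAMPLE_OLD), ("new", SAMPLE_NEW)):
        print(label, rotation_blockers(*sample) or "ok to rotate")
```

An empty result only says the presented certificate is newer than the fix and the session is forward secret; revocation of the old certificate still has to be confirmed separately.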