<!doctype html>
<html class="no-js" lang="en" dir="ltr">
<head>
<meta charset="utf-8">
<meta http-equiv="x-ua-compatible" content="ie=edge">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>heartbleed fallout for apache - Apache Infrastructure Website</title>
<link href="/css/bootstrap.min.css" rel="stylesheet">
<link href="/css/fontawesome.all.min.css" rel="stylesheet">
<link href="/css/headerlink.css" rel="stylesheet">
<script src="/highlight/highlight.min.js"></script> </head>
<body class="d-flex flex-column h-100">
<main class="flex-shrink-0">
<!-- page contents -->
<div id="contents">
<div class="bg-white p-5 rounded">
<div class="col-sm-8 mx-auto">
<h1>
heartbleed fallout for apache
</h1>
<p>Posted on: 2014-04-11 20:25:44+00:00</p>
<p>Remain calm.</p>
<p>What we've learned about the heartbleed incident is that it is hard, in the sense of perhaps only being viable for a well-funded blackhat operation, to steal a private certificate and key from a vulnerable service. Nevertheless, the central role Apache projects play in the modern software development world requires us to mitigate that circumstance. Given how long this bug existed and how wide its exposure window was, we have to assume that some or many Apache passwords may have been compromised, and perhaps even our private wildcard cert and key, so we've taken a few steps as of today:</p>
<ol>
<li>We fixed the vulnerability in our openssl installations to prevent further damage,</li>
<li>We've acquired a new wildcard cert for apache.org that we have rolled out prior to this blog entry,</li>
<li>We will require that all committers rotate their LDAP passwords (committers visit <a href="https://id.apache.org/reset/enter">id.apache.org</a> to reset LDAP passwords once they've been forcibly reset),</li>
<li>We are encouraging the administrators of all non-LDAP services, such as JIRA, to rotate those passwords as well.</li>
</ol>
<div>
<p>Regarding the cert change for svn users: we'd also like to suggest that you remove your existing apache.org certs from your .subversion cache to prevent potential MITM attacks using the old cert. Fortunately it is relatively painless to do this:</p>
<pre><code>% grep -l apache.org ~/.subversion/auth/svn.ssl.server/* | xargs rm</code></pre>
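<p>The grep one-liner matches the string anywhere in any cache file, so it would also remove an entry for a look-alike host such as notapache.org. The following Python script is an added example (not part of the original post and not Subversion's own code): it parses the cache files in Subversion's hash format and selects only entries whose svn:realmstring host is apache.org or one of its subdomains. The default cache directory is assumed, and the sample cache contents are constructed.</p>

```python
"""Added example (not from the post): purge cached Subversion server certs for one domain.
Files in ~/.subversion/auth/svn.ssl.server are hash files: 'K <n>' line, key, 'V <n>' line, value, ... 'END'."""
import os
from urllib.parse import urlparse

AUTH_DIR = os.path.expanduser("~/.subversion/auth/svn.ssl.server")  # Subversion's default location

def parse_svn_hash(data: bytes) -> dict:
    """Parse one cache file into {key: value}; lengths are byte counts, so values may span lines."""
    pos, fields = 0, []
    while not data.startswith(b"END", pos):
        end = data.index(b"\n", pos)                      # end of the 'K <n>' / 'V <n>' header line
        if not data.startswith(b"K " if len(fields) % 2 == 0 else b"V ", pos):
            raise ValueError("malformed auth file at offset %d" % pos)
        n = int(data[pos + 2:end])
        fields.append(data[end + 1:end + 1 + n])          # the key or value body, exactly n bytes
        pos = end + 2 + n                                 # skip the body and its trailing newline
    return {k.decode(): v.decode(errors="replace") for k, v in zip(fields[::2], fields[1::2])}

def realm_matches(realm: str, domain: str) -> bool:
    """True when the realm host (e.g. 'https://svn.apache.org:443') is domain or a subdomain of it."""
    host = urlparse(realm).hostname or ""
    return host == domain or host.endswith("." + domain)

def stale_cert_entries(files: dict, domain: str) -> list:
    """Given {filename: raw bytes}, return the files that cache a server cert for `domain`."""
    stale = []
    for name, data in files.items():
        try:
            entry = parse_svn_hash(data)
        except ValueError:
            continue                                      # leave unparseable files alone
        if "ascii_cert" in entry and realm_matches(entry.get("svn:realmstring", ""), domain):
            stale.append(name)
    return stale

def purge_cached_certs(domain="apache.org", auth_dir=AUTH_DIR, dry_run=True) -> list:
    """Delete (or with dry_run only list) the cache files for `domain`; returns their names."""
    files = {n: open(os.path.join(auth_dir, n), "rb").read() for n in os.listdir(auth_dir)}
    stale = stale_cert_entries(files, domain)
    for name in stale if not dry_run else []:
        os.remove(os.path.join(auth_dir, name))
    return stale

# Constructed sample cache: a real apache.org realm, a look-alike domain and an unrelated host.
SAMPLE_FILES = {
    "a1": b"K 10\nascii_cert\nV 7\nMIIC...\nK 15\nsvn:realmstring\nV 26\nhttps://svn.apache.org:443\nEND\n",
    "b2": b"K 10\nascii_cert\nV 7\nMIID...\nK 15\nsvn:realmstring\nV 29\nhttps://svn.notapache.org:443\nEND\n",
    "c3": b"K 10\nascii_cert\nV 7\nMIIE...\nK 15\nsvn:realmstring\nV 27\nhttps://svn.example.com:443\nEND\n",
}
```

<p>Running <code>purge_cached_certs()</code> only lists the matching cache files; pass <code>dry_run=False</code> to delete them, after which Subversion will prompt you to accept the new cert on the next connection.</p>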
<p>NOTE: our openoffice wildcard cert was never vulnerable to this issue, as it was served from an openssl-1.0.0 host.</p>
</div>
</div>
</div>
</div>
<!-- footer -->
<div class="row">
<div class="large-12 medium-12 columns">
<p style="font-style: italic; font-size: 0.8rem; text-align: center;">
Copyright 2024, <a href="https://www.apache.org/">The Apache Software Foundation</a>, Licensed under the <a href="https://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.<br/>
Apache&reg; and the Apache feather logo are trademarks of The Apache Software Foundation...
</p>
</div>
</div>
<script type="application/ecmascript" src="/js/bootstrap.bundle.min.js" integrity="sha384-OERcA2EqjJCMA+/3y+gxIOqMEjwtxJY7qPCqsdltbNJuaOe923+mo//f6V8Qbsw3"></script> </main>
</body>
</html>