[quassel-announce] A Bleeding Heart - Important Information for Quassel Core Hosters!

Manuel Nickschas sputnick at quassel-irc.org
Wed Apr 9 23:18:00 CEST 2014


Hi all,

as you should have heard by now, a major security vulnerability was discovered 
in OpenSSL [1]. This does affect Quassel as well, as by default the connection 
between a Quassel client and core is encrypted using SSL (or, rather, TLS); in 
particular, it affects you if you run a core that supports SSL and is exposed 
to the public internet (clients, both monolithic and stand-alone, are not 
affected because they don't offer an SSL-encrypted service).

* If you host a Quassel core, make sure to upgrade your OpenSSL to at least 
version 1.0.1g (or whatever your distro deems to be a fixed one), create a new 
private key and certificate and replace the quasselCert.pem file in your 
config directory as described in our wiki [2]; then restart your core. Since 
the vulnerability is in the OpenSSL library and not in Quassel itself, there 
is no need to update Quassel unless one of the following bullet points 
applies:

* If you run one of the static cores offered on our site, make sure to 
download the newest version; we uploaded a 0.10.0 core built against a fixed 
OpenSSL version on April 8th 2014, 19:14 UTC. Any older version is vulnerable, 
as an insecure OpenSSL version was bundled. After replacing the core, follow 
the previous step to regenerate your key and certificate.

* If you use our install package for Windows™, and run the core from this 
package, make sure to download the newest version. We uploaded a fixed package 
on April 9th 2014, 20:47 UTC. Any older version is vulnerable. First bullet 
point applies as well.

* Our MacOSX packages don't bundle OpenSSL; they use the system-supplied 
version instead. No need to install a newer Quassel core, but first bullet 
point applies.

That's it. Have fun securing your systems; I know I had... NOT.

[1] <http://heartbleed.com/>
[2] <http://bugs.quassel-irc.org/projects/quassel-irc/wiki/Client-Core_SSL_support>

Cheers,
~ Sput
-- 
Manuel "Sputnick" Nickschas ("Sput" on Freenode)                  |  (o<
Member of the Quassel IRC Project - http://quassel-irc.org        |  //\
Come visit us in #quassel!                                        |  V_/_
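
The upgrade-and-regenerate steps from the first bullet point, sketched as an added example (not part of the original announcement and not Quassel project code). It assumes an OpenSSL command-line tool on the core host; the config directory argument and the certificate subject are placeholders, and the version ranges are those published for upstream OpenSSL.

```shell
#!/bin/sh
# Added example: classify an `openssl version` banner against the upstream
# Heartbleed range (1.0.1 through 1.0.1f) and rebuild quasselCert.pem.

# heartbleed_status "<output of openssl version>"
# Prints: affected-range | fixed | unaffected | unknown
heartbleed_status() {
    ver=$(printf '%s\n' "$1" | awk '{print $2}')
    case "$ver" in
        # Distros often backport the fix without changing this string, so
        # "affected-range" means: confirm the package changelog before trusting it.
        1.0.1|1.0.1[a-f]|1.0.1[a-f]-*) echo "affected-range" ;;
        1.0.1[g-z]*)                   echo "fixed" ;;
        0.9.*|1.0.0*)                  echo "unaffected" ;;
        *)                             echo "unknown" ;;
    esac
}

# regen_cert <config-dir>
# Writes a new key and self-signed certificate into one PEM file, then swaps
# it in place of quasselCert.pem. The old key is overwritten, not kept.
regen_cert() (
    dir=$1
    new="$dir/quasselCert.pem.new"
    umask 077                       # key material readable by the owner only
    # CN is a constructed placeholder; -keyout and -out naming the same file
    # makes openssl append the certificate after the key.
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
        -subj "/CN=quassel-core.example" \
        -keyout "$new" -out "$new" || exit 1
    mv -f "$new" "$dir/quasselCert.pem"
)

# Report on the locally installed CLI. The core must still be restarted so
# that it loads the upgraded library and the new certificate.
if command -v openssl >/dev/null 2>&1; then
    banner=$(openssl version)
    echo "$banner: $(heartbleed_status "$banner")"
fi

# Usage (config directory is an assumption, adjust to your install):
#   regen_cert "$HOME/.config/quassel-irc.org"
```

The banner check only describes the command-line tool; a statically built core bundles its own OpenSSL, which is why the static and Windows packages above have to be replaced rather than checked this way.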

