[quassel-announce] A Bleeding Heart - Important Information for Quassel Core Hosters!
sputnick at quassel-irc.org
Wed Apr 9 23:18:00 CEST 2014
as you should have heard by now, a major security vulnerability was discovered
in OpenSSL. This does affect Quassel as well, as by default the connection
between a Quassel client and core is encrypted using SSL (or, rather, TLS); in
particular, it affects you if you run a core that supports SSL and is exposed
to the public internet (clients, both monolithic and stand-alone, are not
affected because they don't offer an SSL-encrypted service).
* If you host a Quassel core, make sure to upgrade your OpenSSL to at least
version 1.0.1g (or whatever your distro deems to be a fixed one), create a new
private key and certificate and replace the quasselCert.pem file in your
config directory as described in our wiki; then restart your core. Since
the vulnerability is in the OpenSSL library and not in Quassel itself, there
is no need to update Quassel unless one of the following bullet points
* If you run one of the static cores offered on our site, make sure to
download the newest version; we uploaded a 0.10.0 core built against a fixed
OpenSSL version on April 8th 2014, 19:14 UTC. Any older version is vulnerable,
as an insecure OpenSSL version was bundled. After replacing the core, follow
the previous step to regenerate your key and certificate.
* If you use our install package for Windows™, and run the core from this
package, make sure to download the newest version. We uploaded a fixed package
on April 9th 2014, 20:47 UTC. Any older version is vulnerable. First bullet
point applies as well.
* Our MacOSX packages don't bundle OpenSSL; they use the system-supplied
version instead. No need to install a newer Quassel core, but first bullet
That's it. Have fun securing your systems; I know I had... NOT.
Manuel "Sputnick" Nickschas ("Sput" on Freenode) | (o<
Member of the Quassel IRC Project - http://quassel-irc.org | //\
Come visit us in #quassel! | V_/_
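
The first bullet point's steps (check the OpenSSL version, create a new key and certificate, replace quasselCert.pem) as an added shell example; this is not part of the original announcement or the Quassel project's own tooling. The function names, the certificate subject and the config directory passed as an argument are assumptions; restart the core afterwards.

```shell
#!/bin/sh
# Added example; function names and the config-dir argument are assumptions.

# Extract the version field from `openssl version` output,
# e.g. "OpenSSL 1.0.1f 6 Jan 2014" -> "1.0.1f".
parse_openssl_version() {
    set -- $1
    printf '%s\n' "$2"
}

# Return 0 if the upstream version is in the Heartbleed range (1.0.1 - 1.0.1f).
# Distros backport fixes without changing this string, so a match means
# "check the distro advisory", not proof of exposure.
is_vulnerable_openssl() {
    case "$1" in
        1.0.1|1.0.1[a-f]) return 0 ;;
        *) return 1 ;;
    esac
}

# Create a fresh key and self-signed certificate and install them as
# quasselCert.pem (key and certificate in one file) in config dir $1.
# Optional $2 is the RSA key size. Runs in a subshell so the umask
# does not leak into the caller.
regen_quassel_cert() (
    dir=$1; bits=${2:-4096}
    pem="$dir/quasselCert.pem"; tmp="$pem.tmp.$$"
    umask 077
    openssl req -x509 -nodes -newkey "rsa:$bits" -days 365 \
        -subj "/CN=quassel-core" \
        -keyout "$tmp.key" -out "$tmp.crt" 2>/dev/null || exit 1
    cat "$tmp.key" "$tmp.crt" > "$tmp" && mv "$tmp" "$pem"
    rc=$?
    rm -f "$tmp.key" "$tmp.crt" "$tmp"
    exit $rc
)

# SHA-256 fingerprint of the certificate in $1; compare before and after
# regeneration to confirm the old certificate is really gone.
cert_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1"
}
```

The version check only sees the `openssl` command on the path; a static core bundles its own OpenSSL, so for those the upload dates in the announcement are what count.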