A Bleeding Heart - Important Information for Quassel Core Hosters!
Hi all,

as you should have heard by now, a major security vulnerability was discovered in OpenSSL [1]. This does affect Quassel as well, as by default the connection between a Quassel client and core is encrypted using SSL (or, rather, TLS); in particular, it affects you if you run a core that supports SSL and is exposed to the public internet (clients, both monolithic and stand-alone, are not affected because they don't offer an SSL-encrypted service).

* If you host a Quassel core, make sure to upgrade your OpenSSL to at least version 1.0.1g (or whatever your distro deems to be a fixed one), create a new private key and certificate and replace the quasselCert.pem file in your config directory as described in our wiki [2]; then restart your core.

Since the vulnerability is in the OpenSSL library and not in Quassel itself, there is no need to update Quassel unless one of the following bullet points applies:

* If you run one of the static cores offered on our site, make sure to download the newest version; we uploaded a 0.10.0 core built against a fixed OpenSSL version on April 8th 2014, 19:14 UTC. Any older version is vulnerable, as an insecure OpenSSL version was bundled. After replacing the core, follow the previous step to regenerate your key and certificate.

* If you use our install package for Windows™, and run the core from this package, make sure to download the newest version. We uploaded a fixed package on April 9th 2014, 20:47 UTC. Any older version is vulnerable. First bullet point applies as well.

* Our MacOSX packages don't bundle OpenSSL; they use the system-supplied version instead. No need to install a newer Quassel core, but first bullet point applies.

That's it. Have fun securing your systems; I know I had... NOT.

[1] http://heartbleed.com/
[2] http://bugs.quassel-irc.org/projects/quassel-irc/wiki/Client-Core_SSL_suppor...
Cheers,
~ Sput

--
Manuel "Sputnick" Nickschas ("Sput" on Freenode) | (o<
Member of the Quassel IRC Project - http://quassel-irc.org | //\
Come visit us in #quassel! | V_/_
On Wednesday 09 April 2014 23:18:00 you wrote:

Hi again,
> * If you host a Quassel core, make sure to upgrade your OpenSSL to at least version 1.0.1g (or whatever your distro deems to be a fixed one), create a new private key and certificate and replace the quasselCert.pem file in your config directory as described in our wiki [2]; then restart your core.
Obviously, you need to restart your core *after upgrading OpenSSL* and *before creating a new certificate* first, because otherwise your newly generated private key could leak again. And then restart your core a second time after replacing the certificate. Also, you should change the passwords afterwards, because they may have leaked, too.

Cheers,
~ Sput

--
Manuel "Sputnick" Nickschas ("Sput" on Freenode) | (o<
Member of the Quassel IRC Project - http://quassel-irc.org | //\
Come visit us in #quassel! | V_/_
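The procedure from both mails as a shell sketch, added here and not part of Sput's posts or of the Quassel project: a check of the installed OpenSSL version against the 1.0.1g threshold named above, and the key/certificate rotation in the order the follow-up insists on (restart, then generate, then restart again). `QUASSEL_CONF`, `RESTART_CORE` and the combined key-plus-certificate layout of `quasselCert.pem` are assumptions.

```shell
#!/bin/sh
# Added example, not from Sput's posts or the Quassel project.

# True (0) when an OpenSSL version string is 1.0.1g or newer, or from a
# branch that never shipped the heartbeat bug (0.9.8, 1.0.0).
# Caveat: distros backport fixes without bumping the version string, so
# treat a "vulnerable" verdict as a prompt to read your distro's advisory,
# not as proof. Strings that are not OpenSSL's return 2 (unknown).
openssl_fixed() {
    ver=$(printf '%s' "$1" | sed -n 's/^OpenSSL \([0-9][0-9a-z.-]*\).*/\1/p')
    [ -n "$ver" ] || return 2
    case "$ver" in
        0.9.8*|1.0.0*)      return 0 ;;   # no heartbeat extension at all
        1.0.1|1.0.1[a-f]*)  return 1 ;;   # 1.0.1 .. 1.0.1f: vulnerable
        1.0.2-beta1*)       return 1 ;;   # the 1.0.2 beta that had it too
        *)                  return 0 ;;   # 1.0.1g and everything later
    esac
}

# Rotation in the order the follow-up gives: restart so the running core
# drops the old library, THEN generate the key (so it cannot leak through
# a still-vulnerable process), THEN restart again to load the new cert.
# QUASSEL_CONF and RESTART_CORE are placeholders you must set (assumed,
# not Quassel's own); quasselCert.pem is assumed to hold key and
# certificate together in one PEM file.
rotate_quassel_cert() {
    conf=${QUASSEL_CONF:?set to the core config directory}
    restart=${RESTART_CORE:?set to the command that restarts the core}
    if ! openssl_fixed "$(openssl version)"; then
        echo "installed OpenSSL still looks vulnerable; upgrade first" >&2
        return 1
    fi
    $restart                              # 1st restart: new library loaded
    umask 077                             # key material is owner-only
    tmp=$(mktemp -d) || return 1
    openssl req -x509 -nodes -days 365 -newkey rsa:4096 \
        -subj "/CN=$(hostname)" -keyout "$tmp/key.pem" -out "$tmp/cert.pem" \
        || { rm -rf "$tmp"; return 1; }
    cat "$tmp/key.pem" "$tmp/cert.pem" > "$conf/quasselCert.pem"
    rm -rf "$tmp"
    $restart                              # 2nd restart: new certificate live
    echo "done; now change the core's user passwords, they may have leaked too"
}
```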