Greetings.

I want to pass along some additional information about this vulnerability and how it affects Fedora Infrastructure.

Shortly after sending the announcement, it was confirmed that private keys from SSL certs CAN be acquired by this vulnerability. Accordingly, we WILL be reissuing all our SSL certificates. We have started this process today, and will send another email when all of them are reissued.

If you have not yet changed your Fedora Account system password you may wish to wait until we have finished replacing all SSL certificates.

Additionally, it was pointed out that Firefox does now use OCSP (Online Certificate Status Protocol) by default. It should note revoked certificates as long as it's able to reach the OCSP provider for that Certificate Authority (if it cannot, it will assume the certificate is valid).

Thanks for your patience as we work to keep Fedora resources secure.

kevin
-- announce mailing list announce@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/announce