incubator-couchdb-user mailing list archives

From Alexander Gabriel <a...@barbalex.ch>
Subject Re: CouchDB and the Heartbleed SSL/TLS Vulnerability
Date Tue, 08 Apr 2014 17:08:08 GMT
Proactive, to-the-point information when it's crucial = great service.

Thanks a lot!
On 08.04.2014 17:53, "Jan Lehnardt" <jan@apache.org> wrote:

> Dear CouchDB community,
>
> You may or may not have heard about the Heartbleed SSL/TLS Vulnerability
> yet (http://heartbleed.com). Without much exaggeration, this is a big one.
>
> What does this mean for CouchDB?
>
> 1. If you are using CouchDB with the built-in SSL support, you are at the
> whim of Erlang/OTP’s handling of SSL. Lucky for you, while they do use
> OpenSSL for the heavy lifting, they do the TLS/SSL handshake logic in
> Erlang (
> http://erlang.org/pipermail/erlang-questions/2014-April/078537.html).
> That means you are not affected by this issue.
>
>
> 2. If you are using CouchDB behind a third-party proxy server you are at
> the whim of the SSL library it uses. For the big three Apache, nginx and
> HAProxy it’s all OpenSSL. So if they are using OpenSSL 1.0.1-1.0.1f with
> heartbeat support (RFC6520) enabled (the default), you need to take action.
> As far as I can tell now:
>
> 0. Check if you are vulnerable[1]
> 1. Stop your service.
> 2. Upgrade to OpenSSL 1.0.1g or recompile OpenSSL without heartbeat
> support.
> 3. Request new cert from your SSL cert vendor.
> 4. Revoke your old cert.
> 5. Invalidate all existing sessions by changing the CouchDB
> couchdb_httpd_auth/secret configuration value to a new UUID.
> 6. Restart your service.
> 7. Invalidate all your user’s passwords and/or OAuth tokens.
> 8. Notify your users that any of their data and passwords are potentially
> compromised.
>
> [1]:
> https://gist.githubusercontent.com/takeshixx/10107280/raw/8052d8479ad0c6150464748d639b0f5e877e8c37/hb-test.py
>
> Stay safe! <3
> Jan
> --

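The remediation list in Jan's mail, as an added shell example; this is not code from the mail or from the CouchDB project. It assumes CouchDB 1.x, where the cookie-auth secret is the `secret` key of the `[couch_httpd_auth]` section of local.ini and can be set over the `/_config` API, an admin `user:pass` in `$COUCH_ADMIN` and the server URL in `$COUCH_URL` (both variable names invented here). One caveat the version check needs: distributions shipped backported fixes without bumping the version string (a patched build can still report 1.0.1e), so treat `openssl_version_affected` as a first filter and confirm with the linked hb-test.py or your package's changelog before deciding you are clean.

```shell
#!/bin/sh
# Added example: Heartbleed remediation helpers for CouchDB behind an
# OpenSSL-based proxy. Not part of the original mail or of CouchDB.
# Assumptions: CouchDB 1.x config API, $COUCH_ADMIN="user:pass",
# $COUCH_URL="http://127.0.0.1:5984" (names invented for this example).

# Step 0 (first filter): is this `openssl version` string in the affected
# range? Heartbeat shipped with 1.0.1 and the fix is 1.0.1g, so 1.0.1
# through 1.0.1f are affected; 1.0.0 and 0.9.8 never had the extension.
# Returns 0 (shell true) when affected, 1 otherwise.
openssl_version_affected() {
    ver=${1#OpenSSL }          # drop the leading word if present
    ver=${ver%% *}             # keep only the version token
    case "$ver" in
        1.0.1|1.0.1[a-f]) return 0 ;;
        *)                return 1 ;;
    esac
}

# The proxy may link a different libssl than the `openssl` CLI in PATH,
# so inspect the daemon binary itself (Linux; ldd is assumed present).
linked_libssl() {
    ldd "$(command -v "$1")" | awk '/libssl/ { print $3 }'
}

# Step 5 helper: a fresh 128-bit secret as 32 lowercase hex characters.
# CouchDB accepts any string here; uuidgen would do as well.
new_secret() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# Step 5: rotate couch_httpd_auth/secret. Every AuthSession cookie was
# signed with the old secret, so all of them stop validating at once.
rotate_couch_secret() {
    secret=$(new_secret)
    curl -sS -u "$COUCH_ADMIN" -X PUT \
        "$COUCH_URL/_config/couch_httpd_auth/secret" \
        -d "\"$secret\""
}

# Constructed sample version strings, labelled as such, for a dry run.
SAMPLE_AFFECTED="OpenSSL 1.0.1f 6 Jan 2014"
SAMPLE_FIXED="OpenSSL 1.0.1g 7 Apr 2014"

# Only act when invoked as `sh heartbleed-couch.sh --apply`; a plain
# source or dry run changes nothing.
if [ "${1:-}" = "--apply" ]; then
    for bin in nginx httpd haproxy; do
        command -v "$bin" >/dev/null 2>&1 || continue
        echo "$bin links: $(linked_libssl "$bin")"
    done
    if openssl_version_affected "$(openssl version)"; then
        echo "openssl CLI reports an affected version; upgrade to 1.0.1g" \
             "(or rebuild without heartbeat), reissue and revoke certs," \
             "then run the secret rotation below." >&2
    fi
    rotate_couch_secret
fi
```

After rotating the secret, the remaining steps (new certificate, revocation, password and OAuth token resets, user notification) are manual and vendor-specific; nothing in the script pretends otherwise.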