On 04/09/2014 08:06 PM, Joseph wrote:
> Is Gentoo affected by this new 'Heartbleed' bug?
> 
> "The Heartbleed Bug is a serious vulnerability in the popular OpenSSL
> cryptographic software library...."
> 
> http://heartbleed.com/
> 

Yes, upgrade your OpenSSL to the latest stable version, and if 1.0.1g
isn't stable on your arch (it should be unless it's a weird one), unset
USE=tls-heartbeat like Ralf said.

But that's not your big problem. If you operate any servers, the private
keys to any OpenSSL-backed service may have been compromised. So the old
certificates all need to be revoked and new ones issued. That includes
Apache, OpenVPN, Postfix, Dovecot -- all the big ones. Even if you don't
run servers, other people do, and they were probably vulnerable. So any
passwords you've used on the web in the past two years should be changed.
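
A check for the upgrade-or-disable advice in the reply above, added here as an example and not part of the original message. It assumes the affected releases are 1.0.1 through 1.0.1f plus 1.0.2-beta1, and that a build with heartbeats turned off shows -DOPENSSL_NO_HEARTBEATS in `openssl version -a`; the function name and the sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify `openssl version -a` output for Heartbleed exposure.
# Assumptions (not in the original message): affected releases are 1.0.1
# through 1.0.1f plus 1.0.2-beta1; a build without heartbeat support shows
# -DOPENSSL_NO_HEARTBEATS on its "compiler:" line.
heartbleed_status() {
    info=$1
    # First line looks like "OpenSSL 1.0.1f 6 Jan 2014".
    ver=$(printf '%s\n' "$info" | awk 'NR==1 && $1=="OpenSSL" {print $2}')
    if [ -z "$ver" ]; then echo unknown; return 0; fi
    case $ver in
        1.0.1|1.0.1[a-f]|1.0.2-beta1)
            if printf '%s\n' "$info" | grep -q -e '-DOPENSSL_NO_HEARTBEATS'; then
                echo heartbeat-disabled
            else
                # Distributions that backport fixes keep the old version
                # string, so confirm against the package changelog.
                echo affected-version
            fi ;;
        *) echo not-affected ;;
    esac
}

# Constructed sample outputs (not captured from real hosts).
SAMPLE_AFFECTED='OpenSSL 1.0.1f 6 Jan 2014
platform: linux-x86_64
compiler: gcc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -O2'
SAMPLE_NO_HEARTBEAT='OpenSSL 1.0.1f 6 Jan 2014
platform: linux-x86_64
compiler: gcc -fPIC -DOPENSSL_PIC -DOPENSSL_NO_HEARTBEATS -D_REENTRANT -O2'
SAMPLE_FIXED='OpenSSL 1.0.1g 7 Apr 2014
platform: linux-x86_64
compiler: gcc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -O2'

echo "1.0.1f, heartbeats on:  $(heartbleed_status "$SAMPLE_AFFECTED")"
echo "1.0.1f, heartbeats off: $(heartbleed_status "$SAMPLE_NO_HEARTBEAT")"
echo "1.0.1g:                 $(heartbleed_status "$SAMPLE_FIXED")"

# Classify the local install when an openssl binary is present.
if command -v openssl >/dev/null 2>&1; then
    echo "this host:              $(heartbleed_status "$(openssl version -a 2>/dev/null)")"
fi
```

A "not-affected" or "heartbeat-disabled" result says nothing about keys that were exposed before the upgrade, so the revoke-and-reissue step in the reply still applies.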

