Holy wow, thanks for the heads up and explanations.
On Tue, Apr 8, 2014 at 10:53 AM, Jan Lehnardt <[email protected]> wrote:
> Dear CouchDB community,
>
> You may or may not have heard about the Heartbleed SSL/TLS Vulnerability
> yet (http://heartbleed.com). Without much exaggeration, this is a big one.
>
> What does this mean for CouchDB?
>
> 1. If you are using CouchDB with the built-in SSL support, you are at the
> whim of Erlang/OTP's handling of SSL. Lucky for you, while they do use
> OpenSSL for the heavy lifting, they do the TLS/SSL handshake logic in
> Erlang (http://erlang.org/pipermail/erlang-questions/2014-April/078537.html).
> That means you are not affected by this issue.
>
> 2. If you are using CouchDB behind a third-party proxy server you are at
> the whim of the SSL library it uses. For the big three Apache, nginx and
> HAProxy it's all OpenSSL. So if they are using OpenSSL 1.0.1-1.0.1f with
> heartbeat support (RFC6520) enabled (the default), you need to take action.
> As far as I can tell now:
>
> 0. Check if you are vulnerable[1]
> 1. Stop your service.
> 2. Upgrade to OpenSSL 1.0.1g or recompile OpenSSL without heartbeat
> support.
> 3. Request new cert from your SSL cert vendor.
> 4. Revoke your old cert.
> 5. Invalidate all existing sessions by changing the CouchDB
> couchdb_httpd_auth/secret configuration value to a new UUID.
> 6. Restart your service.
> 7. Invalidate all your users' passwords and/or OAuth tokens.
> 8. Notify your users that any of their data and passwords are potentially
> compromised.
>
> [1]: https://gist.githubusercontent.com/takeshixx/10107280/raw/8052d8479ad0c6150464748d639b0f5e877e8c37/hb-test.py
>
> Stay safe! <3
> Jan
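The remediation steps quoted above, worked through as an added shell example. This is not code from Jan's mail or from the CouchDB project. It assumes POSIX sh with openssl, curl, od and /dev/urandom available; COUCH_URL and PROXY_ADDR are placeholder values the operator sets; and it writes the session secret to the [couch_httpd_auth] section, which is the name CouchDB 1.x uses for that setting (the mail spells it couchdb_httpd_auth). The version check only implements the range the mail gives (1.0.1 through 1.0.1f), so a distro build that backported the fix but kept a 1.0.1e version string will still show as vulnerable here; the live probe (hb-test.py, [1]) remains the authoritative answer.

```shell
#!/bin/sh
# Added example, not from the original mail or from CouchDB: helpers for the
# Heartbleed remediation steps for a CouchDB 1.x node behind an OpenSSL proxy.
# Assumptions: COUCH_URL and PROXY_ADDR are placeholders the operator sets;
# the session secret lives under [couch_httpd_auth] (the CouchDB 1.x name).

COUCH_URL="${COUCH_URL:-http://admin:password@127.0.0.1:5984}"   # assumed
PROXY_ADDR="${PROXY_ADDR:-127.0.0.1:443}"                         # assumed

# Step 0a: offline check of an `openssl version` string against the range the
# mail names (1.0.1 through 1.0.1f). Returns 0 when in range. Distro builds
# that backport the fix keep the old version string, so a hit here is a
# reason to run the live probe (hb-test.py), not proof by itself.
openssl_version_vulnerable() {
    ver=$(printf '%s\n' "$1" |
          sed -n 's/^\(OpenSSL \)\{0,1\}\([0-9.]*[a-z]*\).*/\2/p')
    case "$ver" in
        1.0.1|1.0.1[a-f]) return 0 ;;
        *)                return 1 ;;
    esac
}

# Step 0b: does the proxy still negotiate the heartbeat extension (RFC 6520)?
# `openssl s_client -tlsextdebug` prints the server's extensions during the
# handshake; a server built without heartbeat support does not send it.
# A fixed 1.0.1g still advertises it, so this only tells you whether step 2's
# "recompile without heartbeat" route was taken. Needs network access, so it
# is not exercised in the offline checks.
proxy_advertises_heartbeat() {
    printf 'Q\n' | openssl s_client -connect "$1" -tlsextdebug 2>/dev/null |
        grep -q 'server extension "heartbeat"'
}

# Step 5: a fresh random secret (32 hex chars, 128 bits) for
# [couch_httpd_auth] secret. Changing it invalidates every cookie session,
# since the session cookie is an HMAC keyed with this value.
generate_secret() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# PUT the new secret through the 1.x _config API; the body is a JSON string.
rotate_couchdb_secret() {
    secret=$(generate_secret)
    curl -sf -X PUT "$1/_config/couch_httpd_auth/secret" -d "\"$secret\""
}

# Driver: only runs when invoked as `./heartbleed-couchdb.sh remediate`, so
# sourcing the file for its functions has no side effects.
if [ "${1:-}" = "remediate" ]; then
    if openssl_version_vulnerable "$(openssl version)"; then
        echo "local OpenSSL is in the 1.0.1-1.0.1f range; do step 2 first" >&2
        exit 1
    fi
    if proxy_advertises_heartbeat "$PROXY_ADDR"; then
        echo "$PROXY_ADDR negotiates heartbeat; confirm with hb-test.py" >&2
    fi
    rotate_couchdb_secret "$COUCH_URL" && echo "session secret rotated (step 5)"
fi
```

Steps 3, 4, 7 and 8 (cert reissue and revocation, resetting user passwords and OAuth tokens, user notification) are vendor- and deployment-specific and are left to the operator; the secret rotation above only covers existing cookie sessions, which is all step 5 claims.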
