Today a serious security vulnerability in the popular encryption library OpenSSL was publicly announced. This issue affects all software using OpenSSL, including Prosody.
The bug allows external attackers to read the memory of any process using OpenSSL, by connecting to it and sending specially crafted packets. In Prosody's case this puts at risk lots of data, including (but not limited to) passwords, messages, and your certificate's key file used to protect SSL/TLS traffic.

Our advice is to upgrade OpenSSL immediately; Debian, Ubuntu and many other distributions already have fixes available. On Debian/Ubuntu run:

    sudo apt-get update
    sudo apt-get upgrade
    sudo service prosody restart

Don't forget to restart any other services you have that use OpenSSL as well, such as your web server or mail server. Alternatively you may simply reboot to ensure all services are restarted.

More generic information on the issue can be found at http://heartbleed.com/

I'll try and finish off with some good news:

- if your client used the more advanced SCRAM-SHA-1 mechanism to authenticate to Prosody and you use hashed password storage, your password is probably safe (it would take considerable targeted effort to recover)
- if you used OTR or some other end-to-end encryption mechanism with your contacts, your message contents are probably safe
- if you used TLS ciphers with forward secrecy then generally your encrypted traffic could not easily be decrypted even if your certificate's key file was compromised (though individual connections active around the time of an attack could still be compromised)
- the flaw in OpenSSL has existed for around two years, but we cannot know for sure that it has actually been exploited by anyone

Further reading:

Information and FAQ: http://heartbleed.com/
OpenSSL advisory: http://www.openssl.org/news/secadv_20140407.txt
Debian advisory: http://www.debian.org/security/2014/dsa-2896
Ubuntu advisory: http://www.ubuntu.com/usn/usn-2165-1/
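The announcement above tells you to upgrade OpenSSL and then restart every service that uses it, because a running process keeps the old library mapped in memory until it is restarted. The following script is an added example, not part of the original Prosody mailing-list post, that checks for exactly that on a Linux host: after the package upgrade, any process that loaded the old libssl/libcrypto shows the library path with a "(deleted)" suffix in its /proc/<pid>/maps listing. The function and file names are my own; the sample maps line in the comments is constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the Prosody announcement): after upgrading OpenSSL,
# list processes that still have the OLD libssl or libcrypto mapped and so
# still need a restart (e.g. "sudo service prosody restart").
#
# Background: when a package upgrade replaces a shared library on disk, a
# process that loaded the old file keeps it mapped. The kernel then reports
# the mapping in /proc/<pid>/maps with a "(deleted)" suffix, e.g. (constructed):
#   7f00-7f01 r-xp 00000000 08:01 12345 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
#
# Caveat: this only catches dynamically linked programs. A binary that bundles
# OpenSSL statically must be identified and restarted separately.

# needs_restart MAPS_FILE
# Succeeds (exit 0) if the given maps listing references a deleted
# libssl or libcrypto shared object.
needs_restart() {
    grep -Eq 'lib(ssl|crypto)\.so[^ ]* \(deleted\)$' "$1"
}

# list_stale_openssl_processes
# Scans every process on this host and prints "<pid> <command line>" for each
# one that still holds the pre-upgrade OpenSSL library in memory.
# Run as root to see processes owned by other users.
list_stale_openssl_processes() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}
        pid=${pid%/maps}
        # Unreadable maps (other users' processes, exited pids) are skipped.
        if needs_restart "$maps" 2>/dev/null; then
            printf '%s %s\n' "$pid" "$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)"
        fi
    done
}

# Usage: sh check_openssl_restart.sh --scan
case "${1:-}" in
    --scan) list_stale_openssl_processes ;;
esac
```

Run it right after `apt-get upgrade`; every PID it prints is a service to restart, and an empty listing (or a reboot, as the post suggests) means no process is still using the vulnerable copy of the library.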