Heartbleed -- the xTuple Response

 

bcwilson's picture

HeartbleedEarlier this week, security experts revealed a significant flaw in a widely used Internet security product called OpenSSL. The bug, called Heartbleed, is a vulnerability in systems that use OpenSSL to encrypt information over SSL connections. OpenSSL is used on about two-thirds of the Internet servers in the world, so the impact of this bug is very widespread. The existence of this bug does not mean that any specific private information has in fact been stolen, but it does mean that it could have been stolen, and all sites that employ the OpenSSL encryption library must implement a security patch immediately, as well as perform a number of other security-related updates, to protect against Heartbleed.

xTuple has taken the following actions to update our servers, secure our data, and protect our customers:

  1. The day after the information on Heartbleed was released, xTuple replaced the OpenSSL code on our servers with an updated version that does not contain the bug.
  2. We have revoked and reissued all SSL certificates for our servers, to remove any lingering vulnerability.
  3. We are informing our user community of our actions and recommending that you update your passwords.

What should you do?

This is not fun, we know, but the potential impact of this bug is quite serious and affects thousands of websites around the Internet, including ours. Now that we have updated our SSL certificates, you should update the passwords you use to connect to xTuple sites and services. You should also update any passwords you use to connect to any other Internet service, including Google, Facebook, Amazon, etc., as they all have been affected by this bug.

Want to know more?

If you want to learn more about Heartbleed, read the information posted by Codenomicon, the security firm that first exposed this bug.

 

 
MissySchmidt's picture
Offline
Joined: 02/07/2012
WHAT DO WE NEED TO DO OURSELVES?

Thanks, BC, for advising the xTuple community. In addition to the xTuple website, here is a task list developed from a trusted source I follow, Mashable, on passwords you need to change right now (if you know of others, please list them in a comment):

  1. Change your user password on xTuple website
  2. Change your password on the following websites (and do not use the same one):
    1. Amazon Web Services
    2. Box
    3. Dropbox
    4. Facebook
    5. Flickr
    6. GitHub
    7. Gmail
    8. GoDaddy
    9. Google
    10. Instagram
    11. Netflix
    12. Pinterest
    13. SoundCloud
    14. Tumblr
    15. Wunderlist
    16. Yahoo
    17. YouTube
  3. Sites that tell us we do NOT need to change passwords:
    1. Amazon
    2. Apple
    3. Banks
    4. eBay
    5. Evernote
    6. Government and Taxes
    7. Groupon
    8. Hotmail
    9. LinkedIn
    10. Microsoft
    11. Outlook
    12. Password Managers (1Password, Dashlane, LastPass)
    13. PayPal
    14. Twitter
    15. Wordpress (unclear)
 
MissySchmidt's picture
Offline
Joined: 02/07/2012
Infographic: Major sites affected by Heartbleed (and what to do)