Libsdl.org updates

Like the rest of the Internet, libsdl.org was vulnerable to Heartbleed,
so I’ve taken the time to update not just OpenSSL, but also the server
distribution. If you find anything suddenly broken, please report any
problems to me.

As for Heartbleed:
We don’t have any reason to believe that either your passwords or our
SSL key was compromised, but we don’t really know for sure, and since
the rest of the Internet isn’t sure this week, either, this would be a
good time to change any passwords you have for the SDL web forums,
bugzilla, wiki, etc.

–ryan.

Hey Ryan, did you guys also go about creating new keys regardless?

– Alberto

On 2014-04-10 00:38, Ryan C. Gordon wrote:

As for Heartbleed:
We don’t have any reason to believe that either your passwords or our
SSL key was compromised, but we don’t really know for sure, and since
the rest of the Internet isn’t sure this week, either, this would be a
good time to change any passwords you have for the SDL web forums,
bugzilla, wiki, etc.

Obviously now would be a good time to change your SDL passwords, but
don’t go on a password-changing frenzy until you know the servers in
question have been patched.

I expect this won’t be the last one of these MAJOR vulnerabilities we
hear about… Ed Snowden: He saw something, he said something. Doubt
SDL is a high-value surveillance target … but then again the US army
does use video games to train soldiers nowadays so who knows. :)

Joseph

On Thu, Apr 10, 2014 at 01:38:25AM -0400, Ryan C. Gordon wrote:

Like the rest of the Internet, libsdl.org was vulnerable to
Heartbleed, so I’ve taken the time to update not just OpenSSL, but
also the server distribution. If you find anything suddenly broken,
please report any problems to me.

As for Heartbleed:
We don’t have any reason to believe that either your passwords or our
SSL key was compromised, but we don’t really know for sure, and since
the rest of the Internet isn’t sure this week, either, this would be
a good time to change any passwords you have for the SDL web forums,
bugzilla, wiki, etc.

–ryan.


SDL mailing list
SDL at lists.libsdl.org
http://lists.libsdl.org/listinfo.cgi/sdl-libsdl.org

Joseph Carter wrote:

I expect this won’t be the last one of these MAJOR vulnerabilities we
hear about… Ed Snowden: He saw something, he said something. Doubt
SDL is a high-value surveillance target … but then again the US army
does use video games to train soldiers nowadays so who knows. :)

Joseph

Sounds like we should re-examine every patch sent from NSA B-).

Hey Ryan, did you guys also go about creating new keys regardless?

This is in progress, but revoking the old key is proving difficult. To
be clear: we’ve patched the bug, but not replaced the SSL certs yet.
We will soon.

–ryan.

Getting cert revoked, no new cert yet?

On Sat, Apr 12, 2014 at 12:18 AM, Ryan C. Gordon wrote:

Hey Ryan, did you guys also go about creating new keys regardless?

This is in progress, but revoking the old key is proving difficult. To be
clear: we’ve patched the bug, but not replaced the SSL certs yet. We will
soon.

–ryan.


Hi all,

Am I the only one that can’t access wiki.libsdl.org since yesterday?

All I get is this (from my browser):

An error occurred during a connection to wiki.libsdl.org. Peer’s
Certificate has been revoked. (Error code: sec_error_revoked_certificate)

I might say a blasphemy, but wouldn’t it be easier to drop the https
thing, and publish the SDL wiki on raw http? Or at least allow both,
without redirecting the user to https by force…
I don’t care about the wiki being protected, I would just like to access
it (of course I understand SSL is necessary for forum, etc… but the
wiki is not, until someone wants to log in to make changes).

cheers,
Mateusz

On 04/16/2014 03:42 AM, Andre D wrote:

Getting cert revoked, no new cert yet?

On Sat, Apr 12, 2014 at 12:18 AM, Ryan C. Gordon wrote:

Hey Ryan, did you guys also go about creating new keys regardless?

This is in progress, but revoking the old key is proving difficult. To be
clear: we’ve patched the bug, but not replaced the SSL certs yet. We will
soon.

–ryan.



The wiki is already accessible through http only.

On Wednesday, April 16, 2014 08:17:51 AM Mateusz Viste wrote:

I might say a blasphemy, but wouldn’t it be easier to drop the https
thing, and publish the SDL wiki on raw http? Or at least allow both,
without redirecting the user to https by force…

We had some issues.

The SSL certs are now revoked and replaced with new ones, you should be
able to use https://*.libsdl.org/ again, right now.

Sorry about that!

–ryan.

On 04/15/2014 09:42 PM, Andre D wrote:

Getting cert revoked, no new cert yet?

The SSL certs are now revoked and replaced with new ones, you should be
able to use https://*.libsdl.org/ again, right now.

Also, this means it’s now safe to change your passwords on any
libsdl.org service.

We have no evidence to suggest your accounts were compromised, but we
also have no evidence to suggest they weren’t…that’s the problem with
Heartbleed. It’s a good idea to change your passwords now.

Please ask me if you have problems or questions.

–ryan.