Published at 10.04.2014
Update: On Wednesday, April 9 at 16:55 CET, we created new certificates for a9s.eu and a9sapp.eu, anynines’ gateways.
On April 7th, the OpenSSL team released a new version of OpenSSL to address a serious security issue that might leak sensitive data to anyone who is able to connect to your SSL services (if you are running OpenSSL version 1.0.1). CVE-2014-0160 is the official reference for this bug. The website heartbleed.com hosts a writeup of the consequences this bug might have.
StackOverflow-related forums have been literally overflowing with questions over the last couple of days, and rightly so. This serious vulnerability affects a substantial number of applications running on the internet, including anynines. We advise all anynines users to update their passwords as a precautionary measure.
If you are currently running SSL, you should re-key and reissue your certificate and update it, as it may have been exposed.
All our servers, including all host machines of anynines and SSL gateways, are running automatic upgrades, started every 10 minutes by Chef. These upgrades were installed successfully on April 8 at 6:36 AM CET, and our webservers are now using the most recent OpenSSL dynamic library.
The issue was fixed in all our systems directly after the new libopenssl version was available. We have checked all our hosts with open ports and SSL for any leaks and we are ‘all green’ on our side.
However, we cannot know for certain whether any private SSL key has been stolen. Therefore, we advise you to re-key and reissue your certificates.
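A caveat to the library upgrade described above: a process that loaded libssl before the package upgrade keeps the old library mapped until it is restarted. The following is an added example, not anynines' own tooling, that lists such processes on Linux by looking for OpenSSL libraries marked "(deleted)" in /proc/<pid>/maps; the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: find processes still running a replaced OpenSSL library.
# Function names and the sample tree are constructed for illustration.

# Print PIDs whose memory map still references an unlinked libssl/libcrypto.
# $1 = proc root (defaults to /proc). Run as root to read every process's maps.
stale_openssl_pids() (
    proc_root="${1:-/proc}"
    for maps in "$proc_root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        # The kernel appends " (deleted)" to a mapped path once the file on
        # disk has been unlinked, which is what a package upgrade does.
        if grep -Eq '/lib(ssl|crypto)[^/]*\.so[^/]* \(deleted\)$' "$maps"; then
            pid_dir="${maps%/maps}"
            printf '%s\n' "${pid_dir##*/}"
        fi
    done | sort -n
)

# Build a constructed /proc-like tree: two stale processes, one restarted.
demo_tree() (
    root=$(mktemp -d) || exit 1
    mkdir "$root/812" "$root/1290" "$root/3071"
    lib=/lib/x86_64-linux-gnu
    printf '%s\n' \
        "00400000-004b2000 r-xp 00000000 08:01 262301 /usr/sbin/nginx" \
        "7f3a10000000-7f3a1005a000 r-xp 00000000 08:01 131234 $lib/libssl.so.1.0.0 (deleted)" \
        > "$root/812/maps"
    printf '%s\n' \
        "00400000-004b2000 r-xp 00000000 08:01 262301 /usr/sbin/nginx" \
        "7f91c0000000-7f91c005a000 r-xp 00000000 08:01 140772 $lib/libssl.so.1.0.0" \
        > "$root/1290/maps"
    printf '%s\n' \
        "7f55e0000000-7f55e01d6000 r-xp 00000000 08:01 131230 $lib/libcrypto.so.1.0.0 (deleted)" \
        > "$root/3071/maps"
    printf '%s\n' "$root"
)

sample=$(demo_tree)
stale_openssl_pids "$sample"   # prints 812 and 3071; 1290 was restarted
rm -rf "$sample"
```

Called without an argument, stale_openssl_pids scans the real /proc; restart every service it reports and re-run it until it prints nothing.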
In case you have any questions, please send us an email at email@example.com.