As you have probably heard, a severe security bug in OpenSSL dubbed Heartbleed was uncovered on April 7th. It allows anyone to read 64k chunks of memory of the systems using the vulnerable versions of OpenSSL, leaving no trace in common system or server logs.
All Semaphore’s current infrastructure is using OpenSSL and was thus affected and needed to be updated. Here’s what we did and what we recommend you to do as well.
OpenSSL upgrade
We upgraded OpenSSL to a secure version on our front-end system on April 8th 9:47 AM UTC. Immediate next step was to replace SSL certificates. Once that was in place, the platform was secure from any future attacks. We then proceeded to upgrade OpenSSL and certificates on our build platform as well.
Passwords, API tokens and sessions
We have found no evidence of harm, but absence of evidence does not equal evidence of absence, hence we recommend that you change your Semaphore password and reset your API token. We have implemented a one-click way for resetting the API token for this purpose, you can find it in project settings > API. We have also reset all user sessions.
GitHub tokens
GitHub issued their response to Heartbleed. We encourage you to use their 2FA system if you are not already. They implemented an API endpoint for resetting OAuth tokens, which we applied to all Semaphore users.
Heroku tokens
If you are deploying from Semaphore to Heroku, and you changed your Heroku password (which you should do), then the API token that Semaphore is using internally to run db:migrate for you is no longer valid. We have implemented an easy way for you to set a new value of Heroku API token, which you can find on your server settings page.
Contacting us
If you still have any concerns, please do get in touch, we are happy to help and answer any questions. You can reach us via the “Support” link inside the app or via semaphore@renderedtext.com.