We've already updated our OpenSSL and generated a new certificate for our Moodle site, but we're trying to decide if we need to force a password change on all of our users. Currently, authentication is done via Active Directory, and the AD server is not vulnerable, but we are trying to determine what happens to the users' credentials when they are sent to Moodle. How are they passed along to AD for authentication, and how long are they resident in memory?
My security hat says the safest option is to force a password reset, but we are rolling into the busiest part of the semester, so before pulling the pin on that grenade, I'm hoping someone with a clearer insight into the workings of the AD authentication system can provide input.