Hi all,
As you may or may not be already aware, a significant security vulnerability in OpenSSL has recently been found.
This vulnerability was discovered within the OpenSSL cryptographic software library, a global standard used by most web servers, and is not related to Moodle software.
This vulnerability allows an attacker to abuse the TLS heartbeat mechanism to read 64k of addressable server memory at a time, potentially leaking sensitive information, including SSL private keys, usernames, passwords, and other details that are normally protected by the encrypted SSL channel.
The vulnerability, introduced in December 2011, affects OpenSSL versions 1.0.1 through 1.0.1f, covering a significant portion of SSL websites across the world.
I can confirm that like many other sites, Moodle.org was vulnerable to this issue.
On Tuesday (8/4/14), all Moodle servers were patched for the vulnerability. As the vulnerability does not leave any signs as to whether a system has been exploited, I have re-keyed and re-signed our SSL certificates to ensure that, in the event our private key was leaked, our communications will not be compromised.
There is, however, one major concern remaining. As the vulnerability made it possible to read any data in server memory, including usernames and passwords, your moodle.org account may have been compromised.
As a precautionary measure, I am advising all moodle.org users to change their passwords here, and on any site *confirmed* to have fixed this vulnerability.
You can confirm a site has been patched for the Heartbleed vulnerability by using this tool: http://filippo.io/Heartbleed/
It is important to confirm that a site is no longer vulnerable BEFORE you change your credentials there; otherwise your new credentials could be exposed in exactly the same way, defeating the purpose of changing them in the first place.
IMPORTANT for Moodle Administrators
If you are running Moodle over HTTPS, or any other daemons using SSL, I strongly advise that you update OpenSSL to the latest version, re-key and re-sign your SSL certificates, and restart the daemons (Apache, Nginx, etc.) using OpenSSL.
Moodle's MNET functionality uses OpenSSL to generate the certificates and keys that secure identity and communication for its single sign-on feature. After updating OpenSSL, you should therefore also re-key and re-sign your MNET certificates so that these communication channels remain secure.
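The administrator steps above (update OpenSSL, restart every daemon that loaded it, re-key and re-sign), as an added shell example that is not from the original post or from Moodle. It goes a little beyond the text: besides checking the installed version against the affected range, it finds daemons that were not restarted after the upgrade and still have the old libssl/libcrypto mapped, which is the usual way a "patched" host stays exposed. It assumes a Linux host with /proc mounted, an openssl binary on PATH, root privileges, and a placeholder certificate subject (moodle.example.org) that you would replace with your own.

```shell
#!/bin/sh
# Added example, not from the original post: post-upgrade checks for a Linux
# host serving Moodle. Assumes /proc is mounted, openssl is on PATH, and root.

# Succeed if an "openssl version" string names a release in the affected range
# 1.0.1 .. 1.0.1f. Distributions often backport the fix without bumping the
# version, so a hit means "check 'openssl version -b' and your vendor advisory".
vulnerable_version() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9.]*[a-z]*\).*/\1/p')
    case "$ver" in
        1.0.1|1.0.1[a-f]) return 0 ;;
        *) return 1 ;;
    esac
}

# Read /proc/<pid>/maps on stdin; succeed if the process still maps a
# libssl/libcrypto file marked "(deleted)", i.e. it loaded the old library
# before the package upgrade and has not been restarted since.
stale_ssl_mapping() {
    grep -E 'lib(ssl|crypto)[^ ]*\.so[^ ]* \(deleted\)$' >/dev/null
}

# List running processes that still map the pre-upgrade library; these
# (Apache, Nginx, PHP-FPM, mail daemons, ...) must be restarted.
processes_needing_restart() {
    for maps in /proc/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        if stale_ssl_mapping <"$maps"; then
            pid=${maps#/proc/}; pid=${pid%/maps}
            printf '%s %s\n' "$pid" "$(tr '\000' ' ' </proc/"$pid"/cmdline)"
        fi
    done
}

# Generate a fresh private key and CSR for your CA to re-sign, since the old
# key must be assumed leaked. Placeholder subject: replace with your own.
rekey() {
    openssl req -new -newkey rsa:2048 -nodes -keyout server-new.key \
        -out server-new.csr -subj "/CN=moodle.example.org"
}

if [ "${1-}" = "--run" ]; then
    v=$(openssl version)
    if vulnerable_version "$v"; then echo "WARNING: $v is in the affected range"
    else echo "OK: $v is outside the affected range"; fi
    echo "Processes still holding the pre-upgrade libssl/libcrypto:"
    processes_needing_restart
fi
```

Run it with `--run` after the package upgrade; once the restart list is empty, run `rekey`, have the CSR signed, install the new key and certificate, and restart the daemons once more.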
For more information on this vulnerability, check out http://heartbleed.com/
Kind Regards,
Matt
Moodle Systems Administrator