Wikimedia Blog/Drafts/Heartbleed/la
This post has been published at https://blog.wikimedia.org/2014/04/10/wikimedias-response-to-the-heartbleed-security-vulnerability/. You are welcome to add translations here.
Wikimedia responds to a new danger.
On April 7th, a major new threat to security was discovered. Wikimedia acted quickly so that users would be safe again.
Heartbleed could have allowed malicious people to steal information. For some hours the danger was great, but afterwards no malicious activity could be shown.
How Wikimedia acted is shown below.
Whenever users request something from Wikipedia, a secret token is sent. If someone were to capture this token maliciously, they could pass as another user. Issuing new secret tokens to all users can bring great security benefits.
Changing your password is recommended, not required, for maximum security.
We thank you for your patience and understanding.
Greg Grossmeier and the WMF Operations and Platform teams
How Wikimedia responded.
Times are shown in UTC.
April 7th:
- 17:30: The Heartbleed bug is made public.
- 21:48: Ubuntu releases patched versions of the software.
April 8th:
- 04:03: We begin upgrading libssl on all of our servers, beginning with high-priority machines.
- 09:08: We begin replacing SSL certificates.
- 13:09: We forcibly upgrade libssl on WMF Tool Labs.
- 13:46: The upgrade of libssl on all public servers is complete.
- 16:45: All Wikimedia wiki user-facing SSL servers have new certificates in place.
- 23:08: We begin resetting user login tokens (forcing users to re-login using new libssl and certificates).
April 9th:
- 13:54: ticket.wikimedia.org's SSL certificate is replaced (the last one)
- 16:44: Email to all users of ticket.wikimedia.org (OTRS) and otrs-wiki.wikimedia.org to change their passwords.
- 22:33: Logged out all Bugzilla users
April 10th:
Frequently Asked Questions
(This section will be expanded as needed.)
- Why hasn't the "not valid before" date on your SSL certificate changed if you have already replaced it?
- Our SSL certificate provider keeps the original "not valid before" date (sometimes incorrectly referred to as an "issued on" date) in any replaced certificates. This is not an uncommon practice. Aside from looking at the change to the .pem files linked above in the Timeline, the other way of verifying that the replacement took place is to compare the fingerprint of our new certificate with our previous one.
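The fingerprint check described in the answer above, as an added example that is not part of the original post. It assumes the `openssl` command-line tool is installed, uses locally generated self-signed certificates for the placeholder name `example.test` as stand-ins for the old and replacement certificates, and goes one step beyond the text by also comparing the public keys.

```shell
#!/usr/bin/env bash
# Added example. All keys and certificates are generated locally (constructed
# test data); example.test is a placeholder name, not a Wikimedia host.
set -eu

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

# SHA-256 fingerprint: a hash over the whole DER-encoded certificate.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# The "not valid before" date.
cert_not_before() {
    openssl x509 -in "$1" -noout -startdate | cut -d= -f2
}

# The subject public key (PEM); it changes only if the key pair was replaced.
cert_public_key() {
    openssl x509 -in "$1" -noout -pubkey
}

# Succeeds when the second certificate is a re-keyed replacement of the first:
# both the fingerprint and the public key differ.
was_rekeyed() {
    [ "$(cert_fingerprint "$1")" != "$(cert_fingerprint "$2")" ] &&
        [ "$(cert_public_key "$1")" != "$(cert_public_key "$2")" ]
}

# Stand-in for the certificate in use before the incident.
openssl ecparam -genkey -name prime256v1 -noout -out "$workdir/old.key"
openssl req -x509 -new -key "$workdir/old.key" -subj "/CN=example.test" \
    -days 365 -out "$workdir/old.pem"

# Stand-in for the replacement: new key pair, original validity dates kept.
openssl ecparam -genkey -name prime256v1 -noout -out "$workdir/new.key"
openssl x509 -in "$workdir/old.pem" -signkey "$workdir/new.key" \
    -preserve_dates -out "$workdir/new.pem"

for cert in old new; do
    echo "$cert: notBefore=$(cert_not_before "$workdir/$cert.pem")"
    echo "$cert: sha256=$(cert_fingerprint "$workdir/$cert.pem")"
done
was_rekeyed "$workdir/old.pem" "$workdir/new.pem" && echo "certificate was replaced with a new key"
```

Both certificates report the same "not valid before" date while their fingerprints and public keys differ, which is why the date alone cannot confirm or rule out a replacement.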