Re: openssl heartbleed - Mailing list pgsql-general

From Steve Crawford
Subject Re: openssl heartbleed
Msg-id 5345821C.8010602@pinpointresearch.com
In response to openssl heartbleed  ("Gabriel E. Sánchez Martínez"<gabrielesanchez@gmail.com>)
Responses Re: openssl heartbleed  (Albe Laurenz <laurenz.albe@wien.gv.at>)
List pgsql-general
On 04/09/2014 08:54 AM, "Gabriel E. Sánchez Martínez" wrote:
> Hi all,
>
> Our server is running Ubuntu Server 13.10 (we will soon upgrade to
> 14.04) and PostgreSQL 9.1.  We use certificates for all client
> authentication on remote connections.  The server certificate is
> self-signed.  In light of the heartbleed bug, should we create a new
> server certificate and replace all client certificates?  My guess is yes.

The answer is, of course, "it depends." Here's my take:

If your connections are coming from the Internet or other untrusted
sources *and* you are or were running a vulnerable version of OpenSSL
then yes, you should change your keys, certificates and any other
credentials that might have been found at some point in RAM including
passwords/keys used to access the vulnerable server *or* which the
vulnerable server stores and uses to access other systems. Of course
this means that if you have PostgreSQL backing a vulnerable public
webserver then you are at risk.

If you aren't and weren't running a vulnerable version or if the
vulnerable systems were entirely within a trusted network space with no
direct external access then you are probably at low to no risk and need
to evaluate the cost of updates against the low level of risk.

Cheers,
Steve
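As an added example that is not part of the thread (it is neither Steve's nor Gabriel's code, nor anything from the PostgreSQL project), here is a small POSIX shell script for the rotation Steve describes. It classifies an OpenSSL version string against the upstream Heartbleed range (1.0.1 through 1.0.1f and the 1.0.2 betas, CVE-2014-0160), points out that Debian and Ubuntu backport the fix without changing the upstream version string, and regenerates a self-signed PostgreSQL server certificate plus a client certificate signed by it. It assumes, as the original post suggests, that the self-signed server certificate doubles as the CA that client certificates chain to; the file names (server.crt, server.key, root.crt in the data directory) are the PostgreSQL 9.1 defaults, and the output directory and certificate CNs are arguments you supply.

```shell
#!/bin/sh
# Added example (not from the pgsql-general thread): check the installed
# OpenSSL against the Heartbleed-affected range and, if asked, regenerate
# the PostgreSQL server and client certificates.
#
# Usage: sh heartbleed-rotate.sh                 (report only)
#        sh heartbleed-rotate.sh OUTDIR SERVER_CN CLIENT_CN   (also regenerate)

# Extract the version token from `openssl version` output,
# e.g. "OpenSSL 1.0.1e 11 Feb 2013" -> "1.0.1e".
openssl_banner_version() {
    set -- $1
    printf '%s\n' "$2"
}

# Upstream OpenSSL 1.0.1 through 1.0.1f and the 1.0.2-beta releases carry
# the vulnerable heartbeat code (CVE-2014-0160); 1.0.1g fixed it; the 0.9.8
# and 1.0.0 branches never had it. Returns 0 (true) when affected.
heartbleed_affected() {
    case "$1" in
        1.0.1|1.0.1[a-f]|1.0.1[a-f]-*) return 0 ;;
        1.0.2-beta*)                   return 0 ;;
        *)                             return 1 ;;
    esac
}

# Regenerate everything that might have leaked from the server's memory:
# a fresh server key + self-signed certificate (which, under the assumption
# stated above, is also the CA for clients), then a fresh client key and a
# certificate signed by it. Keys are created with 0600, which PostgreSQL
# requires for server.key before it will start with ssl = on.
regen_pg_certs() {
    out="$1"; server_cn="$2"; client_cn="$3"
    mkdir -p "$out"
    (
        umask 077
        openssl req -new -x509 -nodes -days 365 -newkey rsa:2048 \
            -subj "/CN=$server_cn" \
            -keyout "$out/server.key" -out "$out/server.crt"
        openssl req -new -nodes -newkey rsa:2048 \
            -subj "/CN=$client_cn" \
            -keyout "$out/$client_cn.key" -out "$out/$client_cn.csr"
        openssl x509 -req -days 365 -in "$out/$client_cn.csr" \
            -CA "$out/server.crt" -CAkey "$out/server.key" -CAcreateserial \
            -out "$out/$client_cn.crt"
    )
    chmod 600 "$out/server.key" "$out/$client_cn.key"
    # PostgreSQL 9.1 looks for server.crt, server.key and root.crt in PGDATA;
    # with the server cert acting as CA, root.crt is a copy of server.crt.
    cp "$out/server.crt" "$out/root.crt"
    echo "New certificates in $out; install server.crt/server.key/root.crt in PGDATA,"
    echo "give $client_cn.crt/$client_cn.key and root.crt to the client, restart PostgreSQL."
}

main() {
    banner=$(openssl version 2>/dev/null || echo "OpenSSL unknown")
    ver=$(openssl_banner_version "$banner")
    if [ "$ver" = unknown ]; then
        echo "openssl not found; cannot determine the library version"
    elif heartbleed_affected "$ver"; then
        echo "OpenSSL $ver is in the Heartbleed-affected range: rotate keys, certs and passwords."
        echo "Debian/Ubuntu backport the fix without changing this string, so also compare"
        echo "'dpkg -s openssl | grep Version' against the distribution advisory (USN-2165-1 on Ubuntu)."
    else
        echo "OpenSSL $ver is outside the affected upstream range"
    fi
    [ "$#" -eq 3 ] && regen_pg_certs "$1" "$2" "$3"
    return 0
}

main "$@"
```

Two caveats a practitioner would add. First, a fixed library helps only once every process that loaded the old one has been restarted (PostgreSQL itself, and any web server or connection pooler in front of it), so restart before you install the new certificates, not after. Second, new certificates do not revoke the old ones: a self-signed server cert has no CRL, so a client that still trusts the old server.crt will keep accepting a server presenting the leaked key. Distribute the new root.crt to every client and remove the old one, and, per Steve's point, change any passwords the server held in memory as well.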


