wiki/ news/ news-2014-04-10

Security problems due to the Heartbleed bug

TL;DR: change ALL your passwords

The CS Department's CIP-Pool was also affected by the so-called Heartbleed bug. The Rechenzentrum has also published some recommendations and comments. Affected server certificates have been swapped out, and all software has been updated.

For you, as a user, this means: if you are using one of the following services of the CIP-Pool, or have used one at some point since 2011, you have to change the passwords you used:

Redmine and Waffel each have a separate password database; you can reset those passwords on the respective websites. Your general CIP-Pool password can be reset via kpasswd. If you have set a separate service password for the aforementioned VPN or mail services, you can reset those passwords via /local/bin/servicepasswd -s vpn and /local/bin/servicepasswd -s mail respectively. If you are unsure whether you have set service passwords, you can check with /local/bin/servicepasswd -l.

When in doubt, reset all your passwords.

For the OpenFAUpn service the server certificate has also changed. This means that you need to download the new configuration and the new certificate chain and install them. You need to do this before you use your freshly reset password with the VPN for the first time.

All over the internet, lots and lots of services and websites have been affected. If you have re-used any password on any two websites or services anywhere (which we strongly advise you not to do), you have to reset all those passwords. You should also try to use separate passwords for each service in the future.

When in doubt, just reset all your passwords, and make each one different.

-- Alexander Würstlein