A vulnerability is something susceptible to attack (regardless of whether attack actually occurs using that weakness), and a compromise is something that has been successfully attacked.
Sites and services across the internet have been impacted by a recent vulnerability in OpenSSL, CVE-2014-0160, known as “Heartbleed”. More information on this vulnerability may be found at http://heartbleed.com.
Upon disclosure of this vulnerability, SourceForge’s operations team expeditiously reviewed all of our services and confirmed that the only vulnerable service was SourceForge’s Subversion over HTTPS on Allura (svn.code.sourceforge.net).
We are aware of no compromise of our systems. On Tuesday, vulnerable systems were updated to new versions of OpenSSL, and the related SSL certificates were revoked and re-issued with new private keys.
A mailing will be sent to those users who accessed the vulnerable service (svn.code.sourceforge.net) during the window of vulnerability. While we are aware of no compromise of data resulting from this vulnerability, to further reduce risk we are asking certain users to change their SourceForge password.
To change your SourceForge password:
- Go to https://sourceforge.net/account/
- Log in with your username and current password
- Click the “Change Password” link on the resulting page
- Enter your current and new password into the form and submit
Passwords may also be reset using the account recovery facility at https://sourceforge.net/account/registration/recover.php
If you do not already make use of a secure password manager, such as KeePass, Password Safe, Mac OS X Keyring, LastPass, etc., you may wish to begin using such a tool, which makes it easy to manage unique and long passwords for every site you access.
Questions and concerns may be directed to the SourceForge.net support team at firstname.lastname@example.org