SourceForge response to Heartbleed


A vulnerability is something susceptible to attack (regardless of whether attack actually occurs using that weakness), and a compromise is something that has been successfully attacked.

Sites and services across the internet have been impacted by a recent vulnerability in OpenSSL, CVE-2014-0160, known as “Heartbleed”. More information on this vulnerability may be found at

Upon disclosure of this vulnerability, SourceForge’s operations team expeditiously reviewed all of our services and confirmed that the only vulnerable service was SourceForge’s Subversion over HTTPS on Allura (

We are aware of no compromise of our systems. On Tuesday, vulnerable systems were updated to new versions of OpenSSL, and the related SSL certificates were revoked and re-issued with new private keys.

A mailing will be sent to those users who accessed the vulnerable service ( during the window of vulnerability. While we are aware of no compromise of data resulting from this vulnerability, to further reduce risk we are asking certain users to change their SourceForge password.

To change your SourceForge password:

  1. Go to
  2. Log in with your username and current password
  3. Click the “Change Password” link on the resulting page
  4. Enter your current and new password into the form and submit

Passwords may also be reset using the account recovery facility at

If you do not already make use of a secure password manager, such as KeePass, Password Safe, Mac OS X Keyring, LastPass, etc., you may wish to begin using such a tool, which makes it easy to manage unique and long passwords for every site you access.

Questions and concerns may be directed to the support team at

Thank you, Support
