On April 7th 2014, information about a vulnerability in OpenSSL was released. Landscape.io has been updated to mitigate and protect against attacks exploiting this vulnerability.

The vulnerability, officially designated CVE-2014-0160 but now commonly known as Heartbleed, allows an attacker to read chunks of memory from any server running an affected version of OpenSSL.

This means that an attacker could potentially read private keys, passwords or anything else in the memory of the server process. A proof of concept showing the ability to read other users' cookies from vulnerable servers sprang up within hours of the initial announcement.

The version of OpenSSL used on our site was patched within hours of the initial announcement of Heartbleed, and there is no indication of any attack against the Landscape.io site. However, given the severity of the vulnerability and the difficulty of detection of abuse, we have taken the following additional steps:

  • OpenSSL was patched within hours of the announcement.
  • We have revoked our previous SSL certificate and replaced it with a new one.
  • All browser sessions have been reset to prevent session hijacking, should an attacker have gained access to user cookies. You will need to log in again via GitHub.
  • Internal passwords and keys have been reset.
  • We were waiting for GitHub to announce a way to request new OAuth tokens automatically. The GitHub API developers have since added a new API call to renew OAuth tokens, and all Landscape OAuth tokens have now been reset.
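The session reset in the list above relies on a property worth making concrete: if every session cookie is bound to a server-side signing key, replacing that key invalidates all outstanding cookies at once, so a cookie leaked from server memory stops working even though the server never saw it being stolen. The following is an added example illustrating that design, not Landscape.io's own code; the `SessionStore` class, its HMAC-signed cookie format and the `rotate_key` method are assumptions made for the illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional


def _b64decode(s: str) -> bytes:
    """Decode URL-safe base64 that was stored without '=' padding."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


class SessionStore:
    """Issues and verifies HMAC-signed session cookies (hypothetical design).

    A cookie is `base64(payload).base64(HMAC-SHA256(key, payload))`. Because
    every cookie is tied to the current signing key, rotate_key() revokes all
    sessions in one step without tracking them individually server-side.
    """

    def __init__(self, ttl_seconds: int = 3600) -> None:
        self.key = secrets.token_bytes(32)  # per-process signing key
        self.ttl = ttl_seconds

    def _sign(self, payload: bytes) -> bytes:
        return hmac.new(self.key, payload, hashlib.sha256).digest()

    def issue(self, user_id: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        payload = json.dumps({"uid": user_id, "iat": int(now)}).encode()
        body = base64.urlsafe_b64encode(payload).rstrip(b"=")
        sig = base64.urlsafe_b64encode(self._sign(payload)).rstrip(b"=")
        return (body + b"." + sig).decode()

    def verify(self, cookie: str, now: Optional[float] = None) -> Optional[str]:
        """Return the user id for a valid cookie, or None if it is rejected."""
        now = time.time() if now is None else now
        try:
            body, sig = cookie.split(".", 1)
            payload = _b64decode(body)
            given = _b64decode(sig)
        except (ValueError, TypeError):
            return None
        # Constant-time comparison so a forged signature cannot be guessed
        # byte by byte from timing differences.
        if not hmac.compare_digest(self._sign(payload), given):
            return None
        data = json.loads(payload)  # authenticated, so safe to parse
        if now - data["iat"] > self.ttl:
            return None
        return data["uid"]

    def rotate_key(self) -> None:
        """Emergency reset: every cookie issued so far becomes unverifiable."""
        self.key = secrets.token_bytes(32)


def demo() -> dict:
    """Walk through the incident-response scenario with constructed data."""
    store = SessionStore()
    cookie = store.issue("alice")
    valid_before = store.verify(cookie)

    # Forgery attempt: a new payload for "mallory" glued to alice's signature.
    forged_payload = json.dumps({"uid": "mallory", "iat": int(time.time())}).encode()
    forged_body = base64.urlsafe_b64encode(forged_payload).rstrip(b"=").decode()
    forged = forged_body + "." + cookie.split(".", 1)[1]
    forged_result = store.verify(forged)

    # Key rotation: the response to a suspected cookie leak.
    store.rotate_key()
    valid_after = store.verify(cookie)

    return {
        "valid_before_reset": valid_before,  # "alice"
        "forged_cookie": forged_result,      # None
        "valid_after_reset": valid_after,    # None
    }


if __name__ == "__main__":
    print(demo())
```

Rotating the key also means that anyone who captured the old key from memory can no longer mint cookies of their own, which is why a key reset belongs alongside the certificate and password resets rather than being a separate concern.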

Keep an eye on the Landscape.io twitter account for updates and progress information on this issue.


About Landscape.io

Landscape.io is a tool to measure and track code quality and technical debt in your project. It can analyse Python code to point out errors and problems, and provides continuous metrics so you can see if your code is deteriorating.