Sauce Labs Security Information: Heartbleed Update

Sauce Labs help at saucelabs.com
Fri Apr 11 07:35:03 UTC 2014


Dear Sauce Labs user: 
 
In the wake of the disclosure of CVE-2014-0160 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160>, also known as "Heartbleed" <http://ahoy.twilio.com/e/9512/2014-04-09/lqrwl/268606133>, Sauce Labs has been working to assess the impact of this issue on our users.

While we have not found any signs that Sauce Labs or its users were negatively impacted by the Heartbleed vulnerability, we take security very seriously and are taking steps to remediate any exposures relating to it. This email to you is part of that effort.

We have determined that the Heartbleed vulnerability has no impact on the Sauce Labs web interface or REST API. However, Sauce Connect is affected by the vulnerability. Users of Sauce Connect should read more below.

Again, if you are not using Sauce Connect, this vulnerability had no impact on your Sauce Labs tests. For the Sauce Labs web interface and REST API we use an unaffected version of OpenSSL. This can be validated here <http://filippo.io/Heartbleed/>.

IMPORTANT: For Customers Using Sauce Connect 

For our customers who use Sauce Connect to test their applications behind their firewall, we have no specific evidence that data has been compromised. We have now updated our Sauce Connect servers so they are no longer vulnerable to new attacks enabled by the Heartbleed bug.

During the period of time when the Sauce Connect servers were vulnerable, attackers may have gained access to customer test data (traversing the Sauce Connect tunnel). If that has occurred, attackers may have the ability to similarly compromise future Sauce Connect 4.0 and 3.0 sessions. Again, we have no specific evidence that this has actually occurred.

As part of closing this potential vulnerability we have updated our certificates for Sauce Connect in version 4.1, and released a version 3.1 with updated certificates for those customers who prefer to stay with the 3.x line for now.

Customers will need to:

 - Upgrade to Sauce Connect 4.1 as soon as possible:
    - OS X: https://saucelabs.com/downloads/sc-4.1-osx.zip
    - Linux: https://saucelabs.com/downloads/sc-4.1-linux.tar.gz
    - Windows: https://saucelabs.com/downloads/sc-4.1-win32.zip

 - OR upgrade to Sauce Connect 3.1 (cross-platform) as soon as possible:
    - https://saucelabs.com/downloads/Sauce-Connect-3.1-r32.zip

 - Change all passwords that could potentially have been affected if an attacker did have access to test sites and commands

We hope this email answers your questions about the impact of CVE-2014-0160 on your Sauce Labs application. Feel free to reply back to this email to reach our Customer Support team with follow-up questions.

Sincerely,
The Sauce Labs Team
Sauce Labs Inc., 500 Third St #240, San Francisco, CA, 94107 USA
