novacut-community team mailing list archive
Security alert: Dmedia vulnerable to Heartbleed
Dmedia (and therefore Novacut) is affected by the Heartbleed bug in the
OpenSSL library. This bug is very serious as it allows an attacker to
capture the private keys Dmedia uses, which then allows an attacker to steal
both your Dmedia library metadata and the files it contains.
Please see USN-2165-1 for details about the OpenSSL fix in Ubuntu:
What you need to do
To correct this problem, first make sure your packages are up-to-date:
sudo apt-get update
sudo apt-get dist-upgrade
Then you'll need to force Dmedia to generate new user and machine certificates:
You should do this on all your computers running Dmedia before peering them
The next time you open Dmedia or Novacut, you'll be presented with the Dmedia
On your first computer, click "New Account". On any additional computers, click
"Connect to Devices" and then accept the peering offer on the first computer.
It's easy for an attacker on the local network to use the Heartbleed bug to
attack Dmedia on systems running a vulnerable version of OpenSSL. This includes
when you're using, for example, a public WiFi network at a coffee shop. This is
true even when you only have a single Dmedia device on a given network.
In practice it's probably very difficult for a remote attacker to exploit
Heartbleed in Dmedia from across the Internet. Most home routers use NAT to
prevent direct access to your computers from across the Internet. Also, each time
Dmedia starts, it runs on a different, random port. Dmedia uses Avahi to
advertise this random port to other Dmedia devices on the local network. Dmedia
does *not* advertise this random port to any outside servers. That said, remote
attacks could still be possible if, for example, your router was compromised.
As Dmedia is not yet widely used, it's probably not yet a common attack target.
However, to play it safe, please follow the above procedure to generate new
Dmedia SSL certificates.
 Heartbleed: http://heartbleed.com/
 OpenSSL: https://www.openssl.org/
 Peering screen: http://cdn.novacut.com/Dmedia-12.10-1.png
 Avahi: http://avahi.org/
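
A check that complements the package upgrade step above, as an added example that is not part of the original message or of Dmedia itself: a process that was already running during the upgrade keeps the old OpenSSL library mapped until it is restarted, and Linux marks such mappings "(deleted)" in /proc/<pid>/maps. The function names, the sample tree and the process name "example-daemon" are constructed for illustration.

```shell
#!/bin/sh
# Added example: find processes still running with a libssl copy that has
# been replaced on disk by a package upgrade.

# stale_libssl_pids [PROC_ROOT]
# Prints one "PID NAME" line per process whose memory map still references a
# deleted libssl shared object. PROC_ROOT defaults to /proc; the parameter
# exists so the function can be run against a constructed directory tree.
stale_libssl_pids() {
    proc_root="${1:-/proc}"
    for maps in "$proc_root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        # Only libssl mappings carrying the "(deleted)" suffix are stale.
        if grep -Eq 'libssl[^ ]*\.so[^ ]* \(deleted\)$' "$maps" 2>/dev/null; then
            pid_dir="${maps%/maps}"
            pid="${pid_dir##*/}"
            name="$(cat "$pid_dir/comm" 2>/dev/null || echo unknown)"
            printf '%s %s\n' "$pid" "$name"
        fi
    done
}

# demo_constructed
# Builds a constructed /proc-like tree (not real process data): PID 101 still
# maps the replaced library, PID 202 maps the current one.
demo_constructed() {
    d="$(mktemp -d)"
    mkdir -p "$d/101" "$d/202"
    printf '%s\n' \
      '7f10a000-7f10b000 r-xp 00000000 08:01 1234 /lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)' \
      > "$d/101/maps"
    echo 'example-daemon' > "$d/101/comm"
    printf '%s\n' \
      '7f20a000-7f20b000 r-xp 00000000 08:01 5678 /lib/x86_64-linux-gnu/libssl.so.1.0.0' \
      > "$d/202/maps"
    echo 'python3' > "$d/202/comm"
    stale_libssl_pids "$d"
    rm -rf "$d"
}

# Scan the live system. Run with sudo to see other users' processes.
stale_libssl_pids
```

Any process this lists should be restarted (or the machine rebooted) before new certificates are generated, so that the new keys are never handled by the old library.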