A serious security vulnerability was recently uncovered: CVE–2014–0160, AKA “Heartbleed.“
The Pivotal Tracker team has worked with our hosting provider and determined that none of our externally exposed servers were affected by this vulnerability.
Specifically, this vulnerability is known to exist in version 1.0.1 of the OpenSSL library, used widely in web servers and load balancers. Tracker’s production web servers and load balancers have been running versions 0.9.8 and 1.0.0, respectively, which are not affected by this problem.
We did identify three internal production servers with vulnerable OpenSSL versions. However, these servers are not running any processes that provide SSL termination, access to them is restricted by firewall rules, and they do not directly access any user data. These three servers were patched the evening of Tuesday, April 8th, when the updated packages were made available.
While we have determined that Pivotal Tracker was not vulnerable to this exploit, we are nevertheless taking the precaution of having all of our SSL certificates reissued, and changing our passwords and keys used with our third-party service providers.
The following is a list of the third-party applications with which Pivotal Tracker provides integrations. We highly recommend that you review your use of these integrations, their response to this security vulnerability, and take any recommended action. We also recommend reviewing any webhooks and third-party tools that you might be using.
A tool that checks websites for this vulnerability is available here.
We hope this answers any concerns you have regarding the security of Pivotal Tracker; however, please email us if you have any questions.