httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Reindl Harald <h.rei...@thelounge.net>
Subject Re: half-OT: heartbleed CVE-2014-0160
Date Wed, 09 Apr 2014 12:01:09 GMT

Am 09.04.2014 13:53, schrieb Graham Leggett:
> On 09 Apr 2014, at 1:48 PM, Reindl Harald <h.reindl@thelounge.net> wrote:
>> after update openssl and re-new all certificates one question
>> remains: in case of httpd-prefork would a attacker only have
>> been able to compromise the private key and data of his
>> worker-process or as well access the memory of other workers?
> 
> In the case of prefork this wouldn't be true, no - they would only be able to compromise
the memory of that process only. They may be able to access username/passwords from previous
requests if they were still visible.
> 
> In the case of the worker and event mpms, the memory of other workers could be compromised,
yes

thanks a lot - this makes my sleep so much better and i am happy
to use httpd-prefork everywhere with all it's disadvantages in
context of scalability


Mime
View raw message