From: Reindl Harald
To: dev@httpd.apache.org
Date: Wed, 09 Apr 2014 14:01:09 +0200
Subject: Re: half-OT: heartbleed CVE-2014-0160
Message-ID: <53453685.30001@thelounge.net>

On 09.04.2014 13:53, Graham Leggett wrote:
> On 09 Apr 2014, at 1:48 PM, Reindl Harald wrote:
>> after update openssl and re-new all certificates one question
>> remains: in case of httpd-prefork would an attacker only have
>> been able to compromise the private key and data of his
>> worker-process or as well access the memory of other workers?
>
> In the case of prefork this wouldn't be true, no - they would only be able to compromise the memory of that process only. They may be able to access username/passwords from previous requests if they were still visible.
>
> In the case of the worker and event mpms, the memory of other workers could be compromised, yes

thanks a lot - this makes my sleep so much better and i am happy
to use httpd-prefork everywhere with all its disadvantages in
context of scalability
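
The isolation difference discussed in this exchange, as an added illustration that is not part of the original message and not httpd code: data a worker writes while serving a request stays out of other workers' memory when workers are processes (prefork), and is readable when they are threads sharing one address space (worker/event). `request_buf`, `SECRET` and the function names are hypothetical, and the credential is a constructed sample.

```c
/* Added illustration, not httpd code; SECRET is a constructed sample. */
#include <pthread.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define SECRET "user:hunter2"
static char request_buf[32];   /* stands in for per-request memory */

/* A worker serving a request that carries a credential. */
static void *handle_request(void *unused)
{
    (void)unused;
    strcpy(request_buf, SECRET);
    return NULL;
}

/* 1 if the credential is readable in the caller's address space. */
static int secret_in_my_memory(void)
{
    return memcmp(request_buf, SECRET, sizeof(SECRET)) == 0;
}

/* prefork model: a separate process served the request. */
int visible_across_processes(void)
{
    memset(request_buf, 0, sizeof request_buf);
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { handle_request(NULL); _exit(secret_in_my_memory() ? 0 : 1); }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status) || WEXITSTATUS(status) != 0)
        return -1;
    return secret_in_my_memory();   /* what any other process can see */
}

/* worker/event model: another thread of the same process served it. */
int visible_across_threads(void)
{
    memset(request_buf, 0, sizeof request_buf);
    pthread_t t;
    if (pthread_create(&t, NULL, handle_request, NULL) != 0) return -1;
    pthread_join(t, NULL);
    return secret_in_my_memory();   /* what any other thread can see */
}

int main(void)
{
    printf("processes: %d, threads: %d\n", visible_across_processes(), visible_across_threads());
    return 0;
}
```

Only memory written after `fork()` is private to the child; anything already in the parent's address space at fork time is duplicated into every child.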