subversion-users mailing list archives

From Thorsten Schöning <tschoen...@am-soft.de>
Subject Re: Recent Heartbleed OpenSSL bug may affect HTTPS Subversion servers
Date Sat, 12 Apr 2014 08:30:10 GMT
Hello Ben Reser,
on Saturday, 12 April 2014 at 01:10 you wrote:

> As such even if you only have your Subversion repository running over
> HTTP, if you have SSL enabled for some other purpose, your Subversion related
> data in memory might be exposed.

Are you sure about that? From my understanding it is necessary that
data passes OpenSSL's memory to get retrieved because it implements
its own malloc. I had the feeling that in case of Heartbleed only
sending passwords over http would have been the "more secure" way
because in that case they wouldn't have been retrievable because they
never passed memory allocated using OPENSSL_malloc() at all.

Kind regards,

Thorsten Schöning

-- 
Thorsten Schöning       E-Mail:Thorsten.Schoening@AM-SoFT.de
AM-SoFT IT-Systeme      http://www.AM-SoFT.de/

Phone.............05151-  9468- 55
Fax...............05151-  9468- 88
Mobile.............0178-8 9468- 04

AM-SoFT GmbH IT-Systeme, Brandenburger Str. 7c, 31789 Hameln
AG Hannover HRB 207 694 - Managing Director: Andreas Muchow

