subversion-users mailing list archives

From Daniel Shahaf <...@daniel.shahaf.name>
Subject Re: Recent Heartbleed OpenSSL bug may affect HTTPS Subversion servers
Date Fri, 11 Apr 2014 09:01:26 GMT
Nico Kadel-Garcia wrote on Thu, Apr 10, 2014 at 23:53:14 -0400:
> I was just realizing that no one has mentioned it here: For anyone
> running HTTPS based Subversion servers, they should really take a good
> look at whether their web server is vulnerable to the "HeartBleed"
> security problem in OpenSSL.

Repositories served exclusively with http:// (non-SSLed), svn+ssh://,
and/or svn://-with-SASL-disabled are not affected.

As to svn://-with-SASL, libsasl can optionally link against libssl, but
I'm not sure whether it can trigger the vulnerable codepath.

svn:// over stunnel would be affected too --- just in case someone
is using that.

Daniel


> There are various good write-ups about
> it, but even an internal website vulnerable to these hacks could
> apparently have usernames and passwords stolen by a zombied or
> rootkitted host inside your network. So strongly consider updating
> *all* your websites to avoid the bug, and other bugs, and strongly
> consider your password management and expiration procedures for
> vulnerabilities that may have been exploited any time in the last two
> years.
> 
> http://www.theatlantic.com/technology/archive/2014/04/how-to-check-if-a-site-is-safe-from-heartbleed/360417/
