subversion-users mailing list archives

From Stefan Sperling
Subject Re: Subversion and Heartbleed
Date Sun, 13 Apr 2014 11:45:59 GMT
On Sun, Apr 13, 2014 at 07:21:26AM -0400, Nico Kadel-Garcia wrote:
> I'm assuming that the vulnerability for particular httpd (Apache 2.x)
> web servers is *only* activated when the "mod_ssl" module is loaded,

Yes. The server must perform TLS negotiation using a vulnerable
OpenSSL version. Data leaked via heartbleed can come from unrelated
connections handled by the same server process, whether or not those
other connections use TLS.

> I've not seen any verification that proxies set for simple HTTP
> pass-through are vulnerable. I suspect they're safe, but I'd really
> like to have a test tool to verify this. Has anyone seen a Heartbleed
> test tool that will test HTTP sites, or HTTPS on ports other than 443?

There are published test scripts. You can edit them and change the port.
will do what you want if you adjust the port number (and perhaps
simplify the argument processing such that the script probes a
single server specified on the command line).
