subversion-users mailing list archives

From Nico Kadel-Garcia <nka...@gmail.com>
Subject Re: Recent Heartbleed OpenSSL bug may affect HTTPS Subversion servers
Date Fri, 11 Apr 2014 19:52:57 GMT

On Fri, Apr 11, 2014 at 6:08 AM, Hannes Erven <hannes@erven.at> wrote:
> Hi all,
>
>
>
> Daniel Shahaf wrote:
>>
>> Nico Kadel-Garcia wrote on Thu, Apr 10, 2014 at 23:53:14 -0400:
>>>
>>> I was just realizing that no one has mentioned it here: For anyone
>>> running HTTPS based Subversion servers, they should really take a good
>>> look at whether their web server is vulnerable to the "HeartBleed"
>>> security problem in OpenSSL.
>>
>>
>> Repositories served exclusively with http:// (non-SSLed), svn+ssh://,
>> and/or svn://-with-SASL-disabled are not affected.
>
>
> This is not entirely correct: any web server process with openssl-based SSL
> enabled was vulnerable. So even if the repository itself wasn't
> served on HTTPS, but some other vhost was, you're still affected.

Do you have a pointer to that? It's a reasonable claim, I'd just not
seen anything for verifying it or testing against HTTP sites that have
HTTPS enabled, perhaps even with HTTPS only accessible behind a
closed firewall for an administrative user.
