Delivered-To: mailing list users@subversion.apache.org
Date: Thu, 10 Apr 2014 23:53:14 -0400
Subject: Recent Heartbleed OpenSSL bug may affect HTTPS Subversion servers
From: Nico Kadel-Garcia
To: Subversion

I was just realizing that no one has mentioned it here: For anyone running HTTPS based Subversion servers, they should really take a good look at whether their web server is vulnerable to the "HeartBleed" security problem in OpenSSL.

There are various good write-ups about it, but even an internal website vulnerable to these hacks could apparently have usernames and passwords stolen by a zombied or rootkitted host inside your network. So strongly consider updating *all* your websites to avoid the bug, and other bugs, and strongly consider your password management and expiration procedures for vulnerabilities that may have been exploited any time in the last two years.

http://www.theatlantic.com/technology/archive/2014/04/how-to-check-if-a-site-is-safe-from-heartbleed/360417/