From: Thorsten Schöning
Organization: AM-SoFT IT-Systeme
Date: Sat, 12 Apr 2014 10:30:10 +0200
To: users@subversion.apache.org
Subject: Re: Recent Heartbleed OpenSSL bug may affect HTTPS Subversion servers

Hello Ben Reser,

on Saturday, 12 April 2014 at 01:10 you wrote:

> As such even if you only have your Subversion repository running over
> HTTP, if you have SSL enabled for some other purpose, your Subversion related
> data in memory might be exposed.

Are you sure about that? From my understanding it is necessary that
data passes OpenSSL's memory to get retrieved because it implements
its own malloc. I had the feeling that in case of Heartbleed only
sending passwords over HTTP would have been the "more secure" way
because in that case they wouldn't have been retrievable because they
never passed memory allocated using OPENSSL_malloc() at all.

Kind regards,

Thorsten Schöning

-- 
Thorsten Schöning       E-Mail: Thorsten.Schoening@AM-SoFT.de
AM-SoFT IT-Systeme      http://www.AM-SoFT.de/

Phone:  05151- 9468- 55
Fax:    05151- 9468- 88
Mobile: 0178-8 9468- 04

AM-SoFT GmbH IT-Systeme, Brandenburger Str. 7c, 31789 Hameln
AG Hannover HRB 207 694 - Managing Director: Andreas Muchow