subversion-users mailing list archives

From Ben Reser <...@reser.org>
Subject Re: Recent Heartbleed OpenSSL bug may affect HTTPS Subversion servers
Date Sat, 12 Apr 2014 18:33:36 GMT
On 4/12/14, 1:30 AM, Thorsten Schöning wrote:
> Are you sure about that? From my understanding it is necessary that
> data passes OpenSSL's memory to get retrieved because it implements
> its own malloc. I had the feeling that in case of heartbleed only
> sending passwords over http would have been the "more secure" way
> because in that case they wouldn't have been retrievable because they
> never passed memory allocated using OPENSSL_malloc() at all.

No, that's not accurate at all.  The malloc implementation doesn't matter at
all, the process can read memory that's allocated by any memory allocator.
Ultimately all of them have to use the same kernel interfaces to request the
memory.

The requirements are that the memory be allocated in a larger memory address
than the memory being used for the heartbeat feature and that it be within 64k
of that memory space.  With memory fragmentation and a lot of requests just
about anything can be retrieved.
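The defect behind the bug discussed in this thread was a missing bounds check on the heartbeat record: the declared payload length was trusted, so the reply copied up to 64k of whatever lay above the request buffer. As an added example (not from this thread and not OpenSSL's own code), here is that check written against the RFC 6520 message layout (1 byte type, 2 byte payload_length, payload, at least 16 bytes padding), plus a response builder that copies only bytes actually received; the function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define HB_HEADER_LEN   3   /* 1 byte type + 2 byte payload_length (RFC 6520) */
#define HB_MIN_PADDING  16  /* minimum padding a heartbeat message must carry */

/* Validate a received heartbeat request of rec_len bytes. On success writes
 * the declared payload length and returns 1; returns 0 if the record must
 * be discarded. The Heartbleed defect was using the declared length without
 * comparing it against rec_len, the number of bytes actually received. */
int heartbeat_request_ok(const unsigned char *rec, size_t rec_len,
                         size_t *payload_len_out)
{
    if (rec == NULL || rec_len < HB_HEADER_LEN + HB_MIN_PADDING)
        return 0;                       /* cannot even hold header + padding */
    if (rec[0] != 1)                    /* 1 = heartbeat_request */
        return 0;
    size_t declared = ((size_t)rec[1] << 8) | rec[2];
    /* The payload must fit inside the received record, leaving room for padding. */
    if (declared > rec_len - HB_HEADER_LEN - HB_MIN_PADDING)
        return 0;
    if (payload_len_out)
        *payload_len_out = declared;
    return 1;
}

/* Build the heartbeat_response into out (capacity out_cap), copying only
 * payload bytes that were present in the request. Returns the number of
 * bytes written, or 0 if the request was rejected or out is too small. */
size_t heartbeat_build_response(const unsigned char *rec, size_t rec_len,
                                unsigned char *out, size_t out_cap)
{
    size_t plen;
    if (!heartbeat_request_ok(rec, rec_len, &plen))
        return 0;
    size_t need = HB_HEADER_LEN + plen + HB_MIN_PADDING;
    if (need > out_cap)
        return 0;
    out[0] = 2;                         /* 2 = heartbeat_response */
    out[1] = (unsigned char)(plen >> 8);
    out[2] = (unsigned char)(plen & 0xff);
    memcpy(out + HB_HEADER_LEN, rec + HB_HEADER_LEN, plen);
    /* Real implementations fill padding with random bytes; zeros suffice here. */
    memset(out + HB_HEADER_LEN + plen, 0, HB_MIN_PADDING);
    return need;
}
```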


