subversion-users mailing list archives

From Nico Kadel-Garcia <nka...@gmail.com>
Subject Re: Recent Heartbleed OpenSSL bug may affect HTTPS Subversion servers
Date Sat, 12 Apr 2014 22:41:20 GMT
For our own safety and benefit of combined HTTP/HTTPS servers for
Subversion worldwide: is there a published test to verify that HTTP
servers do not have the same flaw due to also being configured for
SSL?

On Sat, Apr 12, 2014 at 2:33 PM, Ben Reser <ben@reser.org> wrote:
> On 4/12/14, 1:30 AM, Thorsten Schöning wrote:
>> Are you sure about that? From my understanding it is necessary that
>> data passes OpenSSL's memory to get retrieved because it implements
>> its own malloc. I had the feeling that in case of heartbleed only
>> sending passwords over http would have been the "more secure" way
>> because in that case they wouldn't have been retrievable because they
>> never passed memory allocated using OPENSSL_malloc() at all.
>
> No that's not accurate at all.  The malloc implementation doesn't matter at
> all, the process can read memory that's allocated by any memory allocator.
> Ultimately all of them have to use the same kernel interfaces to request the
> memory.
>
> The requirements are that the memory be allocated in a larger memory address
> than the memory being used for the heartbeat feature and that it be within 64k
> of that memory space.  With memory fragmentation and a lot of requests just
> about anything can be retrieved.
