
Re: [Subclipse-users] Subclipse 1.10.4 / JavaHL 1.8.8 on Win64 vulnerable to Heartbleed OpenSSL bug?

From: Mark Phippard <markphip_at_gmail.com>
Date: Thu, 24 Apr 2014 08:28:09 -0400

On Wed, Apr 23, 2014 at 7:24 PM, Nick Radov <nick.radov_at_optum.com> wrote:

> Is Subclipse 1.10.4 on MS Windows 64 bit impacted by the Heartbleed
> vulnerability (CVE-2014-0160)? It includes JavaHL 1.8.8, which in turn
> includes the OpenSSL 1.0.1f ssleay32.dll. The Heartbleed bug was fixed in
> OpenSSL 1.0.1g. Does JavaHL need to be updated?
>

Yes, it should be updated. It looked like an SVN 1.8.9 was going to come
out and I held off, but that seems to have lagged so I'll probably post an
updated plugin.

FWIW, I do not think a SVN client is particularly vulnerable simply because
you are in control of which sites it is connecting to and it is probably
not many. You are only vulnerable to sites you are connected to, and if
that site is "attacking" you then that means it is already compromised. So
the risk is that the site could harvest credentials for some other site
from your memory. So maybe you are updating all projects in your workspace
and your client first hits your corporate site and those credentials are in
RAM, and then your client hits some infected site that can probe your RAM
and pull out those credentials. Given how JavaHL works I am not sure if
even that scenario is realistic though.

> In the meantime I suppose we can either switch to SVNKit, or manually
> replace ssleay32.dll with the fixed version.
>
Yes, you can use SVNKit. If you update the DLLs note that you also need
to update libeay32.dll, that is actually the main OpenSSL DLL. If you
install the Subversion 1.8.8 command line binaries that CollabNet provides
you can just copy the two DLLs it installs into the JavaHL plugin
folder to replace the ones provided by Subclipse.

That said, I'll try to get the plugin updated soon.

-- 
Thanks
Mark Phippard
http://markphip.blogspot.com/
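As an added example (not from this thread, Subclipse or the Subversion project), a small scanner that reports which OpenSSL version the two JavaHL DLLs named above actually carry, so a workspace can be checked after the copy-over. It assumes the DLLs embed OpenSSL's standard `OpenSSL <version> <date>` banner string and that the plugin folder path is supplied by the reader; the sample folder it builds is constructed.

```python
import re
import tempfile
from pathlib import Path

# OpenSSL builds embed their version banner (OPENSSL_VERSION_TEXT), e.g.
# b"OpenSSL 1.0.1f 6 Jan 2014"; the scanner only looks for that string.
BANNER_RE = re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]?) \d{1,2} [A-Z][a-z]{2} \d{4}")
DLLS = ("libeay32.dll", "ssleay32.dll")  # libeay32 is the main OpenSSL DLL


def openssl_version_from_bytes(data: bytes):
    """Return the version token from the embedded banner, or None if absent."""
    m = BANNER_RE.search(data)
    return m.group(1).decode() if m else None


def is_heartbleed_vulnerable(version: str) -> bool:
    """CVE-2014-0160 affects the 1.0.1 series up to and including 1.0.1f;
    1.0.1g carries the fix. Anything outside 1.0.1 is reported as not affected."""
    m = re.fullmatch(r"1\.0\.1([a-z]?)", version)
    if not m:
        return False
    return m.group(1) < "g"  # "" (plain 1.0.1) through "f" are vulnerable


def scan_plugin_folder(folder):
    """Map each expected DLL name to (version or status, vulnerable?)."""
    results = {}
    for name in DLLS:
        path = Path(folder) / name
        if not path.is_file():
            results[name] = ("missing", False)
            continue
        version = openssl_version_from_bytes(path.read_bytes())
        results[name] = (version or "unknown",
                         bool(version) and is_heartbleed_vulnerable(version))
    return results


def demo_scan():
    """Run the scanner over a constructed stand-in for a JavaHL plugin folder:
    the DLL bodies are fake and only carry the banner string."""
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "libeay32.dll").write_bytes(b"MZ\x00OpenSSL 1.0.1f 6 Jan 2014\x00")
        (Path(d) / "ssleay32.dll").write_bytes(b"MZ\x00OpenSSL 1.0.1g 7 Apr 2014\x00")
        return scan_plugin_folder(d)


if __name__ == "__main__":
    for name, (version, vulnerable) in demo_scan().items():
        print(f"{name}: {version} {'VULNERABLE' if vulnerable else 'ok'}")
```

Point `scan_plugin_folder` at the real JavaHL plugin folder to check an installed Subclipse; a mismatch between the two DLLs means only one of them was replaced.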
http://subclipse.tigris.org/ds/viewMessage.do?dsForumId=1047&dsMessageId=3076983
Received on 2014-04-24 14:28:17 CEST

This is an archived mail posted to the Subclipse Users mailing list.
