
Re: Recent Heartbleed OpenSSL bug may affect HTTPS Subversion servers

From: Hannes Erven <hannes_at_erven.at>
Date: Fri, 11 Apr 2014 12:08:38 +0200

Hi all,

Daniel Shahaf wrote:
> Nico Kadel-Garcia wrote on Thu, Apr 10, 2014 at 23:53:14 -0400:
>> I was just realizing that no one has mentioned it here: For anyone
>> running HTTPS based Subversion servers, they should really take a good
>> look at whether their web server is vulnerable to the "HeartBleed"
>> security problem in OpenSSL.
>
> Repositories served exclusively with http:// (non-SSLed), svn+ssh://,
> and/or svn://-with-SASL-disabled are not affected.

This is not entirely correct: any web server process with openssl-based
SSL enabled was vulnerable. So even if the repository itself wasn't
served on HTTPS, but some other vhost was, you're still affected.

Best regards,

        -hannes
Received on 2014-04-11 12:23:12 CEST
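
Added example, not part of the archived message: a sketch of the check Hannes's point implies, which is to look at every vhost in the server process rather than only the one serving the repository. It assumes Apache httpd with the mod_ssl `SSLEngine` and mod_dav_svn `DAV svn` directives; the sample configuration and host names are constructed, and the function names are hypothetical. Whether the linked OpenSSL build is a vulnerable one is a separate check.

```python
import re

# Constructed sample config (not from the thread): the repository vhost is
# plain HTTP, while another vhost in the same httpd process has SSL enabled.
SAMPLE_CONF = """\
<VirtualHost *:80>
    ServerName svn.example.org
    <Location /repos>
        DAV svn
        SVNParentPath /srv/svn
    </Location>
</VirtualHost>
# SSLEngine on   (commented out, must be ignored)
<VirtualHost *:443>
    ServerName webmail.example.org
    SSLEngine on
</VirtualHost>
"""

def parse_vhosts(conf_text):
    """Return one record per server context; Include files are not followed."""
    main = {"name": "(main server)", "ssl": False, "svn": False}
    vhosts, current = [main], main
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if re.match(r"<VirtualHost\b", line, re.I):
            current = {"name": "(unnamed vhost)", "ssl": False, "svn": False}
            vhosts.append(current)
        elif re.match(r"</VirtualHost>", line, re.I):
            current = main
        elif m := re.match(r"ServerName\s+(\S+)", line, re.I):
            current["name"] = m.group(1)
        elif re.match(r"SSLEngine\s+on\b", line, re.I):
            current["ssl"] = True
        elif re.match(r"DAV\s+svn\b", line, re.I):
            current["svn"] = True
    return vhosts

def assess(conf_text):
    """Per the post: SSL on any vhost puts the whole server process in scope."""
    vhosts = parse_vhosts(conf_text)
    return {
        "ssl_vhosts": [v["name"] for v in vhosts if v["ssl"]],
        "svn_vhosts_without_ssl": [v["name"] for v in vhosts if v["svn"] and not v["ssl"]],
        "process_exposed": any(v["ssl"] for v in vhosts),
    }

if __name__ == "__main__":
    print(assess(SAMPLE_CONF))
```

On the sample, the repository vhost is listed as served without SSL while `process_exposed` is still true, which is the case the reply describes.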

This is an archived mail posted to the Subversion Users mailing list.
