On 4/10/14, 9:53 PM, Nico Kadel-Garcia wrote:
> I was just realizing that no one has mentioned it here: For anyone
> running HTTPS-based Subversion servers, they should really take a good
> look at whether their web server is vulnerable to the "HeartBleed"
> security problem in OpenSSL. There are various good write-ups about
> it, but even an internal website vulnerable to these hacks could
> apparently have usernames and passwords stolen by a zombied or
> rootkitted host inside your network. So strongly consider updating
> *all* your websites to avoid the bug, and other bugs, and strongly
> consider your password management and expiration procedures for
> vulnerabilities that may have been exploited any time in the last two
> years.
>
> http://www.theatlantic.com/technology/archive/2014/04/how-to-check-if-a-site-is-safe-from-heartbleed/360417/

For what it's worth, we're preparing specific advice for admins (so much as we
can), but it is taking some time to complete, largely because we lack much in
the way of handling revoked certificates. I hope to have something up later
today on the users@, dev@ and announce@ lists.
Received on 2014-04-11 15:15:13 CEST