Re: Recent Heartbleed OpenSSL bug may affect HTTPS Subversion servers

From: Thorsten Schöning <tschoening_at_am-soft.de>
Date: Sat, 12 Apr 2014 10:30:10 +0200

Hello Ben Reser,
on Saturday, 12 April 2014 at 01:10 you wrote:

> As such even if you only have your Subversion repository running over
> HTTP, if you have SSL enabled for some other purpose, your Subversion related
> data in memory might be exposed.

Are you sure about that? From my understanding it is necessary that
data passes OpenSSL's memory to get retrieved because it implements
its own malloc. I had the feeling that in case of Heartbleed only
sending passwords over http would have been the "more secure" way
because in that case they wouldn't have been retrievable because they
never passed memory allocated using OPENSSL_malloc() at all.

Kind regards,

Thorsten Schöning

-- 
Thorsten Schöning       E-Mail:Thorsten.Schoening_at_AM-SoFT.de
AM-SoFT IT-Systeme      http://www.AM-SoFT.de/
Phone.............05151-  9468- 55
Fax...............05151-  9468- 88
Mobile.............0178-8 9468- 04
AM-SoFT GmbH IT-Systeme, Brandenburger Str. 7c, 31789 Hameln
AG Hannover HRB 207 694 - Managing Director: Andreas Muchow
Received on 2014-04-12 10:30:53 CEST

This is an archived mail posted to the Subversion Users mailing list.
