Re: Recent Heartbleed OpenSSL bug may affect HTTPS Subversion servers

2014-04-12 Thread Thorsten Schöning
Guten Tag Ben Reser, am Samstag, 12. April 2014 um 01:10 schrieben Sie: > As such even if you only have your Subversion repository running over > HTTP, if you have SSL enabled for some other purpose, your Subversion related > data in memory might be exposed. Are you sure about that? From my under

Re: Recent Heartbleed OpenSSL bug may affect HTTPS Subversion servers

2014-04-12 Thread Nico Kadel-Garcia
On Fri, Apr 11, 2014 at 10:26 PM, Nico Kadel-Garcia wrote: > On Fri, Apr 11, 2014 at 7:10 PM, Ben Reser wrote: >> On 4/11/14, 12:52 PM, Nico Kadel-Garcia wrote: >>> Do you have a pointer to that? It's a reasonable claim, I'd just not >>> seen anything for verifying it or testing against HTTP site

Restricting repository access with authz

2014-04-12 Thread Justin Mrkva
I have an Apache server running mod_dav_svn and mod_authz_svn with several repositories, each with several projects which each contain the “typical 3” folders, where /svn is the base SVN path for access via HTTPS*. Kind of like this: /svn repository1 project1 branches

Re: Recent Heartbleed OpenSSL bug may affect HTTPS Subversion servers

2014-04-12 Thread Ben Reser
On 4/12/14, 1:30 AM, Thorsten Schöning wrote: > Are you sure about that? From my understanding it is necessary that > data passes OpenSSL's memory to get retrieved because it implements > its own malloc. I had the feeling that in case of heartbleed only > sending passwords over http would have bee

Re: Recent Heartbleed OpenSSL bug may affect HTTPS Subversion servers

2014-04-12 Thread Stefan Sperling
On Sat, Apr 12, 2014 at 11:33:36AM -0700, Ben Reser wrote: > On 4/12/14, 1:30 AM, Thorsten Schöning wrote: > > Are you sure about that? From my understanding it is necessary that > > data passes OpenSSL's memory to get retrieved because it implements > > its own malloc. I had the feeling that in c

Re: Recent Heartbleed OpenSSL bug may affect HTTPS Subversion servers

2014-04-12 Thread Nico Kadel-Garcia
For our own safety and benefit of combined HTTP/HTTPS servers for Subversion worldwide: is there a published test to verify that HTTP servers do not have the same flaw due to also being configured for SSL? On Sat, Apr 12, 2014 at 2:33 PM, Ben Reser wrote: > On 4/12/14, 1:30 AM, Thorsten Schöning

Subversion and Heartbleed

2014-04-12 Thread Ben Reser
As you may have heard in the news OpenSSL has had a significant security vulnerability [1] [2]. Subversion by way of several of our dependencies uses OpenSSL. On the client side the Neon and Serf HTTP libraries can use OpenSSL (Neon can also use GNUTLS, which is not vulnerable to this issue) and