Re: Recent Heartbleed OpenSSL bug may affect HTTPS Subversion servers

2014-04-15 Thread Nico Kadel-Garcia
On Mon, Apr 14, 2014 at 1:47 PM, Ben Reser wrote: > On 4/12/14, 3:41 PM, Nico Kadel-Garcia wrote: >> For our own safety and benefit of combined HTTP/HTTPS servers for >> Subversion worldwide: is there a published test to verify that HTTP >> servers do not have the same flaw due to also being conf

Re: Recent Heartbleed OpenSSL bug may affect HTTPS Subversion servers

2014-04-14 Thread Ben Reser
On 4/12/14, 3:41 PM, Nico Kadel-Garcia wrote: > For our own safety and benefit of combined HTTP/HTTPS servers for > Subversion worldwide: is there a published test to verify that HTTP > servers do not have the same flaw due to also being configured for > SSL? Stefan Sperling replied to you on the

Re: Recent Heartbleed OpenSSL bug may affect HTTPS Subversion servers

2014-04-12 Thread Nico Kadel-Garcia
For our own safety and benefit of combined HTTP/HTTPS servers for Subversion worldwide: is there a published test to verify that HTTP servers do not have the same flaw due to also being configured for SSL? On Sat, Apr 12, 2014 at 2:33 PM, Ben Reser wrote: > On 4/12/14, 1:30 AM, Thorsten Schöning

Re: Recent Heartbleed OpenSSL bug may affect HTTPS Subversion servers

2014-04-12 Thread Stefan Sperling
On Sat, Apr 12, 2014 at 11:33:36AM -0700, Ben Reser wrote: > On 4/12/14, 1:30 AM, Thorsten Schöning wrote: > > Are you sure about that? From my understanding it is necessary that > > data passes OpenSSL's memory to get retrieved because it implements > > its own malloc. I had the feeling that in c

Re: Recent Heartbleed OpenSSL bug may affect HTTPS Subversion servers

2014-04-12 Thread Ben Reser
On 4/12/14, 1:30 AM, Thorsten Schöning wrote: > Are you sure about that? From my understanding it is necessary that > data passes OpenSSL's memory to get retrieved because it implements > its own malloc. I had the feeling that in case of heartbleed only > sending passwords over http would have bee

Re: Recent Heartbleed OpenSSL bug may affect HTTPS Subversion servers

2014-04-12 Thread Nico Kadel-Garcia
On Fri, Apr 11, 2014 at 10:26 PM, Nico Kadel-Garcia wrote: > On Fri, Apr 11, 2014 at 7:10 PM, Ben Reser wrote: >> On 4/11/14, 12:52 PM, Nico Kadel-Garcia wrote: >>> Do you have a pointer to that? It's a reasonable claim, I'd just not >>> seen anything for verifying it or testing against HTTP site

Re: Recent Heartbleed OpenSSL bug may affect HTTPS Subversion servers

2014-04-12 Thread Thorsten Schöning
Good day Ben Reser, on Saturday, 12 April 2014 at 01:10 you wrote: > As such even if you only have your Subversion repository running over > HTTP, if you have SSL enabled for some other purpose, your Subversion related > data in memory might be exposed. Are you sure about that? From my under

Re: Recent Heartbleed OpenSSL bug may affect HTTPS Subversion servers

2014-04-11 Thread Nico Kadel-Garcia
On Fri, Apr 11, 2014 at 7:10 PM, Ben Reser wrote: > On 4/11/14, 12:52 PM, Nico Kadel-Garcia wrote: >> Do you have a pointer to that? It's a reasonable claim, I'd just not >> seen anything for verifying it or testing against HTTP sites that have >> HTTPS enabled, perhaps even with HTTPS only acces

Re: Recent Heartbleed OpenSSL bug may affect HTTPS Subversion servers

2014-04-11 Thread Ben Reser
On 4/11/14, 12:52 PM, Nico Kadel-Garcia wrote: > Do you have a pointer to that? It's a reasonable claim, I'd just not > seen anything for verifying it or testing against HTTP sites that have > HTTPS enabled, perhaps even with HTTPS only accessible behind a > closed firewall for administrative user

Re: Recent Heartbleed OpenSSL bug may affect HTTPS Subversion servers

2014-04-11 Thread Stefan Sperling
On Fri, Apr 11, 2014 at 03:52:57PM -0400, Nico Kadel-Garcia wrote: > On Fri, Apr 11, 2014 at 6:08 AM, Hannes Erven wrote: > > This is not entirely correct: any web server process with openssl-based SSL > > enabled was vulnerable. So even if the repository itself wasn't > > served on HTTPS, but som

Re: Recent Heartbleed OpenSSL bug may affect HTTPS Subversion servers

2014-04-11 Thread Nico Kadel-Garcia
On Fri, Apr 11, 2014 at 6:08 AM, Hannes Erven wrote: > Hi all, > > > > Daniel Shahaf wrote: >> >> Nico Kadel-Garcia wrote on Thu, Apr 10, 2014 at 23:53:14 -0400: >>> >>> I was just realizing that no one has mentioned it here: For anyone >>> running HTTPS based Subversion servers, they should reall

Re: Recent Heartbleed OpenSSL bug may affect HTTPS Subversion servers

2014-04-11 Thread Ben Reser
On 4/10/14, 9:53 PM, Nico Kadel-Garcia wrote: > I was just realizing that no one has mentioned it here: For anyone > running HTTPS based Subversion servers, they should really take a good > look at whether their web server is vulnerable to the "HeartBleed" > security problem in OpenSSL. There are v

Re: Recent Heartbleed OpenSSL bug may affect HTTPS Subversion servers

2014-04-11 Thread Hannes Erven
Hi all, Daniel Shahaf wrote: Nico Kadel-Garcia wrote on Thu, Apr 10, 2014 at 23:53:14 -0400: I was just realizing that no one has mentioned it here: For anyone running HTTPS based Subversion servers, they should really take a good look at whether their web server is vulnerable to the "HeartBle

Re: Recent Heartbleed OpenSSL bug may affect HTTPS Subversion servers

2014-04-11 Thread Daniel Shahaf
Nico Kadel-Garcia wrote on Thu, Apr 10, 2014 at 23:53:14 -0400: > I was just realizing that no one has mentioned it here: For anyone > running HTTPS based Subversion servers, they should really take a good > look at whether their web server is vulnerable to the "HeartBleed" > security problem in Op

Recent Heartbleed OpenSSL bug may affect HTTPS Subversion servers

2014-04-10 Thread Nico Kadel-Garcia
I was just realizing that no one has mentioned it here: For anyone running HTTPS based Subversion servers, they should really take a good look at whether their web server is vulnerable to the "HeartBleed" security problem in OpenSSL. There are various good write-ups about it, but even an internal w