Re: Subversion and Heartbleed

2014-04-13 Thread Nico Kadel-Garcia
On Sat, Apr 12, 2014 at 10:08 PM, Ben Reser bre...@apache.org wrote:
> This specific issue lies in the implementation of a feature of the SSL/TLS protocols. Apache HTTP Servers running mod_ssl to provide SSL/TLS are vulnerable. While svnserve does support encryption via Cyrus SASL, and Cyrus

Re: Subversion and Heartbleed

2014-04-13 Thread Stefan Sperling
On Sun, Apr 13, 2014 at 07:21:26AM -0400, Nico Kadel-Garcia wrote:
> I'm assuming that the vulnerability for particular httpd (Apache 2.x) web servers is *only* activated when the mod_ssl module is loaded,

Yes. The server must perform TLS negotiation using a vulnerable OpenSSL version. Data

Subversion and Heartbleed

2014-04-12 Thread Ben Reser
As you may have heard in the news, OpenSSL has had a significant security vulnerability [1] [2]. Subversion, by way of several of our dependencies, uses OpenSSL. On the client side, the Neon and Serf HTTP libraries can use OpenSSL (Neon can also use GNUTLS, which is not vulnerable to this issue) and