On Sun, Apr 13, 2014 at 07:21:26AM -0400, Nico Kadel-Garcia wrote:
> I'm assuming that the vulnerability for particular httpd (Apache 2.x)
> web servers is *only* activated when the "mod_ssl" module is loaded,
Yes. The server must perform TLS negotiation using a vulnerable
OpenSSL version. Data le

On Sat, Apr 12, 2014 at 10:08 PM, Ben Reser wrote:
> This specific issue lies in the implementation of a feature of the SSL/TLS
> protocols. Apache HTTP Servers running mod_ssl to provide SSL/TLS are
> vulnerable. While svnserve does support encryption via Cyrus SASL, and Cyrus
> SASL does use

As you may have heard in the news, OpenSSL has had a significant security
vulnerability [1] [2]. Subversion, by way of several of our dependencies, uses
OpenSSL. On the client side, the Neon and Serf HTTP libraries can use OpenSSL
(Neon can also use GNUTLS, which is not vulnerable to this issue) and