On Fri, Apr 11, 2014 at 6:08 AM, Hannes Erven <han...@erven.at> wrote:
> Hi all,
>
> Daniel Shahaf wrote:
>>
>> Nico Kadel-Garcia wrote on Thu, Apr 10, 2014 at 23:53:14 -0400:
>>>
>>> I was just realizing that no one has mentioned it here: For anyone
>>> running HTTPS based Subversion servers, they should really take a good
>>> look at whether their web server is vulnerable to the "HeartBleed"
>>> security problem in OpenSSL.
>>
>>
>> Repositories served exclusively with http:// (non-SSLed), svn+ssh://,
>> and/or svn://-with-SASL-disabled are not affected.
>
>
> This is not entirely correct: any web server process with openssl-based SSL
> enabled was vulnerable. So even if the repository itself wasn't
> served on HTTPS, but some other vhost was, you're still affected.

Do you have a pointer to that? It's a reasonable claim, I'd just not seen anything for verifying it or testing against HTTP sites that have HTTPS enabled, perhaps even with HTTPS only accessible behind a closed firewall for an administrative user.