Skip site navigation (1)Skip section navigation (2)
Date:      Wed, 09 Apr 2014 23:44:47 -0700
From:      Xin Li <delphij@delphij.net>
To:        Jon Boley <jon@airsltd.com>, freebsd-stable@freebsd.org
Subject:   Re: FreeBSD, VPS and Heartbleed
Message-ID:  <53463DDF.2020602@delphij.net>
In-Reply-To: <5346330B.1020203@airsltd.com>
References:  <5346330B.1020203@airsltd.com>

next in thread | previous in thread | raw e-mail | index | archive | help
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 4/9/14, 10:58 PM, Jon Boley wrote:
> Hello,
> 
> I'm running 9.2 and my openssl is a safe version.
> 
> However, I do have a VPS running 9.2 and wonder if I should be
> concerned about the system that is providing me with the VPS.

I can't speak for anything that the VPS provider is running.  However,
the worst case scenario when a process is linked with vulnerable
version of OpenSSL is that data in *that* process's virtual memory
address space could be leaked.

As long as your VPS provider can make sure that there is no memory
pages being shared between virtual hosts and as long as you are not
using anything vulnerable, you should NOT be affected by the issue.

However, keep in mind that if your VPS provider runs vulnerable
OpenSSL versions that are used in their e.g. login system, and you
have logged in (thus your credential data are in memory), then there
is possibility that these sensitive data may be used in an attack.

Also, should there be any vulnerability found in the hypervisor your
VPS provider is running that would allow stealing memory contents from
your virtual system, you may also at risk, but this is not related to
the OpenSSL issue and there is few things you can do with that other
than asking the VPS provider to apply security patches in timely manner.

Cheers,
-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJTRj3fAAoJEJW2GBstM+nsvPgP/04QKY8fHGtcIBWjCGtzEWzq
4Vot9t7tGdGblWa70tKwSUICTsRH6kAZVqaXZ8d9w0lniMgLCTRcqaPp9wLV6mW+
yaQ9GpcpiOgaPi5PVpsf1IpMwHdEqkQgC2ru0RQzSlxU13koxP4ia5cWz9i49k9t
DX25PXETE6gxKalLJLRlE9d20MNcv/8vi+OlhwmRyW3xt1LrbS0gbPofEkv0qtyT
54vB+hNOqBd8rHWLRDS9i3+Iqz1uLY06LCbrHsXwUvc3fXcrOukyEovcL7tLo7bm
V1sJaRQj6lSG4+eZ37+l4NNXvp55FxZWiVbovONY1cmeX3Ri5UKBl5fTa7y8ZGkY
dzMkddpOaSz60MR5zNpXmXNrq28AExT5kzJLeoPogaFjMAY2x3Rk/TIdw/wA2FHH
paCR7ufiq2qWe9Fpt4yUeUF6dUWvNLpSPZ7aRWG1jesFeFHuY/teQaUYyivGRK0z
4YLCQql3Xk4XdGbJHq66KRmrlyXxXS/v4TBrytTUaVFvGOpER67ZPpnF7lxCkib1
bquRJfstG6Bqnn5ieKPE/uVx8iPk24Tr0GtDCGHfG0j0xSGE6/oC1wBf/VNruAxI
e2aImxPg/S9JTpp7Fc2xiwQHoU6rI+MGkouQ0a8lEyD3St4qo7pMiqBM/BiFILCv
FG1WzifX1QqUiQcc4Juo
=X0VX
-----END PGP SIGNATURE-----



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?53463DDF.2020602>