Date: Wed, 09 Apr 2014 23:44:47 -0700
From: Xin Li <delphij@delphij.net>
To: Jon Boley <jon@airsltd.com>, freebsd-stable@freebsd.org
Subject: Re: FreeBSD, VPS and Heartbleed
Message-ID: <53463DDF.2020602@delphij.net>
In-Reply-To: <5346330B.1020203@airsltd.com>
References: <5346330B.1020203@airsltd.com>

On 4/9/14, 10:58 PM, Jon Boley wrote:
> Hello,
>
> I'm running 9.2 and my openssl is a safe version.
>
> However, I do have a VPS running 9.2 and wonder if I should be
> concerned about the system that is providing me with the VPS.

I can't speak for anything that the VPS provider is running. However, the worst case scenario when a process is linked with a vulnerable version of OpenSSL is that data in *that* process's virtual memory address space could be leaked.

As long as your VPS provider can make sure that there are no memory pages being shared between virtual hosts and as long as you are not using anything vulnerable, you should NOT be affected by the issue.

However, keep in mind that if your VPS provider runs vulnerable OpenSSL versions that are used in e.g. their login system, and you have logged in (thus your credential data are in memory), then there is a possibility that these sensitive data may be used in an attack.

Also, should there be any vulnerability found in the hypervisor your VPS provider is running that would allow stealing memory contents from your virtual system, you may also be at risk, but this is not related to the OpenSSL issue and there are few things you can do about that other than asking the VPS provider to apply security patches in a timely manner.

Cheers,