On Wed, Apr 09, 2014 at 09:36:25AM -0400, James B. Byrne wrote:
> However, if one was running an affected service, say httpd/mod_ssl, on a host
> that had sftp sessions connected to it then would not the ssh private keys of
> the host and local users be in memory and therefore readable by the exploit?
[...]
> state. As I understand the exploit it allows systematic transfer of every byte
> in memory which would include the unprotected keys would it not?

I'm pretty sure the exploit can only read the memory of the process and not of the kernel; "apache" shouldn't be able to read the memory space of a root process. If it could then we'd have no key security at all, anyway! This isn't a privilege escalation attack...

-- 
rgds
Stephen
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
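An added example, not part of the original message: since the reply's point is that the read is confined to the memory of the process using the affected library, this Python code finds which processes have libssl (the library mod_ssl loads) mapped by parsing /proc/<pid>/maps, and flags mappings marked "(deleted)", meaning the process still runs a library file that has since been replaced on disk. The sample maps text, paths and the function names are constructed for illustration.

```python
import os
import re

# Path column of a /proc/<pid>/maps line naming a libssl shared object.
LIBSSL_RE = re.compile(r"/libssl\.so[^/\s]*$")

def maps_libssl(maps_text):
    """Return sorted libssl mappings found in one process's maps text."""
    found = set()
    for line in maps_text.splitlines():
        fields = line.split(None, 5)  # addr perms offset dev inode [path]
        if len(fields) == 6:
            path = fields[5].strip()
            # "(deleted)" = file replaced on disk, old copy still in use.
            if LIBSSL_RE.search(path.replace(" (deleted)", "")):
                found.add(path)
    return sorted(found)

def scan_proc(proc_root="/proc"):
    """Live scan: {pid: [libssl mappings]} for processes we may inspect."""
    hits = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "maps")) as fh:
                libs = maps_libssl(fh.read())
        except OSError:  # process exited, or maps not readable by this user
            continue
        if libs:
            hits[int(entry)] = libs
    return hits

# Constructed sample maps text (not captured from a real host).
HTTPD_MAPS = """\
7f3a1b800000-7f3a1b9c0000 r-xp 00000000 fd:00 131077 /usr/lib64/libcrypto.so.10
7f3a1c000000-7f3a1c062000 r-xp 00000000 fd:00 131090 /usr/lib64/libssl.so.10 (deleted)
7f3a1d000000-7f3a1d021000 rw-p 00000000 00:00 0 [heap]
"""
SSHD_MAPS = """\
7f9e40000000-7f9e401c0000 r-xp 00000000 fd:00 131077 /usr/lib64/libcrypto.so.10
7f9e41000000-7f9e41021000 rw-p 00000000 00:00 0 [heap]
"""

if __name__ == "__main__":
    print("httpd sample:", maps_libssl(HTTPD_MAPS))
    print("sshd sample: ", maps_libssl(SSHD_MAPS))
    if os.path.isdir("/proc"):
        for pid, libs in sorted(scan_proc().items()):
            print(pid, libs)
```

Run as root to see every process; as an ordinary user the live scan only covers processes whose maps that user may read.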