On 04/09/2014 07:40 AM, Stephen Harris wrote: > On Wed, Apr 09, 2014 at 09:36:25AM -0400, James B. Byrne wrote: >> However, if one was running an affected service, say httpd/ mod_ssl, on a host >> that had sftp sessions connected to it then would not the ssh private keys of >> the host and local users be in memory and therefore readable by the exploit? > [...] > >> state. As I understand the exploit it allows systematic transfer of every byte >> in memory which would include the unprotected keys would it not? > I'm pretty sure the exploit can only read the memory of the process and not > of the kernel; "apache" shouldn't be able to read the memory space of a > root process. If it could then we'd have no key security at all, anyway! > This isn't a privilege escalation attack... > According to heartbleed,org, private keys for httpd (or other TLS / SSL services) are readable. Though the 64KB bit of memory obtainable is random, so its not like they can just ask for the private keys or query a database for someone's password, etc. They could only get a random chunk of things active in memory when they make the request. For what its worth, CentOS.org is replacing our certificate private keys. Others can obviously make their own choices. Thanks, Johnny Hughes
Attachment:
signature.asc
Description: OpenPGP digital signature
_______________________________________________ CentOS mailing list CentOS@xxxxxxxxxx http://lists.centos.org/mailman/listinfo/centos
