FUDforum: comp.lang.php » Heartbleed bug?

Home » Imported messages » comp.lang.php » Heartbleed bug?

Show: Today's Messages :: Polls :: Message Navigator

Re: Heartbleed bug? [message #185555 is a reply to message #185551]

Thu, 10 April 2014 23:14

Denis McMahon
Messages: 634
Registered: September 2010

Karma:

Senior Member

On Thu, 10 Apr 2014 22:56:34 +0200, Arno Welzel wrote:

> Denis McMahon, 2014-04-10 17:50:
>
>> On Thu, 10 Apr 2014 08:57:54 +0200, Arno Welzel wrote:
>>
>>> To be precise: If the installed PHP version is linked against OpenSSL
>>> then it should be replaced with a patched version of course.
>>
>> Is simply being linked against the buggy openssl enough to be
>> exploitable? As I understand it the openssl code needs to be invoked
>> (eg
>
> No. The bug is only exploitable if you run a SSL/TLS server - which is
> possible using PHP.
>
>> https) for the bug to actually expose data.

Sorry, but you seem to be saying "No" and then agreeing with me. Perhaps
it's the way you have quote-replied, and I'm reading your "No" as
applying to a different part of the quoted text to that which you
intended it to refer?

Are you saying "No" to the question:

>> Is simply being linked against the buggy openssl enough to be
>> exploitable?

Or the statement:

>> As I understand it the openssl code needs to be invoked
>> (eg https) for the bug to actually expose data.

Because I can't tell from the way you quoted me which of these you're
saying no to, and depending which applies, you're either agreeing with my
position or disputing it.

> "it's just PHP, nothing to worry about any library bugs" - is also not
> the right way to deal with security problems.

That's not what I'm saying. What I am saying is that as I understand it,
in this specific case, you only have a php issue if your php code is
making ssl / tsl connections using the vulnerable OpenSSL library, and
that is something that the admin and / or coders responsible for a system
needs to determine for themselves given their knowledge of what their
system does.

I don't know enough about your code, Jerry's code, or anyone elses code
(except maybe richard's[1], we all know too much about richard's code) to
determine whether that person's php code is vulnerable to this exploit.

[1] I doubt richard's code is vulnerable to this exploit, the universe's
life expectancy is insufficient for him to develop the coding competency
required to implement a server process in php.

--
Denis McMahon, denismfmcmahon(at)gmail(dot)com

Report message to a moderator

[Message index]

		Heartbleed bug? By: Kevin Burton on Wed, 09 April 2014 12:24
		Re: Heartbleed bug? By: Jerry Stuckle on Wed, 09 April 2014 13:17
		Re: Heartbleed bug? By: Robert Heller on Wed, 09 April 2014 13:56
		Re: Heartbleed bug? By: Jerry Stuckle on Wed, 09 April 2014 15:21
		Re: Heartbleed bug? By: Christoph Michael Bec on Wed, 09 April 2014 15:43
		Re: Heartbleed bug? By: Jerry Stuckle on Wed, 09 April 2014 17:37
		Re: Heartbleed bug? By: Arno Welzel on Thu, 10 April 2014 06:51
		Re: Heartbleed bug? By: Jerry Stuckle on Thu, 10 April 2014 11:52
		Re: Heartbleed bug? By: Christoph Michael Bec on Thu, 10 April 2014 12:03
		Re: Heartbleed bug? By: Jerry Stuckle on Thu, 10 April 2014 16:36
		Re: Heartbleed bug? By: Denis McMahon on Thu, 10 April 2014 23:01
		Re: Heartbleed bug? By: The Natural Philosoph on Thu, 10 April 2014 23:47
		Re: Heartbleed bug? By: Eli the Bearded on Fri, 11 April 2014 00:38
		Re: Heartbleed bug? By: Jerry Stuckle on Fri, 11 April 2014 01:58
		Re: Heartbleed bug? By: Denis McMahon on Fri, 11 April 2014 02:59
		Re: Heartbleed bug? By: The Natural Philosoph on Fri, 11 April 2014 03:36
		Re: Heartbleed bug? By: Jerry Stuckle on Fri, 11 April 2014 16:08
		Re: Heartbleed bug? By: Arno Welzel on Thu, 10 April 2014 20:54
		Re: Heartbleed bug? By: Denis McMahon on Thu, 10 April 2014 22:45
		Re: Heartbleed bug? By: Arno Welzel on Fri, 11 April 2014 06:33
		Re: Heartbleed bug? By: Denis McMahon on Thu, 10 April 2014 15:47
		Re: Heartbleed bug? By: Robert Heller on Wed, 09 April 2014 15:56
		Re: Heartbleed bug? By: Jerry Stuckle on Wed, 09 April 2014 17:38
		Re: Heartbleed bug? By: M. Strobel on Wed, 09 April 2014 22:11
		Re: Heartbleed bug? By: Jerry Stuckle on Thu, 10 April 2014 11:53
		Re: Heartbleed bug? By: The Natural Philosoph on Wed, 09 April 2014 20:02
		Re: Heartbleed bug? By: Adam Harvey on Wed, 09 April 2014 23:43
		Re: Heartbleed bug? By: Eli the Bearded on Thu, 10 April 2014 00:01
		Re: Heartbleed bug? By: Arno Welzel on Thu, 10 April 2014 06:43
		Re: Heartbleed bug? By: Arno Welzel on Thu, 10 April 2014 06:57
		Re: Heartbleed bug? By: Denis McMahon on Thu, 10 April 2014 15:50
		Re: Heartbleed bug? By: The Natural Philosoph on Thu, 10 April 2014 18:37
		Re: Heartbleed bug? By: Arno Welzel on Thu, 10 April 2014 20:56
		Re: Heartbleed bug? By: M. Strobel on Thu, 10 April 2014 21:32
		Re: Heartbleed bug? By: Denis McMahon on Thu, 10 April 2014 23:14
		Re: Heartbleed bug? By: Arno Welzel on Fri, 11 April 2014 06:23
		Re: Heartbleed bug? By: Denis McMahon on Thu, 10 April 2014 15:42
		Re: Heartbleed bug? By: Arno Welzel on Fri, 11 April 2014 11:00

Previous Topic:	cURL and response code 302
Next Topic:	PHP Parse error: syntax error, unexpected '$sql' (T_VARIABLE) in

Goto Forum:

-=] Back to Top [=-

[ Syndicate this forum (XML) ] [

]

Current Time: Sat May 18 06:48:02 GMT 2024

Total time taken to generate the page: 0.05656 seconds