FUDforum
Fast Uncompromising Discussions. FUDforum will get your users talking.

Home » Imported messages » comp.lang.php » Heartbleed bug?
Show: Today's Messages :: Polls :: Message Navigator
Return to the default flat view Create a new topic Submit Reply
Re: Heartbleed bug? [message #185555 is a reply to message #185551] Thu, 10 April 2014 23:14 Go to previous messageGo to previous message
Denis McMahon is currently offline  Denis McMahon
Messages: 634
Registered: September 2010
Karma:
Senior Member
On Thu, 10 Apr 2014 22:56:34 +0200, Arno Welzel wrote:

> Denis McMahon, 2014-04-10 17:50:
>
>> On Thu, 10 Apr 2014 08:57:54 +0200, Arno Welzel wrote:
>>
>>> To be precise: If the installed PHP version is linked against OpenSSL
>>> then it should be replaced with a patched version of course.
>>
>> Is simply being linked against the buggy openssl enough to be
>> exploitable? As I understand it the openssl code needs to be invoked
>> (eg
>
> No. The bug is only exploitable if you run a SSL/TLS server - which is
> possible using PHP.
>
>> https) for the bug to actually expose data.

Sorry, but you seem to be saying "No" and then agreeing with me. Perhaps
it's the way you have quote-replied, and I'm reading your "No" as
applying to a different part of the quoted text to that which you
intended it to refer?

Are you saying "No" to the question:

>> Is simply being linked against the buggy openssl enough to be
>> exploitable?

Or the statement:

>> As I understand it the openssl code needs to be invoked
>> (eg https) for the bug to actually expose data.

Because I can't tell from the way you quoted me which of these you're
saying no to, and depending which applies, you're either agreeing with my
position or disputing it.

> "it's just PHP, nothing to worry about any library bugs" - is also not
> the right way to deal with security problems.

That's not what I'm saying. What I am saying is that as I understand it,
in this specific case, you only have a php issue if your php code is
making ssl / tsl connections using the vulnerable OpenSSL library, and
that is something that the admin and / or coders responsible for a system
needs to determine for themselves given their knowledge of what their
system does.

I don't know enough about your code, Jerry's code, or anyone elses code
(except maybe richard's[1], we all know too much about richard's code) to
determine whether that person's php code is vulnerable to this exploit.

[1] I doubt richard's code is vulnerable to this exploit, the universe's
life expectancy is insufficient for him to develop the coding competency
required to implement a server process in php.

--
Denis McMahon, denismfmcmahon(at)gmail(dot)com
[Message index]
 
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Previous Topic: cURL and response code 302
Next Topic: PHP Parse error: syntax error, unexpected '$sql' (T_VARIABLE) in
Goto Forum:
  

-=] Back to Top [=-
[ Syndicate this forum (XML) ] [ RSS ]

Current Time: Sat Nov 23 18:09:39 GMT 2024

Total time taken to generate the page: 0.04371 seconds