FUDforum
Fast Uncompromising Discussions. FUDforum will get your users talking.

Home » Imported messages » comp.lang.php » Heartbleed bug?
Show: Today's Messages :: Polls :: Message Navigator
Return to the default flat view Create a new topic Submit Reply
Re: Heartbleed bug? [message #185562 is a reply to message #185553] Fri, 11 April 2014 06:33 Go to previous messageGo to previous message
Arno Welzel is currently offline  Arno Welzel
Messages: 317
Registered: October 2011
Karma:
Senior Member
Denis McMahon, 2014-04-11 00:45:

> On Thu, 10 Apr 2014 22:54:01 +0200, Arno Welzel wrote:
>
>> The fact is, that stream_socket_enable_crypto() allows to build a server
>> which listens on a socket to accept incoming SSL/TLS connections and
>> uses OpenSSL for this.
>>
>> OpenSSL up to 1.0.1f has a now well known vulnerability for that use
>> case.
>>
>> Ask who ever you want. If you got the answers that prove all this wrong,
>> do the rest of us a favour and tell us.
>
> Yes, but for that issue to affect your (or my, or Jerry's) code, we'd
> have had to write our own SSL/TLS enabled server in PHP.
>
> And for that issue to affect anyone elses code, they'd have had to write
> their own SSL/TLS enabled server in PHP.
>
> So this comes back to: The "heartbleed" exploit will only affect your php
> code if your php code is linked against the exploitable OpenSSL libraries
> *AND* your code calls functions in those libraries that expose the
> exploits.

That's correct.

> And to know that you need to know which functions of the libraries are
> exploitable, and whether your code calls those functions. It's impossible
> for anyone, without reviewing another persons code, to tell whether that
> other person's code is exposed to this exploit or not, and that is the
> point that I believe Jerry is trying to make, and that you are so
> abstrusely refusing to recognise.

Of course not *every* PHP based application is affected by the OpenSSL bug.

But I refuse to assume the opposite that everything is OK as long as no
one exactly can describe, how the OpenSSL bug may affect PHP
applications. Because concerning PHP in general there *is* a problem
which *can* affect PHP based applications as long as you use a PHP
version without updated OpenSSL libraries.


--
Arno Welzel
http://arnowelzel.de
http://de-rec-fahrrad.de
http://fahrradzukunft.de
[Message index]
 
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Previous Topic: cURL and response code 302
Next Topic: PHP Parse error: syntax error, unexpected '$sql' (T_VARIABLE) in
Goto Forum:
  

-=] Back to Top [=-
[ Syndicate this forum (XML) ] [ RSS ]

Current Time: Wed Nov 27 10:12:41 GMT 2024

Total time taken to generate the page: 0.05332 seconds