Re: [CentOS] CVE-2014-0160 CentOS 6 openssl heartbleed workaround

On Wed, Apr 09, 2014 at 09:36:25AM -0400, James B. Byrne wrote:

However, if one was running an affected service, say httpd/ mod_ssl, on a host that had sftp sessions connected to it then would not the ssh private keys of the host and local users be in memory and therefore readable by the exploit?

[...]

state. As I understand the exploit it allows systematic transfer of every byte in memory which would include the unprotected keys would it not?

I'm pretty sure the exploit can only read the memory of the process and not of the kernel; "apache" shouldn't be able to read the memory space of a root process. If it could then we'd have no key security at all, anyway! This isn't a privilege escalation attack...