[CentOS] CVE-2014-0160 CentOS 6 openssl heartbleed workaround
Stephen Harris
lists at spuddy.org
Wed Apr 9 13:40:28 UTC 2014
On Wed, Apr 09, 2014 at 09:36:25AM -0400, James B. Byrne wrote:
> However, if one was running an affected service, say httpd/ mod_ssl, on a host
> that had sftp sessions connected to it then would not the ssh private keys of
> the host and local users be in memory and therefore readable by the exploit?
[...]
> state. As I understand the exploit it allows systematic transfer of every byte
> in memory which would include the unprotected keys would it not?
I'm pretty sure the exploit can only read the memory of the process and not
of the kernel; "apache" shouldn't be able to read the memory space of a
root process. If it could then we'd have no key security at all, anyway!
This isn't a privilege escalation attack...
--
rgds
Stephen
More information about the CentOS
mailing list