This post is from the CollabNet VersionOne blog and has not been updated since the original publish date.

Last Updated Apr 10, 2014 — Enterprise Agile Planning expert

Subversion and Heartbleed — Are you vulnerable?

You have probably already heard about the OpenSSL vulnerability named Heartbleed (CVE-2014-0160) that is getting so much attention in the press. It is a serious bug: a malformed TLS heartbeat request makes the server answer with up to 64 KB of its own process memory, which can contain private keys, session cookies and user passwords. Making matters worse, the attack leaves absolutely no trace on the server. The heartbeat is handled inside OpenSSL before any HTTP request exists to be logged, so you will not see it in your logs no matter how detailed your logging level, and it does not require any authentication with the server.

This bug impacts the current Subversion binaries we provide, so we have updated those binaries to include the fixed version of OpenSSL, 1.0.1g. Those updates are available now:

http://www.collab.net/downloads/subversion

For Subversion Edge users, you can get these via the in-app updates. The Subversion Edge version is now 4.0.6. For the regular binaries the version is still 1.8.8 but the package names are 1.8.8-2.

WHO NEEDS THIS UPDATE

This update is only needed on a Subversion server that uses Apache httpd with SSL enabled. You can update your clients if you want to, but the client is not exposed to the server-side attack, and updating it is not part of resolving this issue on your server. UPDATE: there are now scenarios being discussed in which a malicious (or compromised) server sends the same malformed heartbeat requests to a connecting client and reads memory from the client machine. So if you are running a client that links against OpenSSL 1.0.1, it is recommended to update it as well. The binaries linked above also include updated clients, so we have already posted the updates you need.

Only servers running OpenSSL 1.0.1 through 1.0.1f are vulnerable (the 1.0.2-beta1 pre-release is affected too, but is unlikely to be on a production server). The easiest way to check your version is to look in your Apache httpd error_log. When Apache starts, it prints a line like this in that log file:

[Tue Apr 08 10:56:06.087918 2014] [mpm_winnt:notice] [pid 2192:tid 328] AH00455: Apache/2.4.9 (Win64) SVN/1.8.8 OpenSSL/1.0.1g configured -- resuming normal operations

As you can see, this message contains the versions of Apache httpd, Subversion and, most importantly in this case, OpenSSL. The fixed version is 1.0.1g. Note that this is only the version string of the library: for our binaries it is authoritative, but some Linux distributions backported the fix into their existing package without changing the number (a patched build can still report 1.0.1e), so for a vendor-supplied OpenSSL confirm against the vendor's advisory rather than the string alone.

If your server uses OpenSSL 0.9.8 or 1.0.0, you are NOT vulnerable and do not have to update. Reading the log is the best way to determine the version you are using, but if you cannot check the logs, then in terms of the binaries we provide: we started using OpenSSL 1.0.1 on Windows with Subversion 1.8.0, and on Linux and Solaris only with the 1.8.8 and 1.7.16 releases back in February of this year. So if you are on older versions of Subversion, you are probably using OpenSSL 0.9.8 and would not be vulnerable to this attack.
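As an added example (not code from the CollabNet post or its products), here is a small POSIX shell script that applies the check above to an error_log: it pulls the OpenSSL version out of the most recent httpd startup line and classifies it. The sample log it writes is constructed for the example and mirrors the format quoted above; the affected-version list (1.0.1 through 1.0.1f plus 1.0.2-beta1) is the published one.

```shell
#!/bin/sh
# Added example, not CollabNet's tooling: read the httpd startup line from
# error_log and classify the OpenSSL version it reports.  The log format is
# the one quoted in the post; the sample log written below is constructed.
set -eu

# Write a constructed two-restart error_log to $1: the first restart ran a
# vulnerable 1.0.1e build, the second (after upgrading) runs the fixed 1.0.1g.
write_sample_log() {
    cat > "$1" <<'EOF'
[Sun Apr 06 08:00:00.000000 2014] [mpm_winnt:notice] [pid 1111:tid 100] AH00455: Apache/2.4.7 (Win64) SVN/1.8.5 OpenSSL/1.0.1e configured -- resuming normal operations
[Sun Apr 06 08:00:00.100000 2014] [core:notice] [pid 1111:tid 100] AH00094: Command line: 'httpd -D FOREGROUND'
[Tue Apr 08 10:56:06.087918 2014] [mpm_winnt:notice] [pid 2192:tid 328] AH00455: Apache/2.4.9 (Win64) SVN/1.8.8 OpenSSL/1.0.1g configured -- resuming normal operations
EOF
}

# Print the OpenSSL version from the LAST startup line in $1: the most recent
# restart describes the binary currently serving requests.  Prints nothing if
# no "OpenSSL/x.y.z" token is present (mod_ssl not loaded, or log rotated).
latest_openssl_version() {
    sed -n 's/.*OpenSSL\/\([0-9][0-9.]*[a-z]*\(-beta[0-9]*\)*\).*/\1/p' "$1" | tail -n 1
}

# Exit 0 if version string $1 carries the Heartbleed bug.  Affected: 1.0.1
# through 1.0.1f and the 1.0.2-beta1 pre-release.  1.0.1g fixed it, and
# 0.9.8 / 1.0.0 never contained the heartbeat code at all.
is_heartbleed_vulnerable() {
    case "$1" in
        1.0.1|1.0.1a|1.0.1b|1.0.1c|1.0.1d|1.0.1e|1.0.1f|1.0.2-beta1) return 0 ;;
        *) return 1 ;;
    esac
}

# Report on error_log $1.  Exit 0 = not affected, 1 = vulnerable, 2 = undetermined.
check_error_log() {
    v=$(latest_openssl_version "$1")
    if [ -z "$v" ]; then
        echo "no OpenSSL version found in $1 (mod_ssl not loaded, or log rotated?)"
        return 2
    fi
    if is_heartbleed_vulnerable "$v"; then
        echo "OpenSSL/$v: VULNERABLE to Heartbleed, update to 1.0.1g or later"
        return 1
    fi
    echo "OpenSSL/$v: not affected by Heartbleed (as far as the version string shows)"
    return 0
}
```

Run `check_error_log /path/to/error_log`; exit 0 means not affected, 1 vulnerable, 2 undetermined. The check only sees the version string, so a vendor build that backported the fix under the old number is still flagged; treat a flag as a prompt to confirm with the vendor's advisory, not as proof.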

It is worth noting that there are good reasons to move to OpenSSL 1.0.1 rather than stay on 0.9.8, namely that it supports TLS 1.1/1.2, which helps mitigate the BEAST attack.

WHAT ELSE SHOULD YOU DO

This is where things get more tricky. Because it is impossible to know whether your existing server has been compromised, the recommendation is to act as if it has been. Most sites recommend that AFTER you have patched your server, the next step should be to generate a new certificate from a new key pair, install it, and then revoke the certificate it replaces. It is important that you generate a new key pair rather than just a new certificate: the problem you are trying to resolve is that your private key may have been stolen, and a certificate re-issued on the same key would still be usable by whoever holds it.

The other recommendation is to change all user passwords, because those could also have been compromised: Subversion clients send them to httpd inside the TLS session, so they sit in the very memory the bug exposes. If your SVN server authenticates against your corporate LDAP or Active Directory, that means the passwords for those directory accounts may have been exposed and should be changed.

If you share these concerns, it is imperative that you patch your server first, then replace the SSL key and certificate, and only then change the passwords. Doing it in any other order means the new key or the new passwords can be read straight back out of the still-vulnerable server.
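The re-key step is where people most often go wrong, by asking the CA to re-issue the certificate on the existing key. The following POSIX shell functions, added here as an example and not part of CollabNet's tooling, generate a fresh key pair and CSR and then verify that whatever certificate comes back really carries a different public key than the old one. They assume the openssl command-line tool is installed; `svn.example.com` and all file paths are placeholders, and the self-signing helper stands in for the CA only in dry runs.

```shell
#!/bin/sh
# Added example, not CollabNet's tooling.  After the patched OpenSSL is
# installed, generate a NEW key pair and CSR for the replacement certificate,
# and check that a certificate really carries a new key: a cert re-issued on
# the old key changes nothing for Heartbleed.  Assumes the openssl CLI is on
# PATH; the CN and file paths used by callers are placeholders.
set -eu

# SHA-256 over the DER SubjectPublicKeyInfo of private key file $1.  Two files
# with the same digest are the same key pair, whatever their PEM looks like.
# Exit 1 (and print nothing) if $1 is not a readable private key.
pubkey_digest_of_key() {
    openssl pkey -in "$1" -noout 2>/dev/null || return 1
    openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | openssl dgst -sha256 | awk '{print $NF}'
}

# The same digest taken from certificate $1, so the cert you are about to
# deploy can be compared with the key that sat in the possibly-compromised server.
pubkey_digest_of_cert() {
    openssl x509 -in "$1" -noout 2>/dev/null || return 1
    openssl x509 -in "$1" -noout -pubkey 2>/dev/null | openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256 | awk '{print $NF}'
}

# $1 = server name for the CN, $2 = path for the new private key (created
# with mode 0600 via umask), $3 = path for the CSR to send to your CA.
make_new_key_and_csr() {
    ( umask 077 && openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$2" 2>/dev/null )
    openssl req -new -key "$2" -subj "/CN=$1" -out "$3" 2>/dev/null
}

# Stand-in for the CA in a dry run: self-sign a cert on key $1 for CN $2 into $3.
mint_self_signed() {
    openssl req -new -x509 -key "$1" -subj "/CN=$2" -days 1 -out "$3" 2>/dev/null
}

# Exit 0 only when certificate $2 was NOT issued on old key $1.
# Exit 1 if it was (the re-key did not happen), 2 if either file is unreadable.
cert_uses_new_key() {
    old=$(pubkey_digest_of_key "$1") || return 2
    new=$(pubkey_digest_of_cert "$2") || return 2
    [ "$old" != "$new" ]
}
```

Run `cert_uses_new_key old.key new.crt` before you install the new certificate; a non-zero exit means the CA signed the same key and the rotation has to be redone. Keep the old key only long enough to revoke the old certificate, and remember that revocation protects only clients that actually check CRLs or OCSP, which is one more reason to complete the re-key promptly.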
