01342: [[http://heartbleed.com/ | heartbleed]] bug

Summary: heartbleed bug
Created: 2014-04-09 08:49
Status: Closed, not a bug
Category: Bug
Assigned:
Priority: 5
Version: pmwiki website
OS:

Description: URL below shows pmwiki suffers from the heartbleed bug:

  http://filippo.io/Heartbleed/#www.pmwiki.org

See also https://www.ssllabs.com/ssltest/analyze.html?d=pmwiki.com

http://www.troyhunt.com/2014/04/everything-you-need-to-know-about.html

heartbleed? April 09, 2014, at 08:49 AM

Notified Pm the same day, he hasn't replied yet. --Petko April 12, 2014, at 01:06 AM


I've checked both of the test sites above, and neither of them shows that pmwiki.org is suffering from the heartbleed bug. The filippo.io site comes back with "tls: oversized record received with length 20291", which means it can't say anything about whether www.pmwiki.org is safe or not.

The Qualys/ssllabs.com site also doesn't show that pmwiki.org/pmwiki.com has the bug; in fact it gives me "Assessment failed: No secure protocols supported"... which is exactly correct.

So, at least by these two tools, it's inaccurate to say that pmwiki.org suffers from the heartbleed bug; it's more accurate to say "the tools can't decide either way yet". The pmwiki.org server automatically applies most security patches, however, and before I do anything manually I need to verify that all of my sites' backups are up-to-date.

Beyond that, I don't believe that pmwiki.org's server is storing or using any particularly sensitive or private user data that would hurt if it were compromised, so I'm having trouble seeing this as something that has to be urgently repaired here.

-- Pm April 13, 2014, at 04:37 PM
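
Added example, not part of the original thread or of either test tool: the length in the quoted "oversized record" error is the last two bytes of a five-byte TLS record header, so decoding it shows what kind of reply the scanner received. 20291 decodes to the ASCII bytes "OC", which is consistent with a plaintext reply (for instance one beginning "<!DOC") rather than a TLS record; the sample replies and function names below are constructed for illustration and were not captured from pmwiki.org.

```python
import struct

# TLS record header: content type (1 byte), version (2), length (2, big-endian).
MAX_CIPHERTEXT = 16384 + 2048          # largest record body TLS 1.0-1.2 allows
RECORD_TYPES = {20, 21, 22, 23}        # change_cipher_spec, alert, handshake, application_data


def parse_record_header(reply: bytes):
    """Read the first five bytes of a reply the way a TLS client does."""
    if len(reply) < 5:
        raise ValueError("need at least 5 bytes")
    return struct.unpack("!BHH", reply[:5])


def length_to_ascii(length: int) -> str:
    """Show the two bytes that a client reported as a record length."""
    return struct.pack("!H", length).decode("ascii", errors="replace")


def classify_reply(reply: bytes) -> str:
    """Return 'tls', 'plaintext' or 'unknown' for the start of a server reply."""
    ctype, version, length = parse_record_header(reply)
    if ctype in RECORD_TYPES and version >> 8 == 3 and length <= MAX_CIPHERTEXT:
        return "tls"
    if all(32 <= b < 127 for b in reply[:5]):
        return "plaintext"
    return "unknown"


# Constructed sample replies (assumptions, not captured traffic).
SAMPLES = {
    "html body": b"<!DOCTYPE html>",
    "http status line": b"HTTP/1.1 400 Bad Request",
    "tls handshake record": b"\x16\x03\x01\x00\x31\x02\x00\x00\x2d",
}

if __name__ == "__main__":
    print("20291 as bytes:", repr(length_to_ascii(20291)))
    for name, reply in SAMPLES.items():
        _, _, length = parse_record_header(reply)
        print(f"{name:22} length field={length:5} -> {classify_reply(reply)}")
```

A "plaintext" result means the scanner never completed a TLS handshake, so it has no basis for a Heartbleed verdict in either direction.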