Heartbleed

I first posted this in general, but later I saw this forum, which might be more appropriate. Sorry for that.

According to http://filippo.io/Heartbleed/#forum.openstreetmap.org
the forum website is vulnerable to Heartbleed. Any plans on fixing this?

Since the forum isn’t working over TLS (see a few threads below) this isn’t relevant.

As rayquaza says: the forum itself is not vulnerable because it still uses only HTTP. I think the server has SSH access so that service might cause the positive detection.

However, we are in the process of moving the forum to another server managed by the OSM admins and switching to HTTPS. I guess that the OSM admins keep an eye on this issue.

I guess it’s because the server supports connections via HTTPS, though it only serves “Apache is functioning normally” there. That (using OpenSSL 1.0.0 through 1.0.0f with support for RFC6520 (Heartbeat-Extension for TLS) enabled) is enough to use Heartbleed. But if I understood it correctly that would only leak OpenSSL’s RAM, which is hopefully not useful, since it’s unused.

ok, thanks. I thought that at least the login page would be using https.

Ehm, unfortunately no :roll_eyes:

That’s enough. With a vulnerable server responding on the openstreetmap.org domain, an attacker could plausibly get the private key and use that to construct a fake site, which will serve something that looks a lot like the openstreetmap.org content, instead of the “It works!” page. Sure, you need to be able to MitM to pull this off.

Also, depending on whether Apache is set up to use threads or separate processes (mpm-worker vs. mpm-prefork), an attacker could use the vulnerability to grab secrets that another thread is using - threads share an address space and you’re not guaranteed that the 64KiB window won’t extend into another thread’s data.