
Continua CI and the OpenSSL Heartbleed Vulnerability

From: https://www.finalbuilder.com/resources/blogs/postid/706/continua-ci-and-the-openssl-heartbleed-vulnerability



By now you have probably heard or read about the OpenSSL Heartbleed Vulnerability (unless you have been living under a rock for the last week)! We have had a few customers ask us whether Continua CI is vulnerable to this exploit.

The short answer is No.

Continua CI itself does not use OpenSSL directly, but the default database engine, PostgreSQL, does. The version of PostgreSQL we ship with Continua CI is 9.1.3 .1254 and it does include a version of OpenSSL with the vulnerability; however, SSL support is turned off by default and is not used by Continua CI.

We also update the pg_hba.conf during install to only allow connections from localhost; however, it turns out that if SSL is enabled, the SSL negotiation happens before the rules in pg_hba.conf are matched, so this alone does not protect the server.

If you are using your own install of PostgreSQL (or you want to be sure that what I say is correct) then I suggest you check your PostgreSQL server. You can easily check if SSL is enabled by running the following query in PGAdmin:

show ssl



Another option is to try the testing tool here:

https://github.com/titanous/heartbleeder

heartbleeder -pg yourciserver:9001



Here's the output from testing one of our CI servers:

heartbleeder.exe -pg pilatus:9001
Error connecting to pilatus:9001: dial tcp 10.0.0.80:9001: ConnectEx tcp: No connection could be made because the target machine actively refused it.
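As an added example (not from the original post, and not part of Continua CI or heartbleeder), the following Python script performs the same reachability check the post describes: it sends PostgreSQL's SSLRequest packet and reads the one-byte 'S'/'N' reply, which the server returns before pg_hba.conf is consulted, so an 'S' means the OpenSSL handshake is reachable from any host that can open the port. The function names are my own, and fake_pg_listener is a constructed stand-in used only for offline testing.

```python
import socket
import struct
import threading

# PostgreSQL wire protocol: before any authentication, and before pg_hba.conf is
# consulted, a client may send an SSLRequest packet; the server answers with one
# byte, 'S' (willing to negotiate SSL/TLS) or 'N' (ssl = off).
SSL_REQUEST_CODE = 80877103  # (1234 << 16) | 5679, fixed by the protocol

def build_ssl_request() -> bytes:
    """8-byte SSLRequest: int32 length (8) followed by the int32 request code."""
    return struct.pack("!ii", 8, SSL_REQUEST_CODE)

def interpret_ssl_response(first_byte: bytes) -> bool:
    """True when the server offers SSL; 'E' or an empty reply means it balked."""
    if first_byte == b"S":
        return True
    if first_byte == b"N":
        return False
    raise ValueError(f"unexpected SSLRequest reply: {first_byte!r}")

def check_pg_ssl(host: str, port: int = 5432, timeout: float = 5.0) -> bool:
    """Connect, send SSLRequest and report whether the listener offers SSL.
    True means the OpenSSL handshake is reachable by anyone who can open a TCP
    connection to the port, whatever pg_hba.conf says."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_ssl_request())
        reply = sock.recv(1)
    return interpret_ssl_response(reply)

def fake_pg_listener(reply: bytes) -> int:
    """Constructed stand-in for a PostgreSQL listener, for offline testing only:
    accepts one connection, reads the SSLRequest and answers with `reply`."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve() -> None:
        conn, _ = srv.accept()
        with srv, conn:
            if conn.recv(8) == build_ssl_request():
                conn.sendall(reply)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":
    import sys  # usage: python pg_ssl_check.py HOST PORT (the post tests port 9001)
    print("ssl enabled" if check_pg_ssl(sys.argv[1], int(sys.argv[2])) else "ssl disabled")
```

A server that refuses the TCP connection outright (as in the output above) raises a socket error before any SSLRequest is sent, which is the safest result of all.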



If you are using SQL Server, then you (for once) are OK; SQL Server doesn't use OpenSSL.

We will issue an update in the next few days with an updated PostgreSQL version once we have completed testing.




Posted Mon 08 May 2017 by itech001 in ciandcd
