> after updating openssl and renewing all certificates one question
> remains: in case of httpd-prefork would an attacker only have
> been able to compromise the private key and data of his
> worker-process or as well access the memory of other workers?
> 

The address space boundary of the process is the limit, so no access to 
other processes' memory.
Multi-threaded workers are in a pretty bad shape with this assertion, 
unfortunately: credentials, cookies, symmetric keys.

> in that case also all passwords of any website should be
> treated as compromised which is the big question now

It is answered by the idea that an attacker can choose _when_ to execute 
the exploit. Meaning this can happen after some creds have been dealt 
with.

> the dovecot-developer says if dovecot is running in high-security
> mode with single processes the setup has been safe except the
> private key, but in case of dovecot there is also a chroot
> involved for the login-workers

It depends on the authentication scheme. Depending on the auth driver 
(driver=passwd-file...), dovecot reads file chunks onto the heap, adds 
entries to a hash table and closes the file again. Crumbs may be left 
there.

There have been some zero-before-free changes in mozilla-nss recently.
It may be time to have object reuse issues in mind for both core and at 
least the auth* modules.

Roman.
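
The zero-before-free idea mentioned in the message above, as an added example that is not part of the original message and is not dovecot or NSS code. The loader `load_entries`, the `wipe_fn` pointer and the sample passwd-file lines are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Calling memset through a volatile pointer keeps the compiler from
 * discarding the wipe as a dead store just before free(). */
static void *(*const volatile wipe_fn)(void *, int, size_t) = memset;

/* Constructed passwd-file style sample (user:{SCHEME}secret), not real data. */
static const char SAMPLE[] = "alice:{PLAIN}s3cret-a\nbob:{PLAIN}s3cret-b\n";

/* Hypothetical loader: copy a file chunk to the heap, count the entries,
 * optionally zero the chunk, then free it. *residue receives the number of
 * non-zero bytes still in the chunk when it goes back to the allocator,
 * i.e. what a later allocation in the same process may see.
 * Returns the entry count, or -1 if allocation fails. */
static int load_entries(const char *data, size_t len, int wipe, size_t *residue) {
    char *chunk = malloc(len + 1);
    if (chunk == NULL)
        return -1;
    memcpy(chunk, data, len);
    chunk[len] = '\0';
    int entries = 0;
    for (char *line = chunk; *line != '\0'; ) {
        char *nl = strchr(line, '\n');
        char *colon = strchr(line, ':');
        if (colon != NULL && (nl == NULL || colon < nl))
            entries++;              /* line has a user:secret separator */
        if (nl == NULL)
            break;
        line = nl + 1;
    }
    if (wipe)
        wipe_fn(chunk, 0, len + 1); /* zero-before-free */
    *residue = 0;
    for (size_t i = 0; i < len; i++)
        *residue += (chunk[i] != '\0');
    free(chunk);
    return entries;
}

int main(void) {
    size_t left;
    int n = load_entries(SAMPLE, sizeof SAMPLE - 1, 0, &left);
    printf("no wipe: %d entries, %zu bytes left\n", n, left);
    n = load_entries(SAMPLE, sizeof SAMPLE - 1, 1, &left);
    printf("wipe:    %d entries, %zu bytes left\n", n, left);
    return 0;
}
```

Where the platform provides it, `explicit_bzero` serves the same purpose as the volatile function pointer.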
