VSoft Technologies Blogs


By now you have probably heard or read about the OpenSSL Heartbleed vulnerability (unless you have been living under a rock for the last week)! We have had a few customers ask us whether Continua CI is vulnerable to this exploit.

The short answer is no.

Continua CI itself does not use OpenSSL directly, but the default database engine, PostgreSQL, does. The version of PostgreSQL we ship with Continua CI is 9.1.3.1254 and it does include a version of OpenSSL with the vulnerability; however, SSL support is turned off by default and is not used by Continua CI.

We also update pg_hba.conf during install to only allow connections from localhost. However, it turns out that if SSL is enabled, the SSL negotiation happens before the rules in pg_hba.conf are matched, so the localhost-only rules alone do not protect the server.

If you are using your own install of PostgreSQL (or you want to be sure that what I say is correct) then I suggest you check your PostgreSQL server. You can easily check whether SSL is enabled by running the following query in pgAdmin:

show ssl
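The point about pg_hba.conf can be checked from outside the database as well. In the PostgreSQL wire protocol the client's very first message may be an SSLRequest, and the server answers with a single byte, 'S' (it will negotiate SSL, so the bundled OpenSSL code is reachable) or 'N' (SSL is off), before it has looked at pg_hba.conf or asked for credentials. The following Python script is an added example written for this post, not code from the post or from Continua CI; the host name and the port 9001 used on this page are assumptions you replace with your own server's values, and it only reports whether SSL is enabled, not whether the OpenSSL build behind it is patched.

```python
import socket
import struct
import sys

# SSLRequest message from the PostgreSQL frontend/backend protocol:
# Int32 length (always 8) followed by the SSLRequest code 80877103,
# which is (1234 << 16) | 5679.
SSL_REQUEST_CODE = 80877103

# Assumed defaults for this example; the port is the one used in the post.
DEFAULT_HOST = "yourciserver"   # placeholder, not a real host
DEFAULT_PORT = 9001


def build_ssl_request() -> bytes:
    """Encode the 8-byte SSLRequest packet (big-endian, as the protocol requires)."""
    return struct.pack("!II", 8, SSL_REQUEST_CODE)


def parse_ssl_response(first_byte: bytes) -> str:
    """Map the server's one-byte reply to a verdict.

    'S' means the server is willing to negotiate SSL, i.e. its OpenSSL code path
    is reachable before any pg_hba.conf rule or password check.
    'N' means SSL is disabled (the 'ssl = off' case the post describes).
    Anything else (for example an 'E' ErrorResponse) is reported as unexpected.
    """
    if first_byte == b"S":
        return "ssl-enabled"
    if first_byte == b"N":
        return "ssl-disabled"
    return "unexpected"


def probe_ssl(host: str = DEFAULT_HOST, port: int = DEFAULT_PORT, timeout: float = 5.0) -> str:
    """Connect, send SSLRequest, and classify the first reply byte.

    A refused connection (like the 'actively refused' output in the post) is
    reported as unreachable rather than raised, so the script can be run over
    a list of servers.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_ssl_request())
            reply = sock.recv(1)
    except OSError as exc:
        return f"unreachable: {exc}"
    return parse_ssl_response(reply)


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_HOST
    port = int(sys.argv[2]) if len(sys.argv) > 2 else DEFAULT_PORT
    print(f"{host}:{port} -> {probe_ssl(host, port)}")
```

Run it as `python pg_ssl_probe.py yourciserver 9001`. A result of `ssl-disabled` matches what `show ssl` returns for the default Continua CI install; `ssl-enabled` means the localhost-only pg_hba.conf rules are not shielding the OpenSSL handshake and the PostgreSQL build's OpenSSL version needs checking.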

Another option is to try the testing tool here:

https://github.com/titanous/heartbleeder

heartbleeder -pg yourciserver:9001

Here's the output from testing one of our CI servers:

heartbleeder.exe -pg pilatus:9001
Error connecting to pilatus:9001: dial tcp 10.0.0.80:9001: ConnectEx tcp: No connection could be made because the target machine actively refused it.


If you are using SQL Server, then you (for once) are OK; SQL Server doesn't use OpenSSL.
