
Not Just Apple: GnuTLS Bug Means Security Flaw For Major Linux Distros

Posted by timothy
from the holes-to-plug dept.
According to an article at Ars Technica, a major security bug faces Linux users, akin to the one recently found in Apple's iOS (and which Apple has since fixed). Says the article: "The bug is the result of commands in a section of the GnuTLS code that verify the authenticity of TLS certificates, which are often known simply as X509 certificates. The coding error, which may have been present in the code since 2005, causes critical verification checks to be terminated, drawing ironic parallels to the extremely critical 'goto fail' flaw that for months put users of Apple's iOS and OS X operating systems at risk of surreptitious eavesdropping attacks. Apple developers have since patched the bug." And while Apple can readily fix a bug in its own software, at least for users who keep up on patches, "Linux" refers to a broad range of systems and vendors rather than a single company, and the affected systems include some of the biggest names in the Linux world, such as Red Hat, Debian, and Ubuntu.
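To make the summary's point concrete, here is an added illustration of the bug class it describes: an early exit from a chain of certificate checks whose error value the caller reads as a pass, beside the fail-closed form. This is constructed model code written for this page, not GnuTLS source; the `cert_t` fields, the helper's return convention and the sample chains are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed model of an X.509 chain check (hypothetical, not GnuTLS code);
 * entries are listed leaf first. */
typedef struct {
    const char *subject;
    int signature_ok;   /* 1 = signature verifies against the issuer */
    int issuer_is_ca;   /* 1 = issuer carries CA:TRUE */
    int expired;        /* 1 = notAfter is in the past */
} cert_t;

enum { ERR_EXPIRED = -2, ERR_NOT_CA = -3 };
/* Helper in the style behind this bug class: 1 = passed, 0 = failed cleanly,
 * negative = an error was hit part-way through the check. */
static int check_link(const cert_t *c) {
    if (c->expired)       return ERR_EXPIRED;
    if (!c->issuer_is_ca) return ERR_NOT_CA;
    return c->signature_ok ? 1 : 0;
}

/* Vulnerable pattern: only an explicit 0 aborts the walk, and the final test
 * treats every nonzero value, error codes included, as "verified". */
int verify_chain_vulnerable(const cert_t *chain, size_t n) {
    int result = 0;
    for (size_t i = 0; i < n; i++) {
        result = check_link(&chain[i]);
        if (result == 0) goto cleanup;   /* a negative code does not stop the walk */
    }
cleanup:
    return result != 0;                  /* BUG: ERR_EXPIRED (-2) counts as success */
}

/* Hardened form: success is exactly one value; anything else fails closed. */
int verify_chain_fixed(const cert_t *chain, size_t n) {
    if (n == 0) return 0;
    for (size_t i = 0; i < n; i++)
        if (check_link(&chain[i]) != 1) return 0;
    return 1;
}

/* Constructed sample chains, leaf first. */
const cert_t GOOD_CHAIN[]    = {{"leaf", 1, 1, 0}, {"intermediate", 1, 1, 0}};
const cert_t EXPIRED_CHAIN[] = {{"leaf", 1, 1, 0}, {"intermediate", 1, 1, 1}};
const cert_t BAD_SIG_CHAIN[] = {{"leaf", 0, 1, 0}};

int main(void) {
    printf("expired intermediate: vulnerable=%d fixed=%d\n",
           verify_chain_vulnerable(EXPIRED_CHAIN, 2), verify_chain_fixed(EXPIRED_CHAIN, 2));
    return 0;
}
```

The expired intermediate is accepted by the vulnerable walk because its negative error code is neither the 0 that stops the loop nor distinguished from 1 at the end; the fixed version compares against the single success value.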
  • There are rumours... (Score:4, Interesting)

    by gnasher719 (869701) on Sunday April 06, 2014 @09:32AM (#46675809)
    that Apple took notice of some accusations that the NSA managed to modify some open source codebases, reviewed all code that was checked in at about the suspicious time frame, and found the "goto fail" bug that way. No idea whether this is true, but I'd be curious who checked in this bug.
  • Re:Old news (Score:2, Interesting)

    by postbigbang (761081) on Sunday April 06, 2014 @09:43AM (#46675897)

    It indeed is the same level as the bug Apple fixed. Plentiful access methods are hinged on this lib and code.

    It's non-trivial, and affects clients and servers in a wide breadth. Yes, were you watching, you'd have upgraded to fixed versions. Too many, however, don't know the difference between a CVE and a live hand grenade. Or they weren't watching. Same vulnerability result.

  • Re:Trust No One (Score:3, Interesting)

    by mark-t (151149) <markt@nOSPam.lynx.bc.ca> on Sunday April 06, 2014 @10:47AM (#46676357) Journal

    The difference is that with closed source, the only exploits that are discovered by third parties and get fixed are those that have already been exploited, and already resulted in vulnerable systems.

    With open source, exploits can potentially be discovered and reported by other parties *before* the exploit has actually ever been used, meaning that a fix is available at the same time that the exploit becomes public knowledge, and anyone who updates as soon as such an exploit becomes known has a higher level of confidence that their system will have not yet been compromised. The very fact that open source may also make it easier for a third party to find a way to exploit a previously unknown vulnerability also makes it easier for a third party to take action that will lead to the issue being corrected.

    With open source, such critical bugs can and actually *will* be fixed, a sufficiently technically competent individual could even do so themselves, where with closed source, absolutely everyone is at the whim of the development team's schedule.

  • Re:And yet... (Score:4, Interesting)

    by houstonbofh (602064) on Sunday April 06, 2014 @03:05PM (#46678029)
    Forget openwrt... How about all the ISP provided "Firewalls" that are total garbage, have one password, and can not be updated?
  • Microsoft PR Fail (Score:4, Interesting)

    by darkonc (47285) <(moc.neergcb) (ta) (leumas_nehpets)> on Sunday April 06, 2014 @04:10PM (#46678471) Homepage Journal
    I don't mind the heads-up about a little-used piece of Gnu software (as pointed out, most distros push OpenSSL), but I do mind astro-turfing the Microsoft PR line of "Nobody's responsible if Linux fails!"

    The irony, of course, is that most people haven't read Microsoft's EULA which effectively says 'Not only are we not responsible if Windows fails, but we'll sue you if you try to fix it yourself.'

    This is really gonna bite the hundreds of millions running XP who will be orphaned this year when Microsoft stops supporting it. Not only do they face the prospect, in a matter of weeks, of never again seeing security updates from Microsoft, but it will be illegal to even try to fix future bugs themselves (or hire a third party to do it).

    This last bit is something that Linux users have as a right
