
Not Just Apple: GnuTLS Bug Means Security Flaw For Major Linux Distros

Posted by timothy
from the holes-to-plug dept.
According to an article at Ars Technica, a major security bug faces Linux users, akin to the one recently found in Apple's iOS (and which Apple has since fixed). Says the article: "The bug is the result of commands in a section of the GnuTLS code that verify the authenticity of TLS certificates, which are often known simply as X509 certificates. The coding error, which may have been present in the code since 2005, causes critical verification checks to be terminated, drawing ironic parallels to the extremely critical 'goto fail' flaw that for months put users of Apple's iOS and OS X operating systems at risk of surreptitious eavesdropping attacks. Apple developers have since patched the bug." And while Apple can readily fix a bug in its own software, at least for users who keep up on patches, "Linux" refers to a broad range of systems and vendors, rather than a single company, and the affected systems include some of the biggest names in the Linux world, like Red Hat, Debian, and Ubuntu.

  • Old news (Score:5, Insightful)

    by David Jao (2759) <djao@dominia.org> on Sunday April 06, 2014 @09:30AM (#46675789) Homepage
    This is quite old news, why is slashdot only picking up on it now?

    The impact of this bug does not compare to the goto fail bug. Most Linux distributions use OpenSSL for TLS. Even if a program links to GnuTLS, it may not use GnuTLS for certificate validation, and if it doesn't, then it's not affected by this bug (one example is Google Chrome). It's not like iOS where everything is required (by App Store rules) to use SecureTransport.

  • People use GnuTLS? (Score:4, Insightful)

    by aleph (14733) on Sunday April 06, 2014 @09:39AM (#46675845)

    Is anyone other than Debian zealous enough to use GnuTLS?

    I rarely agree with Howard Chu of OpenLDAP fame, but... http://www.openldap.org/lists/... [openldap.org]

  • by Anonymous Coward on Sunday April 06, 2014 @09:49AM (#46675935)

    Are you trolling for an Apple-vs-Linux flame war? Do you have a zealous attachment to Apple? Or are you just dull?

    1) This is old news, and the /. has already reported on it;

    2) Hardly anything uses the GNU TLS library, and for the same reason people have been advising against Apple's rewrite of security libraries: because it's better to use something that's had over a decade of development and review and is widely deployed across a series of platforms;

    3) You're arguing about the heterogeneity of the Linux platform as if it's a bad thing, while in fact this acts in Linux's favour. Even though the GNU project might like people to use gnutls, distros have chosen not to. Apple either discourages choice or makes it impossible, depending on what exactly you're targeting, which is why everything was affected.

  • Re:Trust No One (Score:4, Insightful)

    by Arker (91948) on Sunday April 06, 2014 @10:48AM (#46676363) Homepage
    Free/Open code is a necessary but not sufficient condition for security.
  • Re:And yet... (Score:5, Insightful)

    by houstonbofh (602064) on Sunday April 06, 2014 @03:04PM (#46678021)

    For all the speed with which Debian rolled out a patch, it'll still be months or years before this patch makes it into the wild on all the systems it's being used on.

    When you show me the OS that has a patch for idiot, lazy or incompetent operators, I will buy you a beer.
