Not Just Apple: GnuTLS Bug Means Security Flaw For Major Linux Distros

According to an article at Ars Technica, a major security bug faces Linux users, akin to the one recently found in Apple's iOS (and which Apple has since fixed). Says the article:"The bug is the result of commands in a section of the GnuTLS code that verify the authenticity of TLS certificates, which are often known simply as X509 certificates. The coding error, which may have been present in the code since 2005, causes critical verification checks to be terminated, drawing ironic parallels to the extremely critical 'goto fail' flaw that for months put users of Apple's iOS and OS X operating systems at risk of surreptitious eavesdropping attacks. Apple developers have since patched the bug." And while Apple can readily fix a bug in its own software, at least for users who keep up on patches, "Linux" refers to a broad range of systems and vendors, rather than a single company, and the affected systems include some of the biggest names in the Linux world, like Red Hat, Debian, and Ubuntu.

There are rumours...

[gnasher719]

that Apple took notice of some accusations that the NSA managed to modiy some open source codebases, reviewed all code that was checked in at about the suspicious time frame, and found the "goto fail" bug that way. No idea whether this is true, but I'd be curious who checked in this bug.

Re:Old news

[postbigbang]

It indeed is the same level as the bug Apple fixed. Plentiful access methods are hinged on this lib and code.

It's non-trivial, and affects clients and servers in a wide breadth. Yes, were you watching, you'd have upgraded to fixed versions. Too many, however, don't know the difference between a CVE and a live hand grenade. Or they weren't watching. Same vulnerability result.

Re:Trust No One

[mark-t]

The difference is that with closed source, the only exploits that are discovered by third parties and get fixed are those that have already been exploited, and already resulted in vulnerable systems.

With open source, exploits can potentially be discovered and reported by other parties *before* the exploit has actually ever been used, meaning that a fix is available at the same time that the exploit becomes public knowledge, and anyone who updates as soon as such an exploit becomes known has a higher level of confidence that their system will have not yet been compromised. The very fact that open source may also make it easier for a third party to find a way to exploit a previously unknown vulnerability also makes it easier for a third party to take action that will lead to the issue being corrected.

With open source, such critical bugs can and actually *will* be fixed, a sufficiently technically competent individual could even do so themselves, where with closed source, absolutely everyone is at the whim of the development team's schedule.

Re:And yet...

[houstonbofh]

Forget openwrt... How about all the ISP provided "Firewalls" that are total garbage, have one password, and can not be updated?

Microsoft PR Fail

[darkonc]

I don't mind the heads-up about a little-used piece of Gnu software (as pointed out, most distros push OpenSSL), but I do mind astro-turfing the Microsoft PR line of "Nobody's responsible if Linux fails!"

The irony, of course, is that most people haven't read Microsoft's EULA which effectively says 'Not only are we not responsible if Windows fails, but we'll sue you if you try to fix it yourself.'

This is really gonna bite the hundreds of millions running XP who will be orphaned this year when Microsoft stops supporting it. Not only do they face the prospect, in a matter of weeks, of never again seeing security updates from Microsoft, but it will be illegal to even try to fix future bugs themselves (or hire a third party to do it).

This last bit is something that Linux users have as a right