Slashdot Mirror

← Back to Stories (view on slashdot.org)

Not Just Apple: GnuTLS Bug Means Security Flaw For Major Linux Distros

Posted by timothy on from the holes-to-plug dept.

According to an article at Ars Technica, a major security bug faces Linux users, akin to the one recently found in Apple's iOS (and which Apple has since fixed). Says the article:"The bug is the result of commands in a section of the GnuTLS code that verify the authenticity of TLS certificates, which are often known simply as X509 certificates. The coding error, which may have been present in the code since 2005, causes critical verification checks to be terminated, drawing ironic parallels to the extremely critical 'goto fail' flaw that for months put users of Apple's iOS and OS X operating systems at risk of surreptitious eavesdropping attacks. Apple developers have since patched the bug." And while Apple can readily fix a bug in its own software, at least for users who keep up on patches, "Linux" refers to a broad range of systems and vendors, rather than a single company, and the affected systems include some of the biggest names in the Linux world, like Red Hat, Debian, and Ubuntu.

7 of 144 comments (clear)

  1. Slow weekend over at Ars? by Zontar+The+Mindless · · Score: 4, Informative

    My distro patched this over a month ago.

    --
    Il n'y a pas de Planet B.
  2. Re:There are rumours... by Megol · · Score: 3, Informative

    There are also rumors that all the worlds leaders are reptilians.

  3. Near Zero Impact by marienf · · Score: 4, Informative

    > Most Linux distributions use OpenSSL for TLS.
    > Even if a program links to GnuTLS, it may not use GnuTLS for certificate validation,
    > and if it doesn't, then it's not affected by this bug (one example is Google Chrome)

    Agree. I've ran through everything that linked to gnutls on my distro (Arch) and although there's
    quite a lot of binaries that do, most of those do not offer TLS connections (or any network connectivity at all), so my
    guess (without knowing GNuTLS at all) is that they use some other feature offered by the library.

    Of those that I know actually capable of SSL/TLS connections, all (also) link to OpenSSL.

    So without making a definitive statement, AFAICT this should have near zero impact on GNU/Linux.

  4. Re:Old news by swillden · · Score: 5, Informative

    This is quite old news, why is slashdot only picking up on it now?

    Slashdot picked it up on March 4th, actually. This is a dupe.

    The impact of this bug does not compare to the goto fail bug.

    Agreed.

    --
    Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  5. Re:If GNUTls is unneeded, then create a NO-OP libr by Sipper · · Score: 5, Informative

    Create a library with that name that does nothing, or logs errors for any entry points. Why is something being shipped that is insecure. I understand that the builds have to be changed. But the library could be replaced with a skeleton right now, can't it?
    And maybe we would see that its not quite as in-active as people think.

    There are two distinct part of SSL/TLS; encryption and authentication. In this case it's only the authentication portion that has an issue, not the encryption portion. There are several places in which GnuTLS is used for encryption but not authentication such as MTA (email) transfers over TLS (at least most of the time).

    As for why GnuTLS exists, AFAIK it's mainly because of licensing issues -- compiling a GPLv2+ program against OpenSSL gets into licensing troubles, so there needed to be a GPL compatible alternative.

  6. Re:And yet... by GPLHost-Thomas · · Score: 5, Informative

    Please define "as quickly as desired". Debian was fixed on the 3rd of March which is the date of the Debian Security Advisory, that's pretty quick to me. I wonder exactly why this article pops up now, when it's been a long time we've been all patched.

  7. Re:Real question by Wootery · · Score: 4, Informative

    Well, there is this one crazy project.