Slashdot Mirror

← Back to Stories (view on slashdot.org)

Not Just Apple: GnuTLS Bug Means Security Flaw For Major Linux Distros

Posted by timothy on from the holes-to-plug dept.

According to an article at Ars Technica, a major security bug faces Linux users, akin to the one recently found in Apple's iOS (and which Apple has since fixed). Says the article:"The bug is the result of commands in a section of the GnuTLS code that verify the authenticity of TLS certificates, which are often known simply as X509 certificates. The coding error, which may have been present in the code since 2005, causes critical verification checks to be terminated, drawing ironic parallels to the extremely critical 'goto fail' flaw that for months put users of Apple's iOS and OS X operating systems at risk of surreptitious eavesdropping attacks. Apple developers have since patched the bug." And while Apple can readily fix a bug in its own software, at least for users who keep up on patches, "Linux" refers to a broad range of systems and vendors, rather than a single company, and the affected systems include some of the biggest names in the Linux world, like Red Hat, Debian, and Ubuntu.

3 of 144 comments (clear)

  1. Re:Old news by swillden · · Score: 5, Informative

    This is quite old news, why is slashdot only picking up on it now?

    Slashdot picked it up on March 4th, actually. This is a dupe.

    The impact of this bug does not compare to the goto fail bug.

    Agreed.

    --
    Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  2. Re:If GNUTls is unneeded, then create a NO-OP libr by Sipper · · Score: 5, Informative

    Create a library with that name that does nothing, or logs errors for any entry points. Why is something being shipped that is insecure. I understand that the builds have to be changed. But the library could be replaced with a skeleton right now, can't it?
    And maybe we would see that its not quite as in-active as people think.

    There are two distinct part of SSL/TLS; encryption and authentication. In this case it's only the authentication portion that has an issue, not the encryption portion. There are several places in which GnuTLS is used for encryption but not authentication such as MTA (email) transfers over TLS (at least most of the time).

    As for why GnuTLS exists, AFAIK it's mainly because of licensing issues -- compiling a GPLv2+ program against OpenSSL gets into licensing troubles, so there needed to be a GPL compatible alternative.

  3. Re:And yet... by GPLHost-Thomas · · Score: 5, Informative

    Please define "as quickly as desired". Debian was fixed on the 3rd of March which is the date of the Debian Security Advisory, that's pretty quick to me. I wonder exactly why this article pops up now, when it's been a long time we've been all patched.