Critical Crypto GnuTLS Bug Leaves Linux, Many Apps Open to Eavesdropping
bill
msg:4651235, 4:57 am on Mar 5, 2014 (gmt 0)

http://arstechnica.com/security/2014/03/critical-crypto-bug-leaves-linux-hundreds-of-apps-open-to-eavesdropping/ [arstechnica.com]

Critical crypto bug leaves Linux, hundreds of apps open to eavesdropping

Hundreds of open source packages, including the Red Hat, Ubuntu, and Debian distributions of Linux, are susceptible to attacks that circumvent the most widely used technology to prevent eavesdropping on the Internet, thanks to an extremely critical vulnerability in a widely used cryptographic code library.

The bug in the GnuTLS library makes it trivial for attackers to bypass secure sockets layer (SSL) and Transport Layer Security (TLS) protections available on websites that depend on the open source package.

drhowarddrfine
msg:4651356, 2:13 pm on Mar 5, 2014 (gmt 0)

To be clear to Windows users who will misunderstand all of that, 1) it's a bug in GNU's library and not Linux itself 2) it's a bug that affects some applications which MIGHT be installed but might not 3) the fix is already out.

creeking
msg:4651647, 12:38 am on Mar 6, 2014 (gmt 0)

what percentage of home users would be affected?

graeme_p
msg:4651688, 8:14 am on Mar 6, 2014 (gmt 0)

It looks to be that fixes have been rolled out - Ubuntu updated this library the day this was announced, I think. The other good news is that it was found by the good guys - Red Hat found it by auditing the code, so there is a very good chance it's never been exploited. [bugzilla.redhat.com]

It may affect software on other platforms such as Windows or MacOS as well. Its license is LGPL, not GPL, so it may be used in some proprietary software.

It is not used by Firefox or Thunderbird. It may be used with Apache if Apache is configured to use it. Apache defaults to OpenSSL, while Mozilla have their own library.

It does seem to be used by quite a lot of email, chat, download and multimedia software and a few other things - empathy, aria2, Wireshark, Mutt, Claws Mail, Lynx, CUPS, Exim and some gstreamer plugins.

It also seems to be used by Chrome/Chromium which may be the most widespread problem.

There are lots of lists of packages dependent on it, but depends does not mean uses or that it matters. Abiword uses gnutls, but I have never done anything with Abiword that requires accessing a network...The same applies to indirect dependencies - an app may depend on library that depends on GNUTLS but not actually use GNUTLS itself.

As far as I can see it does not break encryption, but does allow the use of a fake certificate, leading to a possible MITM attack. There is no indication that this has happened.
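
The post above is right that the flaw is about accepting a fake certificate rather than weakening the cipher. The added example below (written for this page, not GnuTLS code, and with made-up names, error codes and a toy certificate structure) illustrates the bug class Red Hat's audit turned up in the certificate-verification path: a function whose contract is "return 1 if verified, 0 if not" reaches its cleanup label with a negative error code still in `result`, and a caller that tests for non-zero treats that negative value as "verified". The fixed variant normalises every error path to 0 before jumping to cleanup.

```c
/*
 * Added illustration (not GnuTLS code) of the verification flaw class
 * behind the March 2014 GnuTLS advisory: a 1/0 "is this certificate
 * trusted?" function leaks a negative error code through a goto cleanup,
 * and a caller that tests for non-zero accepts the certificate.
 * All names, error codes and the toy certificate are hypothetical.
 */
#include <stdio.h>

#define ERR_MALFORMED (-21)   /* hypothetical negative error code */

/* Toy certificate: flags stand in for parsing and signature checking, which
 * is enough to show the control-flow bug without real X.509 handling. */
struct toy_cert {
    const char *subject;
    int well_formed;    /* 0 => signed data cannot be extracted */
    int signature_ok;   /* 0 => signature does not verify against issuer */
};

/* Hypothetical helper: 0 on success, negative error code on failure. */
static int get_signed_data(const struct toy_cert *c)
{
    return c->well_formed ? 0 : ERR_MALFORMED;
}

/*
 * Vulnerable version. Documented contract: 1 = verified, 0 = not verified.
 * On a parse error, "result" still holds the negative code when control
 * jumps to cleanup, so a non-zero value reaches the caller.
 */
int verify_cert_vulnerable(const struct toy_cert *c)
{
    int result;

    result = get_signed_data(c);
    if (result < 0)
        goto cleanup;          /* BUG: returns ERR_MALFORMED, which is non-zero */

    result = c->signature_ok ? 1 : 0;

cleanup:
    return result;
}

/* Fixed version: every failure path sets result to 0 ("not verified")
 * before reaching cleanup, so the 1/0 contract holds on all paths. */
int verify_cert_fixed(const struct toy_cert *c)
{
    int result;

    result = get_signed_data(c);
    if (result < 0) {
        result = 0;            /* any error means "not verified" */
        goto cleanup;
    }

    result = c->signature_ok ? 1 : 0;

cleanup:
    return result;
}

/* Caller written the way a truth-valued API invites: non-zero == trusted.
 * With the vulnerable verifier, a malformed certificate slips through. */
int connection_accepts(const struct toy_cert *c,
                       int (*verify)(const struct toy_cert *))
{
    return verify(c) != 0;
}

/* Constructed inputs for the demonstration. */
const struct toy_cert FAKE_CERT    = { "CN=www.example.invalid", 0, 0 }; /* malformed, unsigned */
const struct toy_cert BAD_SIG_CERT = { "CN=www.example.invalid", 1, 0 }; /* parses, bad signature */
const struct toy_cert GOOD_CERT    = { "CN=www.example.invalid", 1, 1 }; /* parses, good signature */

int main(void)
{
    printf("vulnerable accepts malformed cert: %d\n",
           connection_accepts(&FAKE_CERT, verify_cert_vulnerable));
    printf("fixed accepts malformed cert:      %d\n",
           connection_accepts(&FAKE_CERT, verify_cert_fixed));
    printf("fixed accepts good cert:           %d\n",
           connection_accepts(&GOOD_CERT, verify_cert_fixed));
    return 0;
}
```

The point to take from the example is that a certificate with a bad signature is still rejected by the vulnerable verifier; it is the malformed certificate, the one that trips an error before the signature is ever checked, that gets accepted. That matches the post's description: encryption still happens, but with a peer whose certificate was never actually validated.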
