|Critical Crypto GnuTLS Bug Leaves Linux, Many Apps Open to Eavesdropping|
|Critical crypto bug leaves Linux, hundreds of apps open to eavesdropping |
Hundreds of open source packages, including the Red Hat, Ubuntu, and Debian distributions of Linux, are susceptible to attacks that circumvent the most widely used technology to prevent eavesdropping on the Internet, thanks to an extremely critical vulnerability in a widely used cryptographic code library.
The bug in the GnuTLS library makes it trivial for attackers to bypass secure sockets layer (SSL) and Transport Layer Security (TLS) protections available on websites that depend on the open source package.
To be clear to Windows users who will misunderstand all of that, 1) it's a bug in GNU's library and not Linux itself 2) it's a bug that affects some applications which MIGHT be installed but might not 3) the fix is already out.
what percentage of home users would be affected?
It looks to be that fixes have been rolled out - Ubuntu updated this library the day this was announced, I think. The other good news that it was found by the good guys - Red Hat found it by auditing the code so there is a very good chance its never been exploited. [bugzilla.redhat.com ].
It may affect software on other platforms such as Windows or MacOS as well. Its license is LGPL not GPL so it may be used in some proprietary software.
It is not used by Firefox, Thunderbird. It may be used with Apache if Apache is configured to use it. Apache defaults to Open SSL while Mozilla have their own library.
It does seem to be used by quite a lot of email, chat and download and multimedia software and a few other things - empathy, aria2, Wireshark, Mutt, Claws Mail, Lynx, CUPS, Exim and some gstreamer plugins.
It also seems to be used by Chrome/Chromium which may be the most widespread problem.
There are lots of lists of packages dependent on it, but depends does not mean uses or that it matters. Abiword uses gnutls, but I have never done anything with Abiword that requires accessing a network...The same applies to indirect dependencies - an app may depend on library that depends on GNUTLS but not actually use GNUTLS itself.
As far as I can see it does not break encryption, but does allow a the use of a fake certificate, leading to a possible MITM attack. There is no indication that this has happened.