
Linux, Unix, and *nix like Operating Systems Forum

Critical Crypto GnuTLS Bug Leaves Linux, Many Apps Open to Eavesdropping

WebmasterWorld Administrator bill (WebmasterWorld Top Contributor of All Time, 10+ Year Member, Best Post Of The Month)

Msg#: 4651233 posted 4:57 am on Mar 5, 2014 (gmt 0)

http://arstechnica.com/security/2014/03/critical-crypto-bug-leaves-linux-hundreds-of-apps-open-to-eavesdropping/ [arstechnica.com]

Critical crypto bug leaves Linux, hundreds of apps open to eavesdropping

Hundreds of open source packages, including the Red Hat, Ubuntu, and Debian distributions of Linux, are susceptible to attacks that circumvent the most widely used technology to prevent eavesdropping on the Internet, thanks to an extremely critical vulnerability in a widely used cryptographic code library.

The bug in the GnuTLS library makes it trivial for attackers to bypass secure sockets layer (SSL) and Transport Layer Security (TLS) protections available on websites that depend on the open source package.



WebmasterWorld Senior Member 5+ Year Member

Msg#: 4651233 posted 2:13 pm on Mar 5, 2014 (gmt 0)

To be clear to Windows users who will misunderstand all of that: 1) it's a bug in GNU's library and not Linux itself; 2) it's a bug that affects some applications which MIGHT be installed but might not; 3) the fix is already out.


5+ Year Member

Msg#: 4651233 posted 12:38 am on Mar 6, 2014 (gmt 0)

What percentage of home users would be affected?


WebmasterWorld Senior Member 5+ Year Member

Msg#: 4651233 posted 8:14 am on Mar 6, 2014 (gmt 0)

It looks to be that fixes have been rolled out - Ubuntu updated this library the day this was announced, I think. The other good news is that it was found by the good guys - Red Hat found it by auditing the code, so there is a very good chance it's never been exploited. [bugzilla.redhat.com].

It may affect software on other platforms such as Windows or MacOS as well. Its license is LGPL not GPL so it may be used in some proprietary software.

It is not used by Firefox or Thunderbird. It may be used with Apache if Apache is configured to use it. Apache defaults to OpenSSL while Mozilla have their own library.

It does seem to be used by quite a lot of email, chat and download and multimedia software and a few other things - empathy, aria2, Wireshark, Mutt, Claws Mail, Lynx, CUPS, Exim and some gstreamer plugins.

It also seems to be used by Chrome/Chromium which may be the most widespread problem.

There are lots of lists of packages dependent on it, but depends does not mean uses or that it matters. Abiword uses gnutls, but I have never done anything with Abiword that requires accessing a network... The same applies to indirect dependencies - an app may depend on a library that depends on GNUTLS but not actually use GNUTLS itself.

As far as I can see it does not break encryption, but does allow the use of a fake certificate, leading to a possible MITM attack. There is no indication that this has happened.
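The post above makes the point that a package depending on GnuTLS is not the same as a process actually using it. The script below is an added example, not code from the thread or from the GnuTLS project, for checking that distinction on a live host: it reads `/proc/<pid>/maps` to find processes with `libgnutls` mapped right now, and lists installed `libgnutls*` package versions via `dpkg-query` (the package helper assumes a Debian/Ubuntu host; the maps parser is plain POSIX sh and awk and runs anywhere). The sample maps text at the bottom is constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): tell "installed/depended on" apart
# from "actually loaded" for GnuTLS after a library-level vulnerability.

# Print the distinct shared-object basenames whose path contains
# "libgnutls" in a /proc/<pid>/maps-style text read from stdin.
# Maps columns: address perms offset dev inode pathname ($6).
gnutls_libs_in_maps() {
    awk '$6 ~ /libgnutls/ { n = split($6, p, "/"); seen[p[n]] = 1 }
         END { for (k in seen) print k }' | sort
}

# Report every running process that currently has libgnutls mapped,
# one "<pid> <comm> <library>" line each. Needs read access to /proc;
# unreadable processes (other users' when not root) are skipped.
gnutls_loaded_processes() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}; pid=${pid%/maps}
        libs=$(gnutls_libs_in_maps < "$maps" 2>/dev/null) || continue
        [ -n "$libs" ] || continue
        comm=$(cat "/proc/$pid/comm" 2>/dev/null)
        for lib in $libs; do
            printf '%s %s %s\n' "$pid" "$comm" "$lib"
        done
    done
}

# Installed GnuTLS library packages and versions (Debian/Ubuntu dpkg).
# Compare the version against your distribution's advisory to confirm
# the fixed build is installed; a loaded old build still needs a restart.
gnutls_installed_versions() {
    dpkg-query -W -f '${Package} ${Version}\n' 'libgnutls*' 2>/dev/null
}

# Constructed sample of three maps lines: two mappings of one GnuTLS
# library (should collapse to a single name) and one unrelated library.
SAMPLE_MAPS='7f1a2b400000-7f1a2b5a0000 r-xp 00000000 08:01 131094 /usr/lib/x86_64-linux-gnu/libgnutls.so.26.22.6
7f1a2b5a0000-7f1a2b7a0000 ---p 001a0000 08:01 131094 /usr/lib/x86_64-linux-gnu/libgnutls.so.26.22.6
7f1a2b7a0000-7f1a2b7b0000 r-xp 00000000 08:01 131000 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0'

# Run with --live on a real host to list installed versions and the
# processes that have the library mapped; without arguments only the
# functions are defined (so the file can be sourced).
case "${1:-}" in
    --live)
        gnutls_installed_versions
        gnutls_loaded_processes
        ;;
esac
```

A process that shows up in `gnutls_loaded_processes` after the package update has the old copy of the library mapped until it is restarted, which is the case the "fix is already out" reassurance above quietly depends on.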
