
Critical Crypto GnuTLS Bug Leaves Linux, Many Apps Open to Eavesdropping

4:57 am on Mar 5, 2014 (gmt 0)

Administrator bill (from JP)

joined:Oct 12, 2000
votes: 170

http://arstechnica.com/security/2014/03/critical-crypto-bug-leaves-linux-hundreds-of-apps-open-to-eavesdropping/ [arstechnica.com]

Critical crypto bug leaves Linux, hundreds of apps open to eavesdropping

Hundreds of open source packages, including the Red Hat, Ubuntu, and Debian distributions of Linux, are susceptible to attacks that circumvent the most widely used technology to prevent eavesdropping on the Internet, thanks to an extremely critical vulnerability in a widely used cryptographic code library.

The bug in the GnuTLS library makes it trivial for attackers to bypass secure sockets layer (SSL) and Transport Layer Security (TLS) protections available on websites that depend on the open source package.

2:13 pm on Mar 5, 2014 (gmt 0)

Senior Member

joined:May 23, 2005
votes: 0

To be clear to Windows users who will misunderstand all of that, 1) it's a bug in GNU's library and not Linux itself 2) it's a bug that affects some applications which MIGHT be installed but might not 3) the fix is already out.

12:38 am on Mar 6, 2014 (gmt 0)

Preferred Member

joined:June 15, 2007
votes: 18

What percentage of home users would be affected?

8:14 am on Mar 6, 2014 (gmt 0)

Senior Member graeme_p (from GB)

joined:Nov 16, 2005
votes: 200

It looks like fixes have been rolled out - Ubuntu updated this library the day this was announced, I think. The other good news is that it was found by the good guys - Red Hat found it by auditing the code, so there is a very good chance it's never been exploited. [bugzilla.redhat.com]

It may affect software on other platforms such as Windows or MacOS as well. Its license is LGPL not GPL so it may be used in some proprietary software.

It is not used by Firefox or Thunderbird. It may be used with Apache if Apache is configured to use it. Apache defaults to OpenSSL, while Mozilla have their own library.

It does seem to be used by quite a lot of email, chat and download and multimedia software and a few other things - empathy, aria2, Wireshark, Mutt, Claws Mail, Lynx, CUPS, Exim and some gstreamer plugins.

It also seems to be used by Chrome/Chromium which may be the most widespread problem.

There are lots of lists of packages dependent on it, but "depends" does not mean "uses", or that it matters. AbiWord uses GnuTLS, but I have never done anything with AbiWord that requires accessing a network... The same applies to indirect dependencies - an app may depend on a library that depends on GnuTLS but not actually use GnuTLS itself.

As far as I can see it does not break encryption, but it does allow the use of a fake certificate, leading to a possible MITM attack. There is no indication that this has happened.
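The point above about dependency lists versus actual use can be checked on a host rather than guessed from package metadata. The script below is an added example, not code from the thread or from the GnuTLS project: it separates binaries that declare libgnutls as a direct NEEDED entry (what `readelf -d` reports) from binaries that only pull it in through some intermediate library (which is why it also appears in `ldd` output). The readelf and ldd excerpts embedded in the script are constructed, and the binary names and the intermediate library `libhypothetical-net.so.0` are placeholders, so it runs offline; `probe_binary` runs the real tools on a path of your own when they are installed.

```python
"""Inventory which binaries actually link GnuTLS, directly or only through
another library.  Added example (not from the thread); the readelf/ldd
excerpts below are constructed, and the binary names and the intermediate
library libhypothetical-net.so.0 are placeholders."""
import re
import shutil
import subprocess
from typing import Dict, Set

# Constructed `readelf -d` excerpts: the (NEEDED) entries are a binary's
# *direct* dependencies, which is what "uses GnuTLS" really means.
READELF_SAMPLES: Dict[str, str] = {
    "/usr/bin/fetcher-like": (
        " 0x0000000000000001 (NEEDED) Shared library: [libgnutls.so.28]\n"
        " 0x0000000000000001 (NEEDED) Shared library: [libc.so.6]\n"
    ),
    "/usr/bin/editor-like": (
        " 0x0000000000000001 (NEEDED) Shared library: [libhypothetical-net.so.0]\n"
        " 0x0000000000000001 (NEEDED) Shared library: [libc.so.6]\n"
    ),
    "/usr/bin/plain-like": (
        " 0x0000000000000001 (NEEDED) Shared library: [libc.so.6]\n"
    ),
}

# Constructed `ldd` excerpts: ldd resolves the whole tree, so a library
# pulled in by an intermediate dependency shows up here as well.
LDD_SAMPLES: Dict[str, str] = {
    "/usr/bin/fetcher-like": (
        "\tlinux-vdso.so.1 (0x00007ffd00000000)\n"
        "\tlibgnutls.so.28 => /usr/lib/libgnutls.so.28 (0x00007f0000000000)\n"
        "\tlibc.so.6 => /lib/libc.so.6 (0x00007f0000100000)\n"
    ),
    "/usr/bin/editor-like": (
        "\tlibhypothetical-net.so.0 => /usr/lib/libhypothetical-net.so.0 (0x00007f0000200000)\n"
        "\tlibgnutls.so.28 => /usr/lib/libgnutls.so.28 (0x00007f0000000000)\n"
        "\tlibc.so.6 => /lib/libc.so.6 (0x00007f0000100000)\n"
    ),
    "/usr/bin/plain-like": (
        "\tlibc.so.6 => /lib/libc.so.6 (0x00007f0000100000)\n"
    ),
}

NEEDED_RE = re.compile(r"\(NEEDED\)\s+Shared library:\s+\[([^\]]+)\]")


def direct_needed(readelf_output: str) -> Set[str]:
    """SONAMEs the binary itself declares as NEEDED (direct dependencies)."""
    return set(NEEDED_RE.findall(readelf_output))


def transitive_libs(ldd_output: str) -> Set[str]:
    """Every shared object ldd would load for the binary (direct + indirect)."""
    libs: Set[str] = set()
    for line in ldd_output.splitlines():
        parts = line.split()
        if parts and ".so" in parts[0]:  # skips 'statically linked' and similar lines
            libs.add(parts[0])
    return libs


def classify(readelf_output: str, ldd_output: str, prefix: str = "libgnutls") -> str:
    """'direct' if the binary links the library itself, 'indirect' if it only
    arrives via another dependency, 'none' if it is never loaded at all."""
    if any(name.startswith(prefix) for name in direct_needed(readelf_output)):
        return "direct"
    if any(name.startswith(prefix) for name in transitive_libs(ldd_output)):
        return "indirect"
    return "none"


def inventory(readelf: Dict[str, str], ldd: Dict[str, str]) -> Dict[str, str]:
    """Classify every binary for which a readelf excerpt is available."""
    return {path: classify(readelf[path], ldd.get(path, "")) for path in readelf}


def probe_binary(path: str) -> str:
    """Run the real tools on a binary of this host, if readelf and ldd exist."""
    if not (shutil.which("readelf") and shutil.which("ldd")):
        raise RuntimeError("readelf/ldd not available on this host")
    needed = subprocess.run(["readelf", "-d", path], capture_output=True, text=True).stdout
    tree = subprocess.run(["ldd", path], capture_output=True, text=True).stdout
    return classify(needed, tree)


if __name__ == "__main__":
    for binary, verdict in sorted(inventory(READELF_SAMPLES, LDD_SAMPLES).items()):
        print(f"{binary}: {verdict}")
```

An "indirect" verdict still means the vulnerable code is loaded into the process, so the binary is worth patching; it just tells you that the application's own code never calls GnuTLS and that the library in between decides whether TLS is involved. One operational caveat: `ldd` works by running the dynamic loader on the file, so use it only on binaries you trust, whereas `readelf -d` merely parses the ELF headers.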