Critical crypto bug leaves Linux, hundreds of apps open to eavesdropping

Hundreds of open source packages, including the Red Hat, Ubuntu, and Debian distributions of Linux, are susceptible to attacks that circumvent the most widely used technology to prevent eavesdropping on the Internet, thanks to an extremely critical vulnerability in a widely used cryptographic code library.

The bug in the GnuTLS library makes it trivial for attackers to bypass secure sockets layer (SSL) and Transport Layer Security (TLS) protections available on websites that depend on the open source package. Initial estimates included in Internet discussions such as this one indicate that more than 200 different operating systems or applications rely on GnuTLS to implement crucial SSL and TLS operations, but it wouldn't be surprising if the actual number is much higher. Web applications, e-mail programs, and other code that use the library are vulnerable to exploits that allow attackers monitoring connections to silently decode encrypted traffic passing between end users and servers.

The bug is the result of commands in a section of the GnuTLS code that verify the authenticity of TLS certificates, which are often known simply as X509 certificates. The coding error, which may have been present in the code since 2005, causes critical verification checks to be terminated, drawing ironic parallels to the extremely critical "goto fail" flaw that for months put users of Apple's iOS and OS X operating systems at risk of surreptitious eavesdropping attacks. Apple developers have since patched the bug.

"It was discovered that GnuTLS did not correctly handle certain errors that could occur during the verification of an X.509 certificate, causing it to incorrectly report a successful verification," an advisory issued by Red Hat warned. "An attacker could use this flaw to create a specially crafted certificate that could be accepted by GnuTLS as valid for a site chosen by the attacker."

Link

This seems pretty big. Lots of system that need to be patched.

reply to post by roadgravel


LMAO!

So many 'techno hippies' use LINUX. LOL.

It's no better than any other operating system.

minusinfinity
reply to post by roadgravel

 

LMAO!

So many 'techno hippies' use LINUX. LOL.

It's no better than any other operating system.

Actually it is ALOT better in terms of security than "any other operating system". LOL

FYI GnuTLS is not Linux and is used in many other OS like IOS and Windows.

hana1

minusinfinity
reply to post by roadgravel

 

LMAO!

So many 'techno hippies' use LINUX. LOL.

It's no better than any other operating system.

Actually it is ALOT better in terms of security than "any other operating system". LOL

FYI GnuTLS is not Linux and is used in many other OS like IOS and Windows.

GnuTLS is used by very few Linux applications as it turns out. Almost all use the competing OpenSSL library which has significantly better security design. GnuTLS was written because of ideological problems between GNU and the license terms of OpenSSL.

The popular web browsers use OpenSSL.

I dont think I use GnuTLS or any of my apps, because I dont such thing, I'm open, no secret here! but that just me.
In theory if the system is secure, there is no need for a crypto at all.

The article is mentioning "200 different operating systems or applications rely on GnuTLS". No just Linux. Thanks to opensource movement, such thing can be found and alerted.

If closedsourced crypto application have bug, you will not know it until its revealed which is - Never.

I think Chrome uses GNUtls in Kubuntu anyway. Just updated so I hope it is patched.