Free Republic

Major security flaw threatens Linux users
Network World ^ | 4 March 2014 | Jon Gold

Posted on 03/05/2014 10:20:50 AM PST by ShadowAce

A source code mistake in the GnuTLS library – an open-source software building block used in a large number of different Linux distributions to handle secure Internet connections – could prove a serious threat to the privacy of Linux users, as developers rush to patch the vulnerability.

Nikos Mavrogiannopolous, the developer of GnuTLS, announced Monday in a mailing list message that he had implemented a fix to the source code that closes the loophole. The flaw would have enabled an attacker to spoof GnuTLS’ system for verifying certificates, exposing supposedly secure connections to stealthy eavesdropping.

By creating a specific type of fake certificate, an attacker could trick GnuTLS into accepting it as genuine, granting access to an otherwise-secure connection. This done, the intruder could monitor traffic flowing through the connection in plain text, and even interject code of his own, potentially opening further avenues of attack.

Mavrogiannopolous, who called the bug “embarrassing,” said that the issue was discovered during an audit performed on behalf of his employer, Red Hat. Some major Linux distributions have already acted to apply Mavrogiannopolous’ fix, according to a security advisory posted by LWN.net. Ubuntu, Debian, Fedora, Red Hat, Oracle, Slackware and SUSE have all rolled out updates aimed at closing the loophole.

The news comes days after Apple patched a similar issue in its own software, which had exposed iOS and OS X users to similar man-in-the-middle attacks. Thanks to the greater consumer reach of Apple’s products, that “goto fail” issue received widespread attention – with some commentators even ascribing sinister motivations to Apple’s apparent sluggishness in fixing the flaws.
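The article describes the flaw only by its effect: a crafted certificate is accepted by the verifier and the connection can then be read or altered in transit. The C program below is an added illustration, not GnuTLS code and not from the article, of one common way a verifier ends up accepting on an error path: a helper that reports "is a CA" as 1, "not a CA" as 0 and a parse failure as a negative code, called by code that tests `if (ret)` instead of `ret == success`, so the negative error value is taken as "valid". The `struct cert`, the `issuer_is_ca` helper, the status values and the three sample certificates are all constructed for the example; the hardened caller shows the check a reviewer would ask for.

```c
#include <stdbool.h>
#include <stdio.h>

/* Status values returned by the helper below (constructed for this example). */
enum { CA_YES = 1, CA_NO = 0, CA_ERR_MALFORMED = -1 };

/* Toy certificate carrying only what the example needs. */
struct cert {
    const char *subject;
    bool is_ca;      /* stands in for the basicConstraints CA flag */
    bool malformed;  /* simulates an extension that fails to parse */
};

/* Helper: 1 if the certificate is a CA, 0 if it is not, negative on error. */
static int issuer_is_ca(const struct cert *c)
{
    if (c->malformed)
        return CA_ERR_MALFORMED;   /* error path, not a positive result */
    return c->is_ca ? CA_YES : CA_NO;
}

/* Buggy caller: tests "nonzero" instead of "equal to the success value".
 * A negative error code is nonzero, so a malformed issuer is accepted. */
int accept_issuer_buggy(const struct cert *issuer)
{
    int ret = issuer_is_ca(issuer);
    if (ret)          /* BUG: CA_ERR_MALFORMED (-1) also takes this branch */
        return 1;     /* accepted as a valid CA */
    return 0;         /* rejected */
}

/* Hardened caller: errors are handled before the CA decision and only the
 * explicit success value accepts. */
int accept_issuer_fixed(const struct cert *issuer)
{
    int ret = issuer_is_ca(issuer);
    if (ret < 0) {
        fprintf(stderr, "rejecting '%s': error %d while checking CA status\n",
                issuer->subject, ret);
        return 0;
    }
    return ret == CA_YES ? 1 : 0;
}

/* Constructed sample certificates. */
const struct cert sample_root_ca   = { "Example Root CA",  true,  false };
const struct cert sample_leaf      = { "www.example.test", false, false };
const struct cert sample_malformed = { "Forged Issuer",    false, true  };

int main(void)
{
    const struct cert *certs[] = { &sample_root_ca, &sample_leaf, &sample_malformed };
    for (size_t i = 0; i < sizeof certs / sizeof certs[0]; i++)
        printf("%-18s buggy=%d fixed=%d\n", certs[i]->subject,
               accept_issuer_buggy(certs[i]), accept_issuer_fixed(certs[i]));
    return 0;
}
```

The buggy and fixed callers agree on a real CA and on a plain leaf certificate; they differ only on the malformed one, which is exactly the input an attacker controls. The practical check is the same one that applies to the "goto fail" case the article mentions: every error exit in a verification routine must lead to rejection, and callers must compare against the explicit success value rather than against "nonzero".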


TOPICS: Computers/Internet
KEYWORDS: linux; vulnerability

1 posted on 03/05/2014 10:20:51 AM PST by ShadowAce
[ Post Reply | Private Reply | View Replies]

To: rdb3; Calvinist_Dark_Lord; Salo; JosephW; Only1choice____Freedom; amigatec; Still Thinking; ...

2 posted on 03/05/2014 10:21:15 AM PST by ShadowAce (Linux -- The Ultimate Windows Service Pack)
[ Post Reply | Private Reply | To 1 | View Replies]

To: ShadowAce

No doubt the “Mavrogiannopolous patch” will soon become a household name.


3 posted on 03/05/2014 10:22:43 AM PST by freedomlover
[ Post Reply | Private Reply | To 1 | View Replies]

To: ShadowAce

So, before it became a serious issue, a private developer fixed it and released the patch for free?

Is there supposed to be a downside to this?


4 posted on 03/05/2014 10:25:07 AM PST by Dead Corpse (Tre Norner eg ber, binde til rota...)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Dead Corpse

Just letting people know....:D


5 posted on 03/05/2014 10:26:42 AM PST by ShadowAce (Linux -- The Ultimate Windows Service Pack)
[ Post Reply | Private Reply | To 4 | View Replies]

To: ShadowAce
Thanks!


6 posted on 03/05/2014 10:28:40 AM PST by Dead Corpse (Tre Norner eg ber, binde til rota...)
[ Post Reply | Private Reply | To 5 | View Replies]

To: freedomlover

The good news is that it’s fixed. The bad news is that you can’t download it unless you can spell “Mavrogiannopolous”.


7 posted on 03/05/2014 10:29:19 AM PST by Billthedrill
[ Post Reply | Private Reply | To 3 | View Replies]

To: ShadowAce
Ubuntu, Debian, Fedora, Red Hat, Oracle, Slackware and SUSE have all rolled out updates aimed at closing the loophole.

Probably a good idea it was kept under wraps until AFTER the updates were sent out.

8 posted on 03/05/2014 10:30:37 AM PST by GeronL (Vote for Conservatives not for Republicans!)
[ Post Reply | Private Reply | To 1 | View Replies]

To: ShadowAce

I wonder how this will affect many smartphones. Android sits on top of a Linux system.


9 posted on 03/05/2014 10:31:25 AM PST by BuffaloJack (Freedom isn't free; nor is it easy. END ALL TOTALITARIAN ACTIVITY NOW.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: ShadowAce

Here is a little beta game available for Windows, Mac and Linux, runs perfectly on my dinosaur.

http://dinopoloclub.com/minimetro/

I like it


10 posted on 03/05/2014 10:32:19 AM PST by GeronL (Vote for Conservatives not for Republicans!)
[ Post Reply | Private Reply | To 5 | View Replies]

To: Billthedrill

I’m assuming it’s the common spelling... ;-)


11 posted on 03/05/2014 10:33:11 AM PST by Dead Corpse (Tre Norner eg ber, binde til rota...)
[ Post Reply | Private Reply | To 7 | View Replies]

To: ShadowAce

But Apple and Linux aren’t vulnerable, only Microsatan! Just shows to go ya it’s always something! bad people will always find a way to screw with us.


12 posted on 03/05/2014 10:35:23 AM PST by Mastador1 (I'll take a bad dog over a good politician any day!)
[ Post Reply | Private Reply | To 1 | View Replies]

To: GeronL

Darn. Probably time to upgrade Ubuntu. I am still running 10 because I hate the iphone style interface. Been an excellent OS for me otherwise.


13 posted on 03/05/2014 10:38:56 AM PST by dhs12345
[ Post Reply | Private Reply | To 8 | View Replies]

To: Billthedrill

Mxyzptlk?


14 posted on 03/05/2014 10:39:08 AM PST by Dr. Bogus Pachysandra ( Ya can't pick up a turd by the clean end!)
[ Post Reply | Private Reply | To 7 | View Replies]

To: Mastador1

This is the first time I have heard of an issue with Linux in 3 years. I am not current on the techie stuff, though.


15 posted on 03/05/2014 10:41:26 AM PST by dhs12345
[ Post Reply | Private Reply | To 12 | View Replies]

To: Dr. Bogus Pachysandra

Man, that’d make one heck of a root password. The problem is that I’d never get in either.


16 posted on 03/05/2014 10:42:16 AM PST by Billthedrill
[ Post Reply | Private Reply | To 14 | View Replies]

To: dhs12345

I really don’t have an issue with Apple or Linux, it’s just human nature that the more popular something is in use the more it draws the lowlifes to attack it.


17 posted on 03/05/2014 10:43:30 AM PST by Mastador1 (I'll take a bad dog over a good politician any day!)
[ Post Reply | Private Reply | To 15 | View Replies]

To: dhs12345

Consider Linux Mint w Cinnamon desktop as an alternative. I hated the new interface too and found this a great option.

http://www.linuxmint.com/download.php

It's essentially Ubuntu with some tweaks.


18 posted on 03/05/2014 10:44:28 AM PST by wonkowasright (Wonko from outside the asylum)
[ Post Reply | Private Reply | To 13 | View Replies]

To: ShadowAce
What makes this particular vulnerability special? Security problems are discovered every day. Here is a long list. Check the dates.

Install your updates, people! Hope you weren’t thinking that it’s only necessary on Windows machines…

19 posted on 03/05/2014 10:44:56 AM PST by cartan
[ Post Reply | Private Reply | To 1 | View Replies]

To: ShadowAce

bookmark


20 posted on 03/05/2014 10:47:33 AM PST by dadfly
[ Post Reply | Private Reply | To 1 | View Replies]

To: dhs12345

If you don’t like the Unity interface you can always try the Kubuntu or Xubuntu varieties. They are probably identical underneath the desktop.


21 posted on 03/05/2014 10:53:28 AM PST by GeronL (Vote for Conservatives not for Republicans!)
[ Post Reply | Private Reply | To 13 | View Replies]

To: Billthedrill

https://en.wikipedia.org/wiki/Mister_Mxyzptlk


22 posted on 03/05/2014 10:53:44 AM PST by Dr. Bogus Pachysandra ( Ya can't pick up a turd by the clean end!)
[ Post Reply | Private Reply | To 16 | View Replies]

To: Billthedrill

I’d have migraines.


23 posted on 03/05/2014 10:59:03 AM PST by wally_bert (There are no winners in a game of losers. I'm Tommy Joyce, welcome to the Oriental Lounge.)
[ Post Reply | Private Reply | To 16 | View Replies]

To: ShadowAce
Yep, and this is why a fully formally verified OS would be so desirable… provability on the absence of bugs.
24 posted on 03/05/2014 11:02:21 AM PST by OneWingedShark (Q: Why am I here? A: To do Justly, to love mercy, and to walk humbly with my God.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: OneWingedShark

It’s being worked on, but I can see it as an absolutely huge undertaking


25 posted on 03/05/2014 11:06:21 AM PST by ShadowAce (Linux -- The Ultimate Windows Service Pack)
[ Post Reply | Private Reply | To 24 | View Replies]

To: Mastador1

Considering how many flaws have been found in each OS, how long it takes for a patch to be found, and what happens once you patch them?

M$ has nothing to crow about here.


26 posted on 03/05/2014 11:08:47 AM PST by Dead Corpse (Tre Norner eg ber, binde til rota...)
[ Post Reply | Private Reply | To 12 | View Replies]

To: Billthedrill
The good news is that it’s fixed. The bad news is that you can’t download it unless you can spell “Mavrogiannopolous”.

The article misspells the name. Should be ...poulos not ...polous.

27 posted on 03/05/2014 11:09:47 AM PST by omega4412
[ Post Reply | Private Reply | To 7 | View Replies]

To: ShadowAce
It’s being worked on, but I can see it as an absolutely huge undertaking

Indeed it is, though if they're using C (or C++) they're making an inherently arduous task even more difficult for themselves.
Ada/SPARK would probably be ideal, as Ada lends itself to these sorts of analyses fairly well and it has good low-level facilities.
A functional language would be excellent for implementing a large portion of the OS w/ verifiable properties, but there are efficiency issues (as well as that they're rather unsuited to low-level manipulations).

IMO we need the fundamental/base portions of our SW to be formally verified: OS, Compiler, the basics of the networking components (like DNS). If that's done the stability/reliability/security of everyday consumer-level software should be immensely improved.

28 posted on 03/05/2014 11:16:48 AM PST by OneWingedShark (Q: Why am I here? A: To do Justly, to love mercy, and to walk humbly with my God.)
[ Post Reply | Private Reply | To 25 | View Replies]

To: ShadowAce

This article is obviously untrue. Linux and Apple products are completely immune from viruses. Only Microsoft products are affected by hackers.


29 posted on 03/05/2014 11:17:45 AM PST by bigtoona
[ Post Reply | Private Reply | To 1 | View Replies]

To: bigtoona

This isn’t a virus.


30 posted on 03/05/2014 11:18:48 AM PST by ShadowAce (Linux -- The Ultimate Windows Service Pack)
[ Post Reply | Private Reply | To 29 | View Replies]

To: OneWingedShark

Green Hills Integrity, for instance?


31 posted on 03/05/2014 11:19:30 AM PST by CodeToad (Keeping whites from talking about blacks is verbal segregation!)
[ Post Reply | Private Reply | To 24 | View Replies]

To: Dead Corpse

The worst thing about getting a virus on Linux or Apple is the fact that neither one of them has their act together with regard to fixing and distributing the hotfixes to end users.

Microsoft learned this lesson a long time ago and built an effective system for this. MS is hit more often but that comes with the territory when you own about 90% of the OS market.


32 posted on 03/05/2014 11:20:42 AM PST by bigtoona
[ Post Reply | Private Reply | To 26 | View Replies]

To: ShadowAce

Correction, not a virus, agreed. It's a security flaw. In other words it doesn't have to propagate to other machines, the hole is already in place and ready to go.


33 posted on 03/05/2014 11:23:12 AM PST by bigtoona
[ Post Reply | Private Reply | To 30 | View Replies]

To: bigtoona

The ruling Kings were less than 1% of any given population.

Now ask yourself, how much of the Internet rests on Linux servers? How much of our power grid and communications networks run on Linux-based appliances?

Now even Google ChromeOS based devices are little more than a fancy front-end for a Linux backend.

A few things to think about...


34 posted on 03/05/2014 11:24:22 AM PST by Dead Corpse (Tre Norner eg ber, binde til rota...)
[ Post Reply | Private Reply | To 32 | View Replies]

To: CodeToad
Green Hills Integrity, for instance?

Good instance // yep.
It's not really a consumer-level OS, though. (The Multivisor looks really interesting.)

35 posted on 03/05/2014 11:26:49 AM PST by OneWingedShark (Q: Why am I here? A: To do Justly, to love mercy, and to walk humbly with my God.)
[ Post Reply | Private Reply | To 31 | View Replies]

To: OneWingedShark

No, but it shows bug-free software can be had instead of the garbage these hacker types produce.


36 posted on 03/05/2014 11:32:03 AM PST by CodeToad (Keeping whites from talking about blacks is verbal segregation!)
[ Post Reply | Private Reply | To 35 | View Replies]

To: CodeToad
No, but it shows bug-free software can be had instead of the garbage these hacker types produce.

Very true — a couple of academics [lit. 2] produced Ironsides, which is a verified DNS, as a proof of concept that formal-verification tools [SPARK's theorem prover] were ready to be used in full applications.

37 posted on 03/05/2014 11:36:04 AM PST by OneWingedShark (Q: Why am I here? A: To do Justly, to love mercy, and to walk humbly with my God.)
[ Post Reply | Private Reply | To 36 | View Replies]

To: Dead Corpse
So, before it became a serious issue, a private developer fixed it and released the patch for free? Is there supposed to be a downside to this?

only if you don't understand the way open source software works
38 posted on 03/05/2014 11:36:34 AM PST by AK_47_7.62x39 (There are many moderate Muslims, but there is no such thing as a moderate Islam. -- Geert Wilders)
[ Post Reply | Private Reply | To 4 | View Replies]

To: Bloody Sam Roberts

?? ping ??


39 posted on 03/05/2014 11:36:38 AM PST by Mrs. B.S. Roberts
[ Post Reply | Private Reply | To 1 | View Replies]

To: OneWingedShark

Sweet! Thanks for that. I work in the DO-178C arena and know what it takes to build bug-free, safety critical systems. It isn’t easy because it is ‘old school’ where most programmers just want to code.


40 posted on 03/05/2014 11:42:00 AM PST by CodeToad (Keeping whites from talking about blacks is verbal segregation!)
[ Post Reply | Private Reply | To 37 | View Replies]

To: ShadowAce

So...what package would a Mint 15 or 16 user install? An Ubuntu patch?


41 posted on 03/05/2014 11:49:13 AM PST by Bloody Sam Roberts (Truth sounds like hate...to those who hate truth.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Bloody Sam Roberts
I would think that Ubuntu (like Fedora) already has a patch in the repositories--or at least in the pipeline. Fedora's version is in the updates-testing repository, so it should arrive in mainstream fairly soon.

Look for a package by the name of gnutls or similar.

42 posted on 03/05/2014 11:52:10 AM PST by ShadowAce (Linux -- The Ultimate Windows Service Pack)
[ Post Reply | Private Reply | To 41 | View Replies]

To: CodeToad
Sweet! Thanks for that.

You're quite welcome.

I work in the DO-178C arena and know what it takes to build bug-free, safety critical systems. It isn’t easy because it is ‘old school’ where most programmers just want to code.

Tell me about it — in my last job I was doing the backend of a system dealing with medical/insurance records (in PHP) and wrote an importation module that took a CSV file as input; I would not be surprised if that module is not the best commented in that company's code-base. Anyway, after everything was up and running we pushed it over to the production machine where it promptly failed. Turns out that the dev machine had a newer version of PHP, which had a CSV-parsing function, and the production machine did not. So I wrote my own CSV-parsing function, pushed that to production and everything worked great.

Talking with the other main dev on that project about it later I got the response "Why not just use string-split? Done." … This data being things like names (Last, First), Addresses, lists... IOW, a non-parsing method would be (and is) wholly inadequate for all but the most trivial CSV-files. *sigh*

43 posted on 03/05/2014 11:58:27 AM PST by OneWingedShark (Q: Why am I here? A: To do Justly, to love mercy, and to walk humbly with my God.)
[ Post Reply | Private Reply | To 40 | View Replies]
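The CSV point in the post above, as an added C example that is not the poster's PHP code (which is not on the page) and not part of the thread: a small RFC 4180-style record parser beside the "just split on commas" approach, run over a constructed record that contains a quoted "Last, First" name and an embedded quote. The function names, the field limits and the sample record are the example's own.

```c
#include <stdio.h>
#include <string.h>

#define MAX_FIELDS 16
#define MAX_FIELD_LEN 128

/* "Just use string-split": counts comma-separated pieces with no regard for
 * quoting. Any quoted field containing a comma shifts every later column. */
int naive_split_count(const char *line)
{
    int n = 1;
    for (; *line && *line != '\n' && *line != '\r'; line++)
        if (*line == ',')
            n++;
    return n;
}

/* Parses one CSV record with RFC 4180 quoting: commas separate fields, a field
 * wrapped in double quotes may contain commas, and a literal quote inside a
 * quoted field is written as two quotes (""). Fields are copied into `fields`.
 * Returns the number of fields, or -1 on malformed input or overflow. */
int csv_parse_line(const char *line, char fields[MAX_FIELDS][MAX_FIELD_LEN])
{
    const char *p = line;
    int nfields = 0;

    for (;;) {
        if (nfields >= MAX_FIELDS)
            return -1;
        char *out = fields[nfields];
        size_t len = 0;

        if (*p == '"') {                       /* quoted field */
            p++;
            for (;;) {
                if (*p == '\0')
                    return -1;                 /* unterminated quote */
                if (*p == '"') {
                    if (p[1] == '"') {         /* "" -> literal quote */
                        if (len + 1 >= MAX_FIELD_LEN) return -1;
                        out[len++] = '"';
                        p += 2;
                        continue;
                    }
                    p++;                       /* closing quote */
                    break;
                }
                if (len + 1 >= MAX_FIELD_LEN) return -1;
                out[len++] = *p++;
            }
            /* only a separator or end of record may follow a closing quote */
            if (*p != ',' && *p != '\0' && *p != '\n' && *p != '\r')
                return -1;
        } else {                               /* unquoted field */
            while (*p != '\0' && *p != ',' && *p != '\n' && *p != '\r') {
                if (*p == '"')
                    return -1;                 /* quote inside unquoted field */
                if (len + 1 >= MAX_FIELD_LEN) return -1;
                out[len++] = *p++;
            }
        }
        out[len] = '\0';
        nfields++;

        if (*p == ',') {
            p++;                               /* next field */
            continue;
        }
        return nfields;                        /* end of record */
    }
}

/* Field count only, parsing into a local buffer. */
int csv_field_count(const char *line)
{
    char fields[MAX_FIELDS][MAX_FIELD_LEN];
    return csv_parse_line(line, fields);
}

/* Constructed sample record: a "Last, First" name, an address, and a field
 * with an embedded quote. */
const char *const sample_record = "\"Doe, John\",123 Main St,\"He said \"\"hi\"\"\"";

/* Field i of the sample record, or NULL if parsing fails or i is out of range. */
const char *sample_field(int i)
{
    static char fields[MAX_FIELDS][MAX_FIELD_LEN];
    int n = csv_parse_line(sample_record, fields);
    if (n < 0 || i < 0 || i >= n)
        return NULL;
    return fields[i];
}

int main(void)
{
    int n = csv_field_count(sample_record);
    printf("naive split: %d pieces\n", naive_split_count(sample_record));
    printf("csv parser : %d fields\n", n);
    for (int i = 0; i < n; i++)
        printf("  [%d] %s\n", i, sample_field(i));
    return 0;
}
```

On the sample record the split approach reports four pieces and puts "John" where the address should be; the parser reports three fields with the name and the quoted text intact, and it rejects rather than guesses on an unterminated quote or a quote in the middle of an unquoted field. Rejecting malformed rows explicitly matters for an import job: silently mis-aligned columns in medical or insurance records are far harder to detect after the fact than a failed import.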

To: GeronL

This update was patched last week. I updated a bunch of my Ubuntu 12.04 servers over the weekend, and this patch was in it.

Hooray for open source and community awareness!


44 posted on 03/05/2014 12:14:06 PM PST by rarestia (It's time to water the Tree of Liberty.)
[ Post Reply | Private Reply | To 8 | View Replies]

To: Dr. Bogus Pachysandra
Mxyzptlk?

XYZZY

45 posted on 03/05/2014 12:20:54 PM PST by Bloody Sam Roberts (Truth sounds like hate...to those who hate truth.)
[ Post Reply | Private Reply | To 14 | View Replies]

To: rarestia

bump!


46 posted on 03/05/2014 12:24:40 PM PST by GeronL (Vote for Conservatives not for Republicans!)
[ Post Reply | Private Reply | To 44 | View Replies]

To: Bloody Sam Roberts

lol

That 5th dimension trickster always shows up unexpectedly!


47 posted on 03/05/2014 12:26:25 PM PST by GeronL (Vote for Conservatives not for Republicans!)
[ Post Reply | Private Reply | To 45 | View Replies]

To: Billthedrill
The bad news is that you can’t download it unless you can spell “Mavrogiannopolous”.

Funny lol. Oddly, I didn't get this update for SUSE last night. Will have to check which actual packages are involved. Called GnuTLS?

48 posted on 03/05/2014 12:30:46 PM PST by steve86 (Some things aren't really true but you wouldn't be half surprised if they were.)
[ Post Reply | Private Reply | To 7 | View Replies]

To: wonkowasright

Thank you sir!


49 posted on 03/05/2014 12:38:25 PM PST by dhs12345
[ Post Reply | Private Reply | To 18 | View Replies]

To: GeronL

Thanks.


50 posted on 03/05/2014 12:40:36 PM PST by dhs12345
[ Post Reply | Private Reply | To 21 | View Replies]
