Posted on 03/05/2014 10:20:50 AM PST by ShadowAce
A source code mistake in the GnuTLS library – an open-source software building block used in a large number of different Linux distributions to handle secure Internet connections – could prove a serious threat to the privacy of Linux users, as developers rush to patch the vulnerability.
Nikos Mavrogiannopolous, the developer of GnuTLS, announced Monday in a mailing list message that he had implemented a fix to the source code that closes the loophole. The flaw would have enabled an attacker to spoof GnuTLS’ system for verifying certificates, exposing supposedly secure connections to stealthy eavesdropping.
By creating a specific type of fake certificate, an attacker could trick GnuTLS into accepting it as genuine, granting access to an otherwise-secure connection. This done, the intruder could monitor traffic flowing through the connection in plain text, and even interject code of his own, potentially opening further avenues of attack.
Mavrogiannopolous, who called the bug “embarrassing,” said that the issue was discovered during an audit performed on behalf of his employer, Red Hat. Some major Linux distributions have already acted to apply Mavrogiannopolous’ fix, according to a security advisory posted by LWN.net. Ubuntu, Debian, Fedora, Red Hat, Oracle, Slackware and SUSE have all rolled out updates aimed at closing the loophole.
The news comes days after Apple patched a similar issue in its own software, which had exposed iOS and OS X users to similar man-in-the-middle attacks. Thanks to the greater consumer reach of Apple’s products, that “goto fail” issue received widespread attention – with some commentators even ascribing sinister motivations to Apple’s apparent sluggishness in fixing the flaws.
No doubt the “Mavrogiannopolous patch” will soon become a household name.
So, before it became a serious issue, a private developer fixed it and released the patch for free?
Is there supposed to be a downside to this?
Just letting people know....:D
The good news is that it’s fixed. The bad news is that you can’t download it unless you can spell “Mavrogiannopolous”.
Probably a good idea it was kept under wraps until AFTER the updates were sent out.
I wonder how this will affect many smartphones. Android sits on top of a Linux system.
Here is a little beta game available for Windows, Mac and Linux, runs perfectly on my dinosaur.
http://dinopoloclub.com/minimetro/
I like it
I’m assuming it’s the common spelling... ;-)
But Apple and Linux aren’t vulnerable, only Microsatan! Just shows to go ya it’s always something! bad people will always find a way to screw with us.
Darn. Probably time to upgrade Ubuntu. I am still running 10 because I hate the iphone style interface. Been an excellent OS for me otherwise.
Mxyzptlk?
This is the first time I have heard of an issue with Linux in 3 years. I am not current on the techie stuff, though.
Man, that’d make one heck of a root password. The problem is that I’d never get in either.
I really don’t have an issue with Apple or Linux, it’s just human nature that the more popular something is in use the more it draws the lowlifes to attack it.
Consider Linux Mint w Cinnamon desktop as an alternative. I hated the new interface too and found this a great option.
http://www.linuxmint.com/download.php
Its essentially Ubuntu with some tweaks.
Install your updates, people! Hope you weren’t thinking that it’s only necessary on Windows machines…
bookmark
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.