Posted on 03/05/2014 10:20:50 AM PST by ShadowAce
A source code mistake in the GnuTLS library, an open-source software building block used in a large number of Linux distributions to handle secure Internet connections, could prove a serious threat to the privacy of Linux users, as developers rush to patch the vulnerability.
Nikos Mavrogiannopoulos, the developer of GnuTLS, announced Monday in a mailing list message that he had implemented a fix to the source code that closes the loophole. The flaw would have enabled an attacker to defeat GnuTLS's system for verifying certificates, exposing supposedly secure connections to stealthy eavesdropping.
By creating a specific type of fake certificate, an attacker could trick GnuTLS into accepting it as genuine, gaining access to an otherwise-secure connection. This done, the intruder could monitor traffic flowing through the connection in plain text, and even inject code of his own, potentially opening further avenues of attack.
Mavrogiannopoulos, who called the bug embarrassing, said that the issue was discovered during an audit performed on behalf of his employer, Red Hat. Some major Linux distributions have already acted to apply Mavrogiannopoulos's fix, according to a security advisory posted by LWN.net. Ubuntu, Debian, Fedora, Red Hat, Oracle, Slackware and SUSE have all rolled out updates aimed at closing the loophole.
The news comes days after Apple patched a similar issue in its own software, which had exposed iOS and OS X users to similar man-in-the-middle attacks. Thanks to the greater consumer reach of Apple's products, that "goto fail" issue received widespread attention, with some commentators even ascribing sinister motivations to Apple's apparent sluggishness in fixing the flaw.
So...what package would a Mint 15 or 16 user install? An Ubuntu patch?
Look for a package by the name of gnutls or similar.
You're quite welcome.
I work in the DO-178C arena and know what it takes to build bug-free, safety-critical systems. It isn't easy because it is old school where most programmers just want to code.
Tell me about it — in my last job I was doing the backend of a system dealing with medical/insurance records (in PHP) and wrote an importation module that took a CSV file as input. I would not be surprised if that module is not the best commented in that company's code-base. Anyway, after everything was up and running we pushed it over to the production machine where it promptly failed. Turns out that the dev machine had a newer version of PHP, which had a CSV-parsing function, and the production machine did not. So I wrote my own CSV-parsing function, pushed that to production, and everything worked great.
Talking with the other main dev on that project about it later I got the response "Why not just use string-split? Done." … This data being things like names (Last, First), Addresses, lists... IOW, a non-parsing method would be (and is) wholly inadequate for all but the most trivial CSV-files. *sigh*
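The point of the anecdote above is that "just split on commas" breaks as soon as a field such as a "Last, First" name contains the delimiter. The following is an added example, not the poster's PHP module: a small hand-written CSV record parser that honours quoting and doubled-quote escapes, run against naive `str.split` and cross-checked with Python's `csv` module on a constructed sample. The sample rows and all function names are invented for the illustration.

```python
"""Added example (not the poster's code): why string-split is not CSV parsing.
A small state-machine record parser that honours quotes, compared with naive
str.split and cross-checked against Python's csv module."""
import csv
import io

# Constructed sample: a "Last, First" name, an address containing a comma,
# a tag list inside one field, and a name with an escaped (doubled) quote.
SAMPLE_CSV = (
    'name,address,tags\n'
    '"Doe, John","1 Main St, Apt 2","a,b"\n'
    '"O""Brien, Pat",Elm St,c\n'
)


def split_row(line):
    """What 'just use string-split' does: quoting is ignored entirely."""
    return line.split(",")


def parse_row(line, delimiter=",", quote='"'):
    """Parse one CSV record by hand.

    Inside a quoted field the delimiter is literal, and a doubled quote
    stands for one literal quote character.
    """
    fields, buf, in_quotes, i = [], [], False, 0
    while i < len(line):
        ch = line[i]
        if in_quotes:
            if ch == quote and line[i + 1:i + 2] == quote:
                buf.append(quote)          # escaped quote inside a field
                i += 2
                continue
            if ch == quote:
                in_quotes = False          # closing quote
            else:
                buf.append(ch)
        elif ch == quote:
            in_quotes = True               # opening quote
        elif ch == delimiter:
            fields.append("".join(buf))    # end of an unquoted field
            buf = []
        else:
            buf.append(ch)
        i += 1
    if in_quotes:
        raise ValueError("unterminated quoted field: %r" % line)
    fields.append("".join(buf))
    return fields


def parse_csv(text):
    """Parse every line of a CSV text into a list of field lists."""
    return [parse_row(line) for line in text.splitlines()]


def rows_with_wrong_field_count(rows):
    """Indices of rows whose field count differs from the header row's."""
    expected = len(rows[0])
    return [i for i, row in enumerate(rows) if len(row) != expected]


def agrees_with_stdlib(text):
    """Cross-check the hand parser against Python's csv module."""
    return parse_csv(text) == list(csv.reader(io.StringIO(text)))


if __name__ == "__main__":
    naive = [split_row(line) for line in SAMPLE_CSV.splitlines()]
    print("naive rows with wrong field count:", rows_with_wrong_field_count(naive))
    print("parsed rows with wrong field count:",
          rows_with_wrong_field_count(parse_csv(SAMPLE_CSV)))
    print("hand parser agrees with csv module:", agrees_with_stdlib(SAMPLE_CSV))
```

On the sample, naive splitting turns the three-column data rows into six and four fields respectively, which is exactly the kind of silent record corruption that a records-import job must refuse rather than load.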
This update was patched last week. I updated a bunch of my Ubuntu 12.04 servers over the weekend, and this patch was in it.
Hooray for open source and community awareness!
XYZZY
bump!
lol
That 5th dimension trickster always shows up unexpectedly!
Funny lol. Oddly, I didn't get this update for SUSE last night. Will have to check which actual packages are involved. Called GnuTLS?
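Two questions in this thread ("what package would I install?" and "which actual packages are involved?") both come down to finding where GnuTLS lives on a host. The script below is an added example, not code from the article or from the GnuTLS project: it asks the native package manager which gnutls packages are installed, then walks `/proc/<pid>/maps` to list running processes that have `libgnutls` mapped. The kernel marks a mapping `(deleted)` when the file behind it has been replaced on disk, which is how you spot daemons still running the pre-update library after `yum -y update` or `apt-get upgrade`; those need a restart before the fix takes effect. It assumes Linux with `/proc`, and `dpkg-query` or `rpm` on PATH; the sample maps content and paths in it are constructed.

```python
"""Added example (not from the article or the GnuTLS project): inventory
GnuTLS on a Linux host, showing installed gnutls packages and the running
processes that still map libgnutls, including stale copies after an update.
Assumes Linux /proc and, optionally, dpkg-query or rpm on PATH."""
import glob
import os
import shutil
import subprocess

# Constructed sample of /proc/<pid>/maps content (paths and versions invented):
# the first libgnutls mapping is marked deleted, i.e. the on-disk file was
# replaced by an update while this process kept running the old copy.
SAMPLE_MAPS = """\
00400000-0040b000 r-xp 00000000 08:01 131 /usr/sbin/sshd
7f1e2c000000-7f1e2c0ff000 r-xp 00000000 08:01 5501 /usr/lib64/libgnutls.so.26.22.6 (deleted)
7f1e2c2ff000-7f1e2c300000 rw-p 000ff000 08:01 5501 /usr/lib64/libgnutls.so.26.22.6 (deleted)
7f1e2c400000-7f1e2c500000 r-xp 00000000 08:01 5502 /usr/lib64/libssl.so.1.0.1e
7f1e2c600000-7f1e2c621000 rw-p 00000000 00:00 0
7f1e2c700000-7f1e2c721000 rw-p 00000000 00:00 0          [heap]
"""


def gnutls_mappings(maps_text):
    """Parse the text of one /proc/<pid>/maps file.

    Returns sorted (library_path, stale) pairs for every libgnutls mapping;
    stale is True when the kernel flagged the backing file as '(deleted)'.
    """
    found = {}
    for line in maps_text.splitlines():
        fields = line.split(None, 5)   # address perms offset dev inode [path]
        if len(fields) < 6:
            continue                   # anonymous mapping, no backing file
        path = fields[5].strip()
        stale = path.endswith("(deleted)")
        if stale:
            path = path[: -len(" (deleted)")]
        if "libgnutls" in os.path.basename(path):
            found[path] = found.get(path, False) or stale
    return sorted(found.items())


def scan_running_processes(proc_root="/proc"):
    """Return {pid: (command_name, mappings)} for processes mapping libgnutls.

    Other users' processes are unreadable without privilege; they are skipped,
    so run as root for a complete picture.
    """
    result = {}
    for maps_file in glob.glob(os.path.join(proc_root, "[0-9]*", "maps")):
        pid_dir = os.path.dirname(maps_file)
        try:
            with open(maps_file) as fh:
                mappings = gnutls_mappings(fh.read())
            with open(os.path.join(pid_dir, "comm")) as fh:
                comm = fh.read().strip()
        except OSError:
            continue                   # process exited, or not ours to read
        if mappings:
            result[int(os.path.basename(pid_dir))] = (comm, mappings)
    return result


def processes_needing_restart(procs):
    """Pids from scan_running_processes() still holding a replaced libgnutls."""
    return sorted(pid for pid, (_, mappings) in procs.items()
                  if any(stale for _, stale in mappings))


def installed_gnutls_packages():
    """Ask the native package manager which gnutls packages are installed."""
    if shutil.which("dpkg-query"):
        cmd = ["dpkg-query", "-W", "--showformat=${binary:Package} ${Version}\n",
               "*gnutls*"]
    elif shutil.which("rpm"):
        cmd = ["rpm", "-qa", "*gnutls*"]
    else:
        return []
    out = subprocess.run(cmd, capture_output=True, text=True)
    return [line for line in out.stdout.splitlines() if line.strip()]


if __name__ == "__main__":
    for pkg in installed_gnutls_packages():
        print("package:", pkg)
    procs = scan_running_processes()
    for pid, (comm, mappings) in sorted(procs.items()):
        print(pid, comm, mappings)
    print("restart needed:", processes_needing_restart(procs))
```

A package-manager update alone is not the end of the job: any pid reported under "restart needed" is still executing the old certificate-verification code until it is restarted.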
Thank you sir!
Thanks.
Good point.
yum -y update
Pretty simple. :-)
There's stuff often enough, that it's a good idea to keep your system fully patched. Fortunately, you don't see a lot of stuff like the viruses seen in the Windows world. The vast majority of security-related issues that come up are local exploits that you don't really have to worry about as long as you trust yourself from hacking your own computer.
No operating system is perfect, which is why responsible computer users keep themselves reasonably updated, and keep their attack surface as shallow as it can be.
hahahaahahahahahahahahahahahahaha
wow. it's amazing how woefully uninformed some folks are.
"sudo yum -y update" is so incredibly difficult to do to get all of your software as up to date as it can be. Microsoft is still crap for updating because everything is so decentralized. Yeah, you can get Microsoft updates from one place, but the vast majority of everything else you need to actually do anything beyond playing solitaire have to be updated separately.
Yeah--when I first saw that, I just shook my head. People are so willing to make pronouncements on things they know nothing about.