Title photo
frugal technology, simple living and guerrilla large-appliance repair
Thu, 06 Mar 2014

Fedora and OpenSUSE update GnuTLS today, Debian and Ubuntu a couple days ago

The LWN security updates posted today include the GnuTLS updates for Fedora and OpenSUSE. Debian and Ubuntu pushed out their patch a couple days earlier.

It's a pretty big bug that is being closed. Says Tomas Hoger in the bug report:

It was discovered that GnuTLS X.509 certificate verification code failed to properly handle certain errors that can occur during the certificate verification. When such errors are encountered, GnuTLS would report successful verification of the certificate, even though verification should end with failure. A specially-crafted certificate can be accepted by GnuTLS as valid even if it wasn't issued by any trusted Certificate Authority. This can be used to perform man-in-the-middle attacks against applications using GnuTLS.

This has been all over the Internet the last week or so.

Selena Larson of Readwrite.com writes:

A variety of Linux distributions are vulnerable to hacks because of a bug that allows people to bypass security protocols to intercept and disseminate encrypted information. A member of the Red Hat security team discovered a bug in the GnuTLS library that allows hackers to easily circumvent the Transport Layer Security (TLS) and secure sockets layer (SSL).

The vulnerability affects the certificate verification, meaning secure connections that are supposedly going through as secure, are not. Someone could compromise a secure connection by using a “man-in-the-middle” attack, acting as the server to intercept traffic, financial transactions or secure information.