Re: gnutls security breach
On 05/03/14 19:10, Ric Moore wrote:
> Anyone see this?
> http://arstechnica.com/security/2014/03/critical-crypto-bug-leaves-linux-hundreds-of-apps-open-to-eavesdropping/
>
arsetechnica tends, like all traffic-revenue-generating "news" sites, to
overhype things.
>
> Good thing Red Hat caught it:
> https://rhn.redhat.com/errata/RHSA-2014-0246.html
http://www.gnutls.org/security.html#GNUTLS-SA-2014-2 (the audit that
caught this bug)
As with all security concerns that affect Debian - the first place to
look for reliable information is https://www.debian.org/security/
In this instance see:-
https://www.debian.org/security/2014/dsa-2869
The bug affects software that has to deal with dodgy certificates - a
bit like designing nails to pin snot to the wall.
If you are concerned about security you should update regularly and
subscribe to the appropriate debian-security-announce mailing list.
>
> Yeow! I just did update / upgrade to Jessie, but didn't see the security
> fix come through yet. Ric
You should also probably read the official documentation concerning
security updates and testing.
Dear interweb, please....
https://www.debian.org/security/faq#testing
:)
It's an old bug, 2005 from memory; it only affects some instances where
bad certificates are used *and* you manually elect to trust them.
Fix is basically:-
find . -name '*.c' | xargs grep strlen | wc -l
522
find . -name '*.c' | xargs grep strcat | wc -l
44
tl;dr? Remain calm, update, upgrade; carry on ;)
Kind regards
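As an added illustration (not code from this thread, and not GnuTLS source): one way a crafted or malformed certificate slips past a verification check in C. A helper returns a negative error code for a certificate it cannot parse, and a caller written as `if (helper(...))` treats that nonzero value as "yes". The `toy_cert` struct, the error codes and the sample certificates are all constructed stand-ins for X.509 data; the fix shown is the generic one, fail closed on error and compare against an explicit success value.

```c
/* Added example: a fail-open caused by mixing negative error codes with
 * boolean results. Illustrative code written for this thread, NOT GnuTLS
 * source; toy_cert and the sample certificates are constructed stand-ins
 * for X.509 data. */
#include <stdio.h>
#include <string.h>

#define ERR_BAD_CERT    (-1)   /* assumed: extension could not be parsed */
#define ERR_UNSUPPORTED (-2)   /* assumed: unsupported critical extension */

typedef struct {
    const char *subject;
    const char *issuer;
    int has_basic_constraints;  /* 1 if the extension is present */
    int ca_flag;                /* value of the CA bit when present */
    int malformed;              /* constructed: simulates a parse failure */
} toy_cert;

/* Returns 1 if the certificate asserts CA, 0 if not, or a negative
 * error code when the extension cannot be parsed. */
static int check_if_ca(const toy_cert *c)
{
    if (c->malformed)
        return ERR_BAD_CERT;
    if (!c->has_basic_constraints)
        return 0;
    return c->ca_flag ? 1 : 0;
}

/* Vulnerable caller: "if (check_if_ca(...))" treats -1 as true, so a
 * certificate whose extension fails to parse is accepted as a CA. */
int verify_issuer_vulnerable(const toy_cert *leaf, const toy_cert *issuer)
{
    if (strcmp(leaf->issuer, issuer->subject) != 0)
        return 0;                       /* name chaining failed */
    if (check_if_ca(issuer))            /* BUG: any nonzero passes */
        return 1;
    return 0;
}

/* Fixed caller: an error is an error, and only an explicit 1 is a CA. */
int verify_issuer_fixed(const toy_cert *leaf, const toy_cert *issuer)
{
    int r;
    if (strcmp(leaf->issuer, issuer->subject) != 0)
        return 0;
    r = check_if_ca(issuer);
    if (r < 0)
        return 0;                       /* fail closed on parse error */
    return r == 1;
}

/* Constructed sample certificates (subject, issuer, has_bc, ca, malformed). */
static const toy_cert leaf       = { "www.example.test", "Example CA", 0, 0, 0 };
static const toy_cert rogue_cert = { "Example CA", "Example CA", 1, 0, 1 }; /* not a CA, malformed */
static const toy_cert plain_cert = { "Example CA", "Example CA", 1, 0, 0 }; /* not a CA, well-formed */
static const toy_cert honest_ca  = { "Example CA", "Example CA", 1, 1, 0 }; /* real CA */

/* Each demo returns the verifier's verdict (1 = accepted, 0 = rejected). */
int demo_vulnerable_accepts_malformed(void)
{
    return verify_issuer_vulnerable(&leaf, &rogue_cert);   /* 1: fail-open */
}
int demo_fixed_rejects_malformed(void)
{
    return verify_issuer_fixed(&leaf, &rogue_cert);        /* 0 */
}
int demo_fixed_rejects_non_ca(void)
{
    return verify_issuer_fixed(&leaf, &plain_cert);        /* 0 */
}
int demo_fixed_accepts_real_ca(void)
{
    return verify_issuer_fixed(&leaf, &honest_ca);         /* 1 */
}

int main(void)
{
    printf("vulnerable, malformed issuer: %d\n", demo_vulnerable_accepts_malformed());
    printf("fixed, malformed issuer:      %d\n", demo_fixed_rejects_malformed());
    printf("fixed, well-formed non-CA:    %d\n", demo_fixed_rejects_non_ca());
    printf("fixed, real CA:               %d\n", demo_fixed_accepts_real_ca());
    return 0;
}
```

The point to take from it: a function that can return "yes", "no" and "error" must not be consumed by a caller that only knows "zero" and "nonzero", and any error path in a verifier has to resolve to "reject" rather than fall through to the caller's success branch.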