A critical Linux bug that many are comparing to the "goto fail" problem that afflicted Apple last month was recently discovered, prompting Linux distribution and application developers to scramble to incorporate a new patch into their code.
The bug, which affects the GnuTLS library for implementing the SSL, TLS and DTLS security protocols, could cause software to falsely indicate that a particular communications connection is secure when in fact it is not. As with the Apple flaw, that opens the door to "man-in-the-middle" exploits, where an attacker could secretly intercept and manipulate the user's communication. The problem was discovered during a code audit last month. Red Hat then notified the other affected distributions, and a patch was released Monday.
"Users of Red Hat Enterprise Linux can obtain updated corrected GnuTLS packages in their usual way or see https://access.redhat.com/security/cve/CVE-2014-0092 for links to our advisories," said Mark Cox, Red Hat's senior director for product security.
Most Linux users affected
"There are hundreds of packages that use the GnuTLS encryption libraries, so virtually every Linux user is affected," warned Dave Wreski, CEO of open source security firm Guardian Digital as well as founder and lead developer at linuxsecurity.com.
In fact, the bug appears to be more than 10 years old, "so it probably affects every Linux system currently in operation that utilizes the GnuTLS library," he told me.
I contacted a few of the other major distros on Wednesday to see what steps they had taken to address the problem so far.
"Our team addressed the issue in a timely manner," Ubuntu spokesperson Sian Aherne said. "The update manager will prompt desktop users about security updates, and we recommend that people using Ubuntu ensure their systems are up to date to ensure they are not affected."
Linux distros jump to action
After noticing that Red Hat rated the issue as high severity, David Walser, who manages security updates for Mageia Linux, "immediately packaged the update, using the patch from upstream," he said. "A member of our QA team tested the update very shortly after I built it and validated the update, and our main sysadmin--who pushes updates to the mirrors--released the update."