Linux crypto vulnerability
Gene Heskett
gheskett at wdtv.com
Thu Mar 6 03:03:45 UTC 2014
On Wednesday 05 March 2014 22:01:34 MR ZenWiz did opine:
> Is anyone at Canonical aware of this? Lauren is rarely mistaken about
> this sort of stuff....
>
> ---------- Forwarded message ----------
> From: PRIVACY Forum mailing list <privacy at vortex.com>
> Date: Tue, Mar 4, 2014 at 12:17 PM
> Subject: [ PRIVACY Forum ] Critical crypto bug leaves Linux, hundreds
> of apps open to eavesdropping
> To: privacy-list at vortex.com
>
>
>
> Critical crypto bug leaves Linux, hundreds of apps open to eavesdropping
>
> http://j.mp/1jPcVOr (Ars Technica)
>
> "Hundreds of open source packages, including the Red Hat, Ubuntu,
> and Debian distributions of Linux, are susceptible to attacks that
> circumvent the most widely used technology to prevent eavesdropping on
> the Internet, thanks to an extremely critical vulnerability in a widely
> used cryptographic code library. The bug in the GnuTLS library makes
> it trivial for attackers to bypass secure sockets layer (SSL) and
> Transport Layer Security (TLS) protections available on websites that
> depend on the open source package. Initial estimates included in
> Internet discussions such as this one indicate that more than 200
> different operating systems or applications rely on GnuTLS to implement
> crucial SSL and TLS operations, but it wouldn't be surprising if the
> actual number is much higher. Web applications, e-mail programs, and
> other code that use the library are vulnerable to exploits that allow
> attackers monitoring connections to silently decode encrypted traffic
> passing between end users and servers. The bug is the result of
> commands in a section of the GnuTLS code that verify the authenticity
> of TLS certificates, which are often known simply as X509
> certificates."
>
> - - -
Do you not run the update-manager as a background daemon? If so, your
machine should have already presented you with a request to update that
library and anything that depended on it. I did all 3 of my live machines
several hours ago.
>
> --Lauren--
> Lauren Weinstein (lauren at vortex.com): http://www.vortex.com/lauren
> Co-Founder: People For Internet Responsibility:
> http://www.pfir.org/pfir-info Founder:
> - Network Neutrality Squad: http://www.nnsquad.org
> - PRIVACY Forum: http://www.vortex.com/privacy-info
> Member: ACM Committee on Computers and Public Policy
> Lauren's Blog: http://lauren.vortex.com
> Google+: http://google.com/+LaurenWeinstein
> Twitter: http://twitter.com/laurenweinstein
> Tel: +1 (818) 225-2800 / Skype: vortex.com
> _______________________________________________
> privacy mailing list
> http://lists.vortex.com/mailman/listinfo/privacy
>
> Thanks.
>
> MR
Cheers, Gene
--
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page <http://geneslinuxbox.net:6309/gene>
NOTICE: Will pay 100 USD for an HP-4815A defective but
complete probe assembly.