Linux crypto vulnerability

Jose I. Diaz Bardales jose.dbardales at gmail.com
Thu Mar 6 03:24:49 UTC 2014


On 03/05/2014 10:03 PM, Gene Heskett wrote:
> On Wednesday 05 March 2014 22:01:34 MR ZenWiz did opine:
> 
>> Is anyone at Canonical aware of this?  Lauren is rarely mistaken about
>> this sort of stuff....
>>
>> ---------- Forwarded message ----------
>> From: PRIVACY Forum mailing list <privacy at vortex.com>
>> Date: Tue, Mar 4, 2014 at 12:17 PM
>> Subject: [ PRIVACY Forum ] Critical crypto bug leaves Linux, hundreds
>> of apps open to eavesdropping
>> To: privacy-list at vortex.com
>>
>>
>>
>> Critical crypto bug leaves Linux, hundreds of apps open to eavesdropping
>>
>> http://j.mp/1jPcVOr  (Ars Technica)
>>
>>     "Hundreds of open source packages, including the Red Hat, Ubuntu,
>> and Debian distributions of Linux, are susceptible to attacks that
>> circumvent the most widely used technology to prevent eavesdropping on
>> the Internet, thanks to an extremely critical vulnerability in a widely
>> used cryptographic code library.  The bug in the GnuTLS library makes
>> it trivial for attackers to bypass secure sockets layer (SSL) and
>> Transport Layer Security (TLS) protections available on websites that
>> depend on the open source package. Initial estimates included in
>> Internet discussions such as this one indicate that more than 200
>> different operating systems or applications rely on GnuTLS to implement
>> crucial SSL and TLS operations, but it wouldn't be surprising if the
>> actual number is much higher. Web applications, e-mail programs, and
>> other code that use the library are vulnerable to exploits that allow
>> attackers monitoring connections to silently decode encrypted traffic
>> passing between end users and servers.  The bug is the result of
>> commands in a section of the GnuTLS code that verify the authenticity
>> of TLS certificates, which are often known simply as X509
>> certificates."
>>
>>  - - -
> 
> Do you not run the update-manager as a background daemon?  If so, your 
> machine should have already presented you with a request to update that 
> library and anything that depended on it.  I did all 3 of my live machines 
> several hours ago.
>>
>> --Lauren--
>> Lauren Weinstein (lauren at vortex.com): http://www.vortex.com/lauren
>> Co-Founder: People For Internet Responsibility:
>> http://www.pfir.org/pfir-info Founder:
>>  - Network Neutrality Squad: http://www.nnsquad.org
>>  - PRIVACY Forum: http://www.vortex.com/privacy-info
>> Member: ACM Committee on Computers and Public Policy
>> Lauren's Blog: http://lauren.vortex.com
>> Google+: http://google.com/+LaurenWeinstein
>> Twitter: http://twitter.com/laurenweinstein
>> Tel: +1 (818) 225-2800 / Skype: vortex.com
>> _______________________________________________
>> privacy mailing list
>> http://lists.vortex.com/mailman/listinfo/privacy
>>
>> Thanks.
>>
>> MR
> 
> 
> Cheers, Gene
> 
+1



