A critical Linux bug that many are comparing to the "goto fail" problem that afflicted Apple last month was recently discovered, prompting Linux distribution and application developers to scramble to incorporate a new patch into their code.
The bug, which affects the GnuTLS library for implementing the SSL, TLS, and DTLS security protocols, could cause software to falsely indicate that a particular communications connection is secure when in fact it is not. As with the Apple flaw, that opens the door to "man-in-the-middle" exploits in which an attacker could secretly intercept and manipulate the user's communication. The problem was discovered during a code audit last month. Red Hat then notified the other affected distributions, and a patch was released Monday.
"Users of Red Hat Enterprise Linux can obtain updated corrected GnuTLS packages in their usual way or see https://access.redhat.com/security/cve/CVE-2014-0092 for links to our advisories," said Mark Cox, Red Hat's senior director for product security.
Most Linux users affected
"There are hundreds of packages that use the GnuTLS encryption libraries, so virtually every Linux user is affected," warned Dave Wreski, CEO of open source security firm Guardian Digital as well as founder and lead developer at linuxsecurity.com.
In fact, the bug appears to be more than 10 years old, "so it probably affects every Linux system currently in operation that utilizes the GnuTLS library," he told me.
I contacted a few of the other major distros on Wednesday to see what steps they had taken to address the problem so far.
"Our team addressed the issue in a timely manner," Ubuntu spokesperson Sian Aherne said. "The update manager will prompt desktop users about security updates, and we recommend that people using Ubuntu ensure their systems are up to date to ensure they are not affected."
Linux distros jump to action
After noticing that Red Hat rated the issue as high severity, David Walser, who manages security updates for Mageia Linux, "immediately packaged the update, using the patch from upstream," he said. "A member of our QA team tested the update very shortly after I built it and validated the update, and our main sysadmin — who pushes updates to the mirrors — released the update."
In all, "it was approximately five hours from when we became aware of the problem till the fix was implemented, tested, and then released as a security update," added Dave Hodgins, deputy leader of Mageia's QA team.
I haven't yet heard back from Linux Mint, but it's clear that numerous other distros have issued alerts as well.
OpenSSL not affected
Clearly there is cause for some concern. At the same time, while GnuTLS implements the SSL, TLS, and DTLS protocols commonly used by applications requiring secure communications over insecure channels like the Internet, the OpenSSL library is actually much more common, and it's not affected by this vulnerability, Wreski pointed out.