Showing posts with label GnuTLS. Show all posts
Showing posts with label GnuTLS. Show all posts

Friday, March 7, 2014

GnuTLS Affected By A Bug Leaves Users Of Apple Platforms Vulnerable To Hacks

GnuTLS
A few days after the revelation of a major security bug iOS and Mac OS, it is the turn of the GNU / Linux to be covered by a major fault GnuTLS. GnuTLS, the library implementation of security protocols SSL, TLS and DTLS most commonly used on GNU / Linux, is a victim of a fault of any magnitude that it easily ineffective in protection, several U.S. sites reported to Ars Technica.

 A worse than go to fail discovered on Mac OS and iOS, and Apple recently patched bug. Particularly it affects at least 200 packets of free or open source software, including GNU / Linux Red Hat (RHEL, Fedora), Canonical (Ubuntu and derivatives) or Debian. In addition to implementing within distributions, we could note that various mail clients and applications are potentially subject to risk.

In fact, any software based on GnuTLS to integrate functionality on the SSL and TLS protocols can hit. The management of certain GnuTLS errors when checking the type X509 certificates. It would bring incorrect certificates validated by the system. According to Red Hat, an attacker could use the flaw to create a certificate that would be accepted as valid by GnuTLS to a site chosen by the attacker. The bug is present since at least 2005 in the library.

Many errors are related to requests "go to cleanup”, which increases the apparent similarity with the flaw affecting Apple systems. But its complexity arises primarily from the impact that many lines of code, says Ars Technica. GnuTLS developers required to upgrade to the 3.2.12 release. This does not fix the bug for now, the discoveries made following an audit requested by Red Hat has not shown all their ramifications. You may expect hear again about this major flaw soon.