[TriLUG] Fwd: [ NNSquad ] Critical crypto bug leaves Linux, hundreds of apps open to eavesdropping

David Both dboth at millennium-technology.com
Wed Mar 5 08:21:26 EST 2014

The patch for CVE-2014-0092 is available for CentOS in an update that appears to 
have been made available in the last 24 hours (build time 3PM yesterday). But 
not yet on Fedora.

Does anyone have any idea whether to do a reboot after installing the GnuTLS 
update? I know I do not usually reboot unless the kernel is updated but 
libraries can hang around in memory and I do not want the old ones to remain in 
use while I feel safe. I plan to go ahead and reboot the affected systems 
anyway, but I am just curious as to what you all would do.


On 03/05/2014 07:31 AM, John Mitchell wrote:
> Just checked my Debian Stable (wheezy) and it has the updated/fixed
> version, I had updated it on Tuesday.
> http://www.debian.org/security/2014/dsa-2869
> john mitchell
> On Tue, Mar 4, 2014 at 8:30 PM, Steve Holton <sph0lt0n at gmail.com> wrote:
>> F.Y.I.
>> ---------- Forwarded message ----------
>> From: Lauren Weinstein <lauren at vortex.com>
>> Date: Tue, Mar 4, 2014 at 3:17 PM
>> Subject: [ NNSquad ] Critical crypto bug leaves Linux, hundreds of apps
>> open to eavesdropping
>> To: nnsquad at nnsquad.org
>> Critical crypto bug leaves Linux, hundreds of apps open to eavesdropping
>> http://j.mp/1jPcVOr  (Ars Technica)
>>      "Hundreds of open source packages, including the Red Hat, Ubuntu, and
>>       Debian distributions of Linux, are susceptible to attacks that
>>       circumvent the most widely used technology to prevent eavesdropping on
>>       the Internet, thanks to an extremely critical vulnerability in a
>>       widely used cryptographic code library.  The bug in the GnuTLS library
>>       makes it trivial for attackers to bypass secure sockets layer (SSL)
>>       and Transport Layer Security (TLS) protections available on websites
>>       that depend on the open source package. Initial estimates included in
>>       Internet discussions such as this one indicate that more than 200
>>       different operating systems or applications rely on GnuTLS to
>>       implement crucial SSL and TLS operations, but it wouldn't be
>>       surprising if the actual number is much higher. Web applications,
>>       e-mail programs, and other code that use the library are vulnerable to
>>       exploits that allow attackers monitoring connections to silently
>>       decode encrypted traffic passing between end users and servers.  The
>>       bug is the result of commands in a section of the GnuTLS code that
>>       verify the authenticity of TLS certificates, which are often known
>>       simply as X509 certificates."
>>   - - -
>> --Lauren--
>> Lauren Weinstein (lauren at vortex.com): http://www.vortex.com/lauren
>> Co-Founder: People For Internet Responsibility:
>> http://www.pfir.org/pfir-info
>> Founder:
>>   - Network Neutrality Squad: http://www.nnsquad.org
>>   - PRIVACY Forum: http://www.vortex.com/privacy-info
>> Member: ACM Committee on Computers and Public Policy
>> Lauren's Blog: http://lauren.vortex.com
>> Google+: http://google.com/+LaurenWeinstein
>> Twitter: http://twitter.com/laurenweinstein
>> Tel: +1 (818) 225-2800 / Skype: vortex.com
>> --
>> Steve Holton
>> sph0lt0n at gmail.com
>> -- 
>> *********************************************************
>> David P. Both, RHCE
>> Millennium Technology Consulting LLC
>> 919-389-8678
>> dboth at millennium-technology.com
>> www.millennium-technology.com
>> www.databook.bz - Home of the DataBook for Linux
>> DataBook is a Registered Trademark of David Both
>> *********************************************************
>> This communication may be unlawfully collected and stored by the National Security Agency (NSA) in secret. The parties to this email do not consent to the retrieving or storing of this communication and any related metadata, as well as printing, copying, re-transmitting, disseminating, or otherwise using it. If you believe you have received this communication in error, please delete it immediately.
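
Added example, not part of the original thread: one way to see whether a library update has actually taken effect without rebooting is to list the processes that still map the replaced file, which the kernel marks `(deleted)` in `/proc/<pid>/maps`. The function name, the `PROC_ROOT` and `LIB_PATTERN` variables, and the default pattern `libgnutls` are assumptions of this sketch.

```shell
#!/bin/sh
# Find processes still running with a replaced (unlinked) copy of a library.
# After a package update the old file is unlinked, but every process that
# mapped it before the update keeps the old code until it is restarted.
# Run as root to see the maps of other users' processes.

# stale_lib_pids PROC_ROOT LIB_PATTERN   (hypothetical helper name)
# Prints "pid<TAB>command<TAB>mapped path" for each process whose maps file
# has a mapping containing LIB_PATTERN that is flagged "(deleted)".
stale_lib_pids() {
    proc_root=$1
    pattern=$2
    for maps in "$proc_root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue          # process exited or glob unmatched
        dir=${maps%/maps}
        pid=${dir##*/}
        # maps line layout: address perms offset dev inode path [(deleted)]
        # Assumes the library path contains no spaces.
        hit=$(awk -v pat="$pattern" \
            '$NF == "(deleted)" && index($(NF-1), pat) { print $(NF-1); exit }' \
            "$maps" 2>/dev/null) || continue  # unreadable without privileges
        [ -n "$hit" ] || continue
        comm=$(cat "$dir/comm" 2>/dev/null) || comm='?'
        printf '%s\t%s\t%s\n' "$pid" "$comm" "$hit"
    done
}

# Default run: scan the live system for stale GnuTLS mappings.
stale_lib_pids "${PROC_ROOT:-/proc}" "${LIB_PATTERN:-libgnutls}"
```

Empty output means no running process still holds the old library; any process listed needs a restart (or the machine a reboot) before the fix is in effect for it.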
