[TriLUG] Fwd: [ NNSquad ] Critical crypto bug leaves Linux, hundreds of apps open to eavesdropping

William Sutton william at trilug.org
Wed Mar 5 08:35:05 EST 2014


I dunno, but I asked our security dude at work and his response was that 
most software uses OpenSSL... except for packages written by "zealots" who 
refuse to use non-GNU libraries.  His secondary comment was to not use 
lynx for online banking :-)

William Sutton

On Wed, 5 Mar 2014, David Both wrote:

> The patch for CVE-2014-0092 is available for CentOS in an update that appears 
> to have been made available in the last 24 hours (build time 3PM yesterday). 
> But not yet on Fedora.
>
> Does anyone have any idea whether to do a reboot after installing the GnuTLS 
> update? I know I do not usually reboot unless the kernel is updated but 
> libraries can hang around in memory and I do not want the old ones to remain 
> in use while I feel safe. I plan to go ahead and reboot the affected systems 
> anyway, but I am just curious as to what you all would do.
>
> Thanks!
>
> On 03/05/2014 07:31 AM, John Mitchell wrote:
>> Just checked my Debian Stable (wheezy) and it has the updated/fixed
>> version, I had updated it on Tuesday.
>> 
>> http://www.debian.org/security/2014/dsa-2869
>> 
>> john mitchell
>> 
>> 
>> On Tue, Mar 4, 2014 at 8:30 PM, Steve Holton <sph0lt0n at gmail.com> wrote:
>> 
>>> F.Y.I.
>>> 
>>> 
>>> 
>>> ---------- Forwarded message ----------
>>> From: Lauren Weinstein <lauren at vortex.com>
>>> Date: Tue, Mar 4, 2014 at 3:17 PM
>>> Subject: [ NNSquad ] Critical crypto bug leaves Linux, hundreds of apps
>>> open to eavesdropping
>>> To: nnsquad at nnsquad.org
>>> 
>>> 
>>> 
>>> Critical crypto bug leaves Linux, hundreds of apps open to eavesdropping
>>> 
>>> http://j.mp/1jPcVOr  (Ars Technica)
>>>
>>>      "Hundreds of open source packages, including the Red Hat, Ubuntu, and
>>>       Debian distributions of Linux, are susceptible to attacks that
>>>       circumvent the most widely used technology to prevent eavesdropping
>>>       on the Internet, thanks to an extremely critical vulnerability in a
>>>       widely used cryptographic code library.  The bug in the GnuTLS library
>>>       makes it trivial for attackers to bypass secure sockets layer (SSL)
>>>       and Transport Layer Security (TLS) protections available on websites
>>>       that depend on the open source package. Initial estimates included in
>>>       Internet discussions such as this one indicate that more than 200
>>>       different operating systems or applications rely on GnuTLS to
>>>       implement crucial SSL and TLS operations, but it wouldn't be
>>>       surprising if the actual number is much higher. Web applications,
>>>       e-mail programs, and other code that use the library are vulnerable to
>>>       exploits that allow attackers monitoring connections to silently
>>>       decode encrypted traffic passing between end users and servers.  The
>>>       bug is the result of commands in a section of the GnuTLS code that
>>>       verify the authenticity of TLS certificates, which are often known
>>>       simply as X509 certificates."
>>>
>>>   - - -
>>> 
>>> --Lauren--
>>> Lauren Weinstein (lauren at vortex.com): http://www.vortex.com/lauren
>>> Co-Founder: People For Internet Responsibility:
>>> http://www.pfir.org/pfir-info
>>> Founder:
>>>   - Network Neutrality Squad: http://www.nnsquad.org
>>>   - PRIVACY Forum: http://www.vortex.com/privacy-info
>>> Member: ACM Committee on Computers and Public Policy
>>> Lauren's Blog: http://lauren.vortex.com
>>> Google+: http://google.com/+LaurenWeinstein
>>> Twitter: http://twitter.com/laurenweinstein
>>> Tel: +1 (818) 225-2800 / Skype: vortex.com
>>> _______________________________________________
>>> nnsquad mailing list
>>> http://lists.nnsquad.org/mailman/listinfo/nnsquad
>>> 
>>> 
>>> 
>>> --
>>> --
>>> Steve Holton
>>> sph0lt0n at gmail.com
>>> --
>>> This message was sent to: john mitchell <john280z at gmail.com>
>>> To unsubscribe, send a blank message to trilug-leave at trilug.org from that
>>> address.
>>> TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug
>>> Unsubscribe or edit options on the web  :
>>> http://www.trilug.org/mailman/options/trilug/john280z%40gmail.com
>>> Welcome to TriLUG: http://trilug.org/welcome
>>> 
>>> 
>>> -- 
>>> 
>>> 
>>> *********************************************************
>>> David P. Both, RHCE
>>> Millennium Technology Consulting LLC
>>> 919-389-8678
>>> 
>>> dboth at millennium-technology.com
>>> 
>>> www.millennium-technology.com
>>> www.databook.bz - Home of the DataBook for Linux
>>> DataBook is a Registered Trademark of David Both
>>> *********************************************************
>>> This communication may be unlawfully collected and stored by the National 
>>> Security Agency (NSA) in secret. The parties to this email do not consent 
>>> to the retrieving or storing of this communication and any related 
>>> metadata, as well as printing, copying, re-transmitting, disseminating, or 
>>> otherwise using it. If you believe you have received this communication in 
>>> error, please delete it immediately.
>>> 

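On David's question about rebooting after the GnuTLS update: the package manager replaces the .so file on disk, but any process that had already loaded the old library keeps running the old code from its memory mapping until it is restarted, and the kernel marks such mappings "(deleted)" in /proc/PID/maps. The script below is an added example (not code from this thread, nor from GnuTLS or any distribution) that finds those processes so you can restart just them, or decide that a full reboot is the simpler answer. The function names stale_lib_pids, report_stale_lib and make_sample_proc are my own; make_sample_proc builds a constructed fake /proc tree (invented PIDs, paths and command names) purely so the check can be tried offline.

```shell
#!/bin/sh
# Added example: list processes that still map a replaced (unlinked) shared
# library. Until they restart, they run the old, vulnerable code no matter
# what the package manager says is installed.

# stale_lib_pids LIBNAME [PROC_ROOT]
#   LIBNAME   substring of the library path, e.g. libgnutls
#   PROC_ROOT defaults to /proc; a different root can be given to run the
#             check against a constructed tree (see make_sample_proc).
# Prints matching PIDs, one per line. Returns 0 when none, 1 when some.
stale_lib_pids() {
    lib="$1"
    root="${2:-/proc}"
    found=""
    for maps in "$root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue      # skip processes we may not inspect
        # a replaced object shows as "... /usr/lib/libgnutls.so.26 (deleted)"
        if grep -q "$lib.*(deleted)" "$maps" 2>/dev/null; then
            pid=${maps%/maps}
            pid=${pid##*/}
            found="$found $pid"
        fi
    done
    if [ -n "$found" ]; then
        printf '%s\n' $found | sort -nu
        return 1
    fi
    return 0
}

# report_stale_lib LIBNAME [PROC_ROOT]
# Same check, but prints PID, command name and the stale mapping(s), so the
# output tells you which daemons to restart. Returns 1 if any were found.
report_stale_lib() {
    lib="$1"
    root="${2:-/proc}"
    pids=$(stale_lib_pids "$lib" "$root") || true
    if [ -z "$pids" ]; then
        echo "no running process maps a deleted $lib; nothing to restart for it"
        return 0
    fi
    for pid in $pids; do
        comm=$(cat "$root/$pid/comm" 2>/dev/null || echo '?')
        printf '%s\t%s\n' "$pid" "$comm"
        # field 6 of a maps line is the mapped path; field 7 is "(deleted)"
        grep "$lib.*(deleted)" "$root/$pid/maps" | awk '{print "\t" $6}' | sort -u
    done
    return 1
}

# make_sample_proc
# Builds a constructed fake /proc tree in a temp dir and prints its path.
# PID 100 still maps an unlinked libgnutls (needs a restart), 200 maps the
# current file, 300 maps some other deleted library. All values are invented.
make_sample_proc() {
    d=$(mktemp -d)
    mkdir -p "$d/100" "$d/200" "$d/300"
    printf '7f0a0000-7f0b0000 r-xp 00000000 08:01 4311 /usr/lib/libgnutls.so.26.22.6 (deleted)\n' > "$d/100/maps"
    echo exim4 > "$d/100/comm"
    printf '7f0a0000-7f0b0000 r-xp 00000000 08:01 4999 /usr/lib/libgnutls.so.26.22.6\n' > "$d/200/maps"
    echo wget > "$d/200/comm"
    printf '7f0a0000-7f0b0000 r-xp 00000000 08:01 1234 /usr/lib/libssl.so.1.0.1 (deleted)\n' > "$d/300/maps"
    echo httpd > "$d/300/comm"
    echo "$d"
}

# Run against the real /proc when invoked as "script.sh --scan [LIBNAME]".
# As root this covers every process; as an ordinary user only your own.
if [ "${1:-}" = "--scan" ]; then
    report_stale_lib "${2:-libgnutls}"
fi
```

Run it as root so every process's maps file is readable; an unprivileged user only sees their own processes, and a clean result from that is not evidence that the daemons are clean. Where lsof is installed, `lsof -nP | grep -w DEL` lists the same deleted mappings. A process that is listed is fixed by restarting that service; if the list includes anything you cannot restart in place (init, a display manager, a long-lived daemon with open client connections), David's plan of simply rebooting is the reliable choice.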
