On 05/03/14 19:10, Ric Moore wrote:
> Anyone see this?
> http://arstechnica.com/security/2014/03/critical-crypto-bug-leaves-linux-hundreds-of-apps-open-to-eavesdropping/
>

arsetechnica tend, like all traffic-revenue-generating "news" sites, to overhype things.

> Good thing Red Hat caught it:
> https://rhn.redhat.com/errata/RHSA-2014-0246.html

http://www.gnutls.org/security.html#GNUTLS-SA-2014-2 (the audit that caught this bug)

As with all security concerns that affect Debian - the first place to look for reliable information is https://www.debian.org/security/

In this instance see:-
https://www.debian.org/security/2014/dsa-2869

The bug affects software that has to deal with dodgy certificates - a bit like designing nails to pin snot to the wall.

If you are concerned about security you should update regularly and subscribe to the appropriate debian security announce mailing list.

> Yeow! I just did update / upgrade to Jessie, but didn't see the security
> fix come through yet. Ric

You should also probably read the official documentation concerning security updates and testing. Dear interweb, please....
https://www.debian.org/security/faq#testing
:)

It's an old bug, 2005 from memory; it only affects some instances where bad certificates are used *and* you manually elect to trust them.

Fix is basically:-

find . -name '*.c' | xargs grep strlen | wc -l
522
find . -name '*.c' | xargs grep strcat | wc -l
44

tl;dr? Remain calm, update, upgrade; carry on ;)

Kind regards