Re: gnutls security breach
On Wed, Mar 05, 2014 at 03:10:59AM -0500, Ric Moore wrote:
> Yeow! I just did update / upgrade to Jessie, but didn't see the security fix come through yet. Ric

Jessie is the penultimate¹ worst dist to be running if you are worried about security.

¹ The worst IMHO would be oldstable+n where n=1

--
If you're not careful, the newspapers will have you hating the people who are being oppressed, and loving the people who are doing the oppressing. --- Malcolm X

--
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/20140307065900.GC2030@tal
gnutls security breach
Anyone see this?
http://arstechnica.com/security/2014/03/critical-crypto-bug-leaves-linux-hundreds-of-apps-open-to-eavesdropping/

Good thing Red Hat caught it: https://rhn.redhat.com/errata/RHSA-2014-0246.html

Yeow! I just did update / upgrade to Jessie, but didn't see the security fix come through yet. Ric

--
My father, Victor Moore (Vic) used to say:
"There are two Great Sins in the world... the Sin of Ignorance, and the Sin of Stupidity. Only the former may be overcome." R.I.P. Dad.
https://linuxcounter.net/cert/44256.png

Archive: https://lists.debian.org/5316dc13.3040...@gmail.com
Re: gnutls security breach
Hello all,

On Wed, Mar 05, 2014 at 03:10:59AM -0500, Ric Moore wrote:
> Anyone see this? http://arstechnica.com/security/2014/03/critical-crypto-bug-leaves-linux-hundreds-of-apps-open-to-eavesdropping/
> Good thing Red Hat caught it: https://rhn.redhat.com/errata/RHSA-2014-0246.html

For Debian, see https://security-tracker.debian.org/tracker/CVE-2014-0092.

> Yeow! I just did update / upgrade to Jessie, but didn't see the security fix come through yet. Ric

Debian released a security advisory on the same day, cf. https://www.debian.org/security/2014/dsa-2869. The update for Jessie, which is still the current testing release and as such doesn't necessarily receive timely updates, is pending (currently blocked by not being built on all architectures).

Cheers,
Flo

Archive: https://lists.debian.org/20140305082607.ga19...@fernst.no-ip.org
Re: gnutls security breach
On 05/03/14 19:10, Ric Moore wrote:
> Anyone see this? http://arstechnica.com/security/2014/03/critical-crypto-bug-leaves-linux-hundreds-of-apps-open-to-eavesdropping/

arsetechnica tend, like all traffic-revenue-generating news sites, to overhype things.

> Good thing Red Hat caught it: https://rhn.redhat.com/errata/RHSA-2014-0246.html

http://www.gnutls.org/security.html#GNUTLS-SA-2014-2 (the audit that caught this bug)

As with all security concerns that affect Debian, the first place to look for reliable information is https://www.debian.org/security/

In this instance see:
https://www.debian.org/security/2014/dsa-2869

The bug affects software that has to deal with dodgy certificates - a bit like designing nails to pin snot to the wall.

If you are concerned about security you should update regularly and subscribe to the appropriate Debian security announce mailing list.

> Yeow! I just did update / upgrade to Jessie, but didn't see the security fix come through yet. Ric

You should also probably read the official documentation concerning security updates and testing. Dear interweb, please https://www.debian.org/security/faq#testing :)

It's an old bug, 2005 from memory; it only affects some instances where bad certificates are used *and* you manually elect to trust them.

Fix is basically:
find . -name '*.c' | xargs grep strlen | wc -l
522
find . -name '*.c' | xargs grep strcat | wc -l
44

tl;dr? Remain calm, update, upgrade; carry on ;)

Kind regards

Archive: https://lists.debian.org/5316e1ec.4070...@gmail.com
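The thread links the advisory but never says what the bug actually was. GNUTLS-SA-2014-2 / CVE-2014-0092 was a control-flow error in the X.509 issuer checks in lib/x509/verify.c (check_if_ca and _gnutls_verify_certificate2): on a parse error the code jumped to a cleanup label that returned the negative GnuTLS error code, and the caller treated any non-zero return as "yes, this is a CA / this chain verified". A certificate that makes one of those internal reads fail is therefore accepted as a valid issuer. The block below is an added illustration of that shape, not GnuTLS code: the toy_cert struct, the TOY_E_PARSE_FAILED value and all function names are constructed stand-ins, with the vulnerable control flow beside the fixed one.

```c
#include <stdio.h>

/*
 * Added illustration of the CVE-2014-0092 control-flow flaw. This is NOT
 * GnuTLS code: the certificate type, the error code value and the function
 * names are constructed stand-ins that reproduce the shape of the bug
 * (an error path returns a negative code to a caller that treats any
 * non-zero value as "yes").
 */

/* Constructed error code; real GnuTLS error codes are also negative ints. */
#define TOY_E_PARSE_FAILED (-67)

/* Constructed toy certificate: only what the CA check looks at. */
struct toy_cert {
    int has_basic_constraints;  /* 0: extension missing or unparseable */
    int is_ca;                  /* CA flag when the extension is present */
};

/* Read the CA flag. Negative on failure, 0 on success with *ca filled in. */
static int toy_read_ca_flag(const struct toy_cert *c, int *ca)
{
    if (!c->has_basic_constraints)
        return TOY_E_PARSE_FAILED;
    *ca = c->is_ca;
    return 0;
}

/*
 * VULNERABLE shape. Contract: return non-zero iff `issuer` is a CA. The
 * error path jumps to cleanup and hands back `result`, which on failure is
 * the negative error code: non-zero, so the caller reads "this is a CA".
 */
int check_if_ca_vulnerable(const struct toy_cert *issuer)
{
    int result;
    int ca = 0;

    result = toy_read_ca_flag(issuer, &ca);
    if (result < 0)
        goto cleanup;           /* BUG: leaks the error code as the boolean */

    result = ca ? 1 : 0;

cleanup:
    return result;
}

/* FIXED shape: a separate fail label forces the boolean answer to "no". */
int check_if_ca_fixed(const struct toy_cert *issuer)
{
    int result;
    int ca = 0;

    result = toy_read_ca_flag(issuer, &ca);
    if (result < 0)
        goto fail;

    return ca ? 1 : 0;

fail:
    return 0;
}

/*
 * Caller in the style of the chain verifier: the chain is accepted only if
 * every issuer passes the CA check. Returns 1 = accepted, 0 = rejected.
 */
int verify_chain(const struct toy_cert *issuers, int n,
                 int (*check_if_ca)(const struct toy_cert *))
{
    for (int i = 0; i < n; i++) {
        if (check_if_ca(&issuers[i]) == 0)
            return 0;           /* issuer is not a CA: reject */
    }
    return 1;
}

/* Build a one-issuer chain from flags and verify it with either checker. */
int accepts_issuer(int has_basic_constraints, int is_ca, int use_fixed)
{
    struct toy_cert issuer = { has_basic_constraints, is_ca };
    return verify_chain(&issuer, 1,
                        use_fixed ? check_if_ca_fixed : check_if_ca_vulnerable);
}

int main(void)
{
    /* Attacker-style issuer whose CA extension cannot be read at all. */
    printf("malformed issuer, vulnerable: %s\n",
           accepts_issuer(0, 0, 0) ? "ACCEPTED" : "rejected");
    printf("malformed issuer, fixed:      %s\n",
           accepts_issuer(0, 0, 1) ? "ACCEPTED" : "rejected");
    /* Honest certificates behave the same under both versions. */
    printf("non-CA issuer, vulnerable:    %s\n",
           accepts_issuer(1, 0, 0) ? "ACCEPTED" : "rejected");
    printf("CA issuer, fixed:             %s\n",
           accepts_issuer(1, 1, 1) ? "ACCEPTED" : "rejected");
    return 0;
}
```

The point to take from it when auditing your own C: a function whose callers read it as a boolean must never share a return path with code that returns error codes. The fix in GnuTLS was exactly this split of the `cleanup` label into a boolean `fail` path, the same class of mistake as Apple's "goto fail" a few weeks earlier in the same month.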
Re: gnutls security breach
On Wed, 2014-03-05 at 03:10 -0500, Ric Moore wrote:
> Anyone see this? http://arstechnica.com/security/2014/03/critical-crypto-bug-leaves-linux-hundreds-of-apps-open-to-eavesdropping/
> Yeow! I just did update / upgrade to Jessie, but didn't see the security fix come through yet. Ric

I wanted to know if this has a major influence on my system:

# lsof -n | grep libgnutls | awk '{ print $1; }' | sort | uniq -c
      6 apache2
      1 AudioOutp
      1 AudioThre
      3 BrowserBl
      1 BrowserWa
      5 CachePool
      1 Chrome_Ca
      6 Chrome_Ch
      1 Chrome_DB
      2 Chrome_Fi
      1 Chrome_Hi
      1 Chrome_IO
      1 Chrome_Pr
      1 Chrome_Sa
      1 Chrome_Sy
     37 chromium
      1 CrShutdow
      1 cupsd
      1 dconf
      1 evolution
      1 exim4
      1 extension
      1 FFmpegDem
      3 gdbus
      2 gmain
      2 gvfs-afc-
      5 HTMLParse
      1 IndexedDB
      1 inotify_r
      1 LevelDBEn
     11 libvirtd
      1 Media
      1 MediaStre
      1 NetworkCh
      1 NetworkMa
      1 nm-applet
      1 NSS
      1 plugin_cr
      2 Proxy
      1 renderer_
      2 threaded-
      5 VC
      1 WorkerPoo

So, no problem for me, but seeing apache there makes me think if I should continue to use online banking... Anyway, I don't find any concrete information on the bug's effects on common systems...

Greets!

--
Rodolfo Alcazar Portillo - rodolf...@gmail.com
otbits.blogspot.com / counter.li.org: #367962
--
I really don't want to destroy Microsoft. That will just be a completely unintended side effect. - Linus Torvalds

Archive: https://lists.debian.org/1394045951.6183.4.ca...@rap.ydor.org
Re: gnutls security breach
On 06/03/14 05:59, NoSpaze wrote:
> On Wed, 2014-03-05 at 03:10 -0500, Ric Moore wrote:
>> Anyone see this? http://arstechnica.com/security/2014/03/critical-crypto-bug-leaves-linux-hundreds-of-apps-open-to-eavesdropping/
>> Yeow! I just did update / upgrade to Jessie, but didn't see the security fix come through yet. Ric
>
> I wanted to know if this has a major influence on my system:

And your system is?

> # lsof -n | grep libgnutls | awk '{ print $1; }' | sort | uniq -c
<snipped>
> So, no problem for me, but seeing apache there makes me think if I should continue to use online banking...

Have you applied the libgnutls security update?

Puzzled. How would apache - running your own web server - impact on the ssl certs your system authenticates as part of your online banking? Both apache and your server use gnutls for handling SSL, TLS and DTLS - aside from that there's no connection I can see.

<opinion class=biased authority=unknown>
As always, if you want secure connections get up and walk. Otherwise the best you can do, after limiting your risk exposure and maintaining good OpSec and a secure system, is:
; visually confirm the cert footprint to ascertain it belongs to the issuer - particularly if it changes (see your cert settings in your browser)
; check with DNSSEC that the site issuing the cert is the site it claims to be.

Given that most users don't do the former - even though I can't think of a major cert issuer who hasn't been compromised - and most enterprise resists implementation of DNSSEC... SNAFU(?)

Internet banking will always be a risk, likewise any secure communications using resources outside your control. It's always an end-to-end equation with at least two unreliable meatbags at either end, and the triviality of capture and replay at a later date with additional information.
</opinion>

> Anyway, I don't find any concrete information on the bug's effects on common systems...

Did you try searching this list for information? Was the information I provided earlier in this thread insufficient? What do you mean by "I don't find"? It took me all of ten minutes to find more detail on the *past* bug than I had time to read since.

You could check the git and see what has changed, and why, since Simon Josefsson wrote the relevant section of code - or just rely on second- and third-hand interpretations. I'm not sure what choices you have.

*Theoretically* the bug, since patched, *may* have allowed an attacker using a carefully crafted X.509 certificate, of which no working proof has been found, to play MITM. You would need to accept this certificate or it won't work.

I'm not attempting to mitigate the risks - just counter the over-hyped, ill-informed chorus of monkey blogs/news channels that seek to inflate their readerships by conflating possible with actual. In a world of breached certificate authorities, and compromised banks, networks, and DNS - MITM is a constant risk even if ssl/tls/dtls was easy to secure *and* certificate issuers adhered to a standard that allowed that.

<snipped>

Kind regards

Archive: https://lists.debian.org/5317b478.8020...@gmail.com