Re: gnutls security breach

2014-03-06 Thread Chris Bannister
On Wed, Mar 05, 2014 at 03:10:59AM -0500, Ric Moore wrote:
 Yeow! I just did update / upgrade to Jessie, but didn't see the
 security fix come through yet. Ric

Jessie is the penultimate¹ worst dist to be running if you are worried
about security.

¹ The worst IMHO would be oldstable+n where n=1

-- 
If you're not careful, the newspapers will have you hating the people
who are being oppressed, and loving the people who are doing the 
oppressing. --- Malcolm X


-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/20140307065900.GC2030@tal



gnutls security breach

2014-03-05 Thread Ric Moore

Anyone see this?
http://arstechnica.com/security/2014/03/critical-crypto-bug-leaves-linux-hundreds-of-apps-open-to-eavesdropping/

Good thing Red Hat caught it:
https://rhn.redhat.com/errata/RHSA-2014-0246.html

Yeow! I just did update / upgrade to Jessie, but didn't see the security 
fix come through yet. Ric


--
My father, Victor Moore (Vic) used to say:
There are two Great Sins in the world...
..the Sin of Ignorance, and the Sin of Stupidity.
Only the former may be overcome. R.I.P. Dad.



Archive: https://lists.debian.org/5316dc13.3040...@gmail.com



Re: gnutls security breach

2014-03-05 Thread Florian Ernst
Hello all,

On Wed, Mar 05, 2014 at 03:10:59AM -0500, Ric Moore wrote:
 Anyone see this?
 http://arstechnica.com/security/2014/03/critical-crypto-bug-leaves-linux-hundreds-of-apps-open-to-eavesdropping/
 
 Good thing Red Hat caught it:
 https://rhn.redhat.com/errata/RHSA-2014-0246.html

For Debian, see https://security-tracker.debian.org/tracker/CVE-2014-0092.

 Yeow! I just did update / upgrade to Jessie, but didn't see the
 security fix come through yet. Ric

Debian released a security advisory on the same day, cf.
https://www.debian.org/security/2014/dsa-2869. The update for Jessie,
which still is the current testing release and as such doesn't
necessarily receive timely updates, is pending (currently blocked by not
being built on all architectures).

Cheers,
Flo


Archive: https://lists.debian.org/20140305082607.ga19...@fernst.no-ip.org



Re: gnutls security breach

2014-03-05 Thread Scott Ferguson
On 05/03/14 19:10, Ric Moore wrote:
 Anyone see this?
 http://arstechnica.com/security/2014/03/critical-crypto-bug-leaves-linux-hundreds-of-apps-open-to-eavesdropping/
 

arsetechnica tend, like all traffic revenue generating news sites, to
overhype things.

 
 Good thing Red Hat caught it:
 https://rhn.redhat.com/errata/RHSA-2014-0246.html

http://www.gnutls.org/security.html#GNUTLS-SA-2014-2 (the audit that
caught this bug)
As with all security concerns that affect Debian - the first place to
look for reliable information is https://www.debian.org/security/

In this instance see:-
https://www.debian.org/security/2014/dsa-2869
The bug affects software that has to deal with dodgy certificates - a
bit like designing nails to pin snot to the wall.

If you are concerned about security you should update regularly and
subscribe to the appropriate debian security announce mailing list.


 
 Yeow! I just did update / upgrade to Jessie, but didn't see the security
 fix come through yet. Ric

You should also probably read the official documentation concerning
security updates and testing.

Dear interweb, please
https://www.debian.org/security/faq#testing
:)


It's an old bug, 2005 from memory; it only affects some instances where
bad certificates are used *and* you manually elect to trust them.

Fix is basically:-
find . -name '*.c' | xargs grep strlen | wc -l
522

find . -name '*.c' | xargs grep strcat | wc -l
44


tl;dr?  Remain calm, update, upgrade; carry on ;)


Kind regards


Archive: https://lists.debian.org/5316e1ec.4070...@gmail.com



Re: gnutls security breach

2014-03-05 Thread NoSpaze
On Wed, 2014-03-05 at 03:10 -0500, Ric Moore wrote:
 Anyone see this?
 http://arstechnica.com/security/2014/03/critical-crypto-bug-leaves-linux-hundreds-of-apps-open-to-eavesdropping/
 Yeow! I just did update / upgrade to Jessie, but didn't see the security 
 fix come through yet. Ric

I wanted to know if this has a major influence on my system:

# lsof -n | grep libgnutls|awk '{ print $1; }'|sort|uniq -c
  6 apache2
  1 AudioOutp
  1 AudioThre
  3 BrowserBl
  1 BrowserWa
  5 CachePool
  1 Chrome_Ca
  6 Chrome_Ch
  1 Chrome_DB
  2 Chrome_Fi
  1 Chrome_Hi
  1 Chrome_IO
  1 Chrome_Pr
  1 Chrome_Sa
  1 Chrome_Sy
 37 chromium
  1 CrShutdow
  1 cupsd
  1 dconf
  1 evolution
  1 exim4
  1 extension
  1 FFmpegDem
  3 gdbus
  2 gmain
  2 gvfs-afc-
  5 HTMLParse
  1 IndexedDB
  1 inotify_r
  1 LevelDBEn
 11 libvirtd
  1 Media
  1 MediaStre
  1 NetworkCh
  1 NetworkMa
  1 nm-applet
  1 NSS
  1 plugin_cr
  2 Proxy
  1 renderer_
  2 threaded-
  5 VC
  1 WorkerPoo

So, no problem for me, but seeing apache there makes me think if I
should continue to use online banking...

Anyway, I don't find any concrete information on the bug's effects on
common systems...

Greets!
--
Rodolfo Alcazar Portillo - rodolf...@gmail.com
otbits.blogspot.com / counter.li.org: #367962
--
I really don't want to destroy Microsoft. That will just be a completely
unintended side effect.
- Linus Torvalds



Archive: https://lists.debian.org/1394045951.6183.4.ca...@rap.ydor.org



Re: gnutls security breach

2014-03-05 Thread Scott Ferguson
On 06/03/14 05:59, NoSpaze wrote:
 On Wed, 2014-03-05 at 03:10 -0500, Ric Moore wrote:
 Anyone see this?
 http://arstechnica.com/security/2014/03/critical-crypto-bug-leaves-linux-hundreds-of-apps-open-to-eavesdropping/
 Yeow! I just did update / upgrade to Jessie, but didn't see the security 
 fix come through yet. Ric
 
 I wanted to know if this has a major influence on my system:

And your system is?

 
 # lsof -n | grep libgnutls|awk '{ print $1; }'|sort|uniq -c
snipped
 
 So, no problem for me, but seeing apache there makes me think If I
 should continue to use online banking...

Have you applied the libgnutls security update?

Puzzled. How would apache - running your own web server - impact on the
ssl certs your system authenticates as part of your online banking?

Both apache and your server use gnutls for handling SSL, TLS and DTLS -
aside from that there's no connections I can see.

<opinion class=biased authority=unknown>
As always if you want secure connections get up and walk. Otherwise the
best you can do, after limiting your risk exposure and maintaining good
OpSec and a secure system is:-
;visually confirm the cert footprint to ascertain it belongs to the
issuer - particularly if it changes (see your cert settings in your browser)
;check with DNSSEC that the site issuing the cert is the site it claims
to be.
Given that most users don't do the former - even though I can't think of
a major cert issuer who hasn't been compromised - and most enterprises
resist implementation of DNSSEC... SNAFU(?)
Internet banking will always be a risk, likewise any secure
communications using resources outside your control. It's always an
end-to-end equation with at least two unreliable meatbags at either end,
and the triviality of capture and replay at a later date with additional
information.
</opinion>

 
 Anyway, I don't find any concrete information on the bug's effects on
 common systems...

Did you try searching this list for information?
Was the information I provided earlier in this thread insufficient? What
do you mean by "I don't find"? It took me all of ten minutes to find
more detail on the *past* bug than I had time to read since.

You could check the git and see what has changed, and why, since Simon
Josefsson wrote the relevant section of code - or just rely on second
and third hand interpretations. I'm not sure what choices you have.

*Theoretically* the bug, since patched, *may* have allowed an attacker
using a carefully crafted X.509 certificate, of which no working proof
has been found, to play MITM. You would need to accept this certificate
or it won't work. I'm not attempting to mitigate the risks - just
counter the over-hyped, ill-informed chorus of monkey blogs/news
channels that seek to inflate their readerships by conflating possible
with actual.
In a world of breached certificate authorities, and compromised banks,
networks, and DNS - MITM is a constant risk even if ssl/tls/dtls were easy
to secure *and* certificate issuers adhered to a standard that allowed that.

snipped

Kind regards


Archive: https://lists.debian.org/5317b478.8020...@gmail.com
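As an added example (not code from this thread, from GnuTLS, or from Debian), here is a reconstruction in C of the bug class CVE-2014-0092 belongs to, which both Scott's "fix is basically grep strlen" joke and his later "carefully crafted X.509 certificate" paragraph circle around: an X.509 verification routine whose error paths returned a negative error code where its caller expected a boolean, so a certificate that provoked a parse error was treated as verified instead of rejected. The `toy_cert` struct, the `toy_get_signed_data` helper, the `TOY_E_ASN1_ERROR` code and every certificate below are constructed for the example; the real functions live in GnuTLS's lib/x509/verify.c and are considerably more involved.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for an X.509 certificate, carrying only what this
 * example needs. A real certificate is DER-encoded; here a flag stands in
 * for "the signed portion cannot be extracted", i.e. a malformed input. */
struct toy_cert {
    const char *subject;       /* e.g. "CN=Example CA" */
    int is_ca_flag;            /* basicConstraints cA bit: 1 or 0 */
    int signed_data_broken;    /* 1 => extracting the signed data fails */
    const char *signed_by;     /* subject of the certificate that signed it */
};

#define TOY_E_ASN1_ERROR (-1)  /* assumed error code; negative, as in GnuTLS */

/* Extracting the signed portion of the certificate "fails" when it is malformed. */
static int toy_get_signed_data(const struct toy_cert *c)
{
    return c->signed_data_broken ? TOY_E_ASN1_ERROR : 0;
}

/* VULNERABLE pattern. Contract: return 1 if c is a CA, 0 if not. But the
 * error path jumps to cleanup with result still holding the negative error
 * code, which the caller below treats as "non-zero, so it is a CA". */
static int check_if_ca_vuln(const struct toy_cert *c)
{
    int result;

    result = toy_get_signed_data(c);
    if (result < 0)
        goto cleanup;               /* result == -1 here */
    result = c->is_ca_flag;         /* 0 or 1 */
cleanup:
    return result;
}

/* FIXED pattern: every error path explicitly maps onto the boolean contract,
 * so a certificate that cannot even be parsed is never a CA. */
static int check_if_ca_fixed(const struct toy_cert *c)
{
    int result;

    result = toy_get_signed_data(c);
    if (result < 0) {
        result = 0;                 /* error => not a CA */
        goto cleanup;
    }
    result = c->is_ca_flag;
cleanup:
    return result;
}

/* Minimal chain check: the leaf must be signed by issuer, and issuer must be
 * a CA. Returns 1 for "verified", 0 for "rejected". The only difference
 * between the vulnerable and fixed verifier is which check_if_ca it is given. */
static int verify_chain(const struct toy_cert *leaf,
                        const struct toy_cert *issuer,
                        int (*check_if_ca)(const struct toy_cert *))
{
    if (strcmp(leaf->signed_by, issuer->subject) != 0)
        return 0;
    if (check_if_ca(issuer) == 0)   /* -1 passes this test; that is the bug */
        return 0;
    return 1;
}

/* Constructed test data. honest_issuer is a well-formed CA; evil_issuer is
 * an attacker-supplied certificate that is NOT a CA but is malformed so that
 * signed-data extraction fails. Each leaf claims to be signed by its issuer. */
static const struct toy_cert honest_issuer = { "CN=Honest CA", 1, 0, "CN=Root" };
static const struct toy_cert honest_leaf   = { "CN=bank.example", 0, 0, "CN=Honest CA" };
static const struct toy_cert evil_issuer   = { "CN=Evil Intermediate", 0, 1, "CN=Nobody" };
static const struct toy_cert forged_leaf   = { "CN=bank.example", 0, 0, "CN=Evil Intermediate" };

int forged_chain_accepted_by_vuln(void)  { return verify_chain(&forged_leaf, &evil_issuer, check_if_ca_vuln); }
int forged_chain_accepted_by_fixed(void) { return verify_chain(&forged_leaf, &evil_issuer, check_if_ca_fixed); }
int honest_chain_accepted_by_vuln(void)  { return verify_chain(&honest_leaf, &honest_issuer, check_if_ca_vuln); }
int honest_chain_accepted_by_fixed(void) { return verify_chain(&honest_leaf, &honest_issuer, check_if_ca_fixed); }

int main(void)
{
    printf("honest chain: vuln=%d fixed=%d\n",
           honest_chain_accepted_by_vuln(), honest_chain_accepted_by_fixed());
    printf("forged chain: vuln=%d fixed=%d  (vuln=1 is the CVE-2014-0092 failure)\n",
           forged_chain_accepted_by_vuln(), forged_chain_accepted_by_fixed());
    return 0;
}
```

The point to take away for code review: a function whose documented contract is boolean must never `return result` from a cleanup label that error paths can reach with a negative value still in `result`. The vulnerable version accepts the forged chain with no user interaction at all, because the malformed intermediate is never presented to anyone; it simply makes `check_if_ca` return -1. When auditing similar code, grep for `goto cleanup` sites in functions that return 0/1 and confirm each one assigns the failure value first.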