03.05.14

Gemini version available ♊︎

Panic Over Transport Layer Security (TLS) Flaw Which is Already Patched

Posted in GNU/Linux, Security at 12:44 pm by Dr. Roy Schestowitz

Bad news sells better

Summary: What the media is not really telling us about the GnuTLS vulnerability

The corporate press has shown its ignorance by characterising GNU as “Linux” and describing an already-patched flaw as the worst thing since proprietary software. Some went as far as suggesting that the NSA was behind it [1] and Muktware rebutted [2] the seminal article [3] which started a lot of the panic (at the time of writing there are dozens of articles about this, but we don’t need to feed them with links). What we have here is another case of Dan Goodin creating panic in the Microsoft-friendly Ars, just as he had done when he worked for the Microsoft-friendly The Register. The only shocking thing is the amount of press coverage this received. PGP/GPG, OpenSSH, OpenSSL etc. were previously named here for flaws that had been found (in the context of Red Hat and the NSA [1, 2, 3]). These are not so uncommon. One just needs to keep up to date (patched) — one that which Apple’s customers cannot do. They can’t even write their own patches.

Related/contextual items from the news:

  1. NSA did it again? This time GnuTLS fails to check malicious certificates
  2. Yes there was a security hole in Linux, but Red Hat already fixed it

    Originally reported by Ars Technica, the fix was available by the time the general public was made aware of it. It’s actually fairly similar to a certain security hole that lived for a year and could have allowed for exploits to be used in the wild.

  3. Critical crypto bug leaves Linux, hundreds of apps open to eavesdropping

    The bug in the GnuTLS library makes it trivial for attackers to bypass secure sockets layer (SSL) and Transport Layer Security (TLS) protections available on websites that depend on the open source package. Initial estimates included in Internet discussions such as this one indicate that more than 200 different operating systems or applications rely on GnuTLS to implement crucial SSL and TLS operations, but it wouldn’t be surprising if the actual number is much higher. Web applications, e-mail programs, and other code that use the library are vulnerable to exploits that allow attackers monitoring connections to silently decode encrypted traffic passing between end users and servers.

Share in other sites/networks: These icons link to social bookmarking sites where readers can share and discover new web pages.
  • Reddit
  • email

Decor ᶃ Gemini Space

Below is a Web proxy. We recommend getting a Gemini client/browser.

Black/white/grey bullet button This post is also available in Gemini over at this address (requires a Gemini client/browser to open).

Decor ✐ Cross-references

Black/white/grey bullet button Pages that cross-reference this one, if any exist, are listed below or will be listed below over time.

Decor ▢ Respond and Discuss

Black/white/grey bullet button If you liked this post, consider subscribing to the RSS feed or join us now at the IRC channels.

DecorWhat Else is New


  1. Microsoft Thought Police

    Reprinted with permission from Ryan



  2. Links 08/02/2023: GNOME Smoother Scrolling of Text Views

    Links for the day



  3. Links 08/02/2023: Transmission 4.0.0 Released and Mass Layoffs at Zoom

    Links for the day



  4. IRC Proceedings: Tuesday, February 07, 2023

    IRC logs for Tuesday, February 07, 2023



  5. When the Pension Vanishes

    Today we commenced a multi-part mini-series about pensions and what happens when they suddenly vanish and nobody is willing to explain where all the money went



  6. Sirius 'Open Source' Pensiongate: An Introduction

    The Sirius ‘Open Source’ series continues in the form of a mini-series about pensions; it’s part of an ongoing investigation of a deep mystery that impacts people who left the company quite a long time ago and some of the lessons herein are applicable to any worker with a pension (at times of financial uncertainties)



  7. Links 07/02/2023: Endless OS 5.0 and Voice.AI GPL Violations

    Links for the day



  8. No Doubt Microsoft Unleashed Another 'Tay', Spreading Bigotry Under the Guise of Hey Hi (AI)

    Reprinted with permission from Ryan



  9. Links 07/02/2023: Fedora 39 Development Plans Outlines

    Links for the day



  10. IRC Proceedings: Monday, February 06, 2023

    IRC logs for Monday, February 06, 2023



  11. Links 06/02/2023: Escuelas Linux 8.0 and Many Political Issues

    Links for the day



  12. Links 06/02/2023: Sparky 6.6 and IPFire 2.27 – Core Update 173

    Links for the day



  13. Taking Back Control or Seizing Autonomy Over the News Cycle (Informing People, Culling the Marketing)





  14. Reality Versus Fiction: EPO Insiders Versus EPO Web Site and UPC 'Churnalists'

    The "official" sources of the European Patent Office (EPO), as well as the sedated "media" that the EPO is bribing for further bias, cannot tell the truth about this very large institution; for proper examination of Europe's largest patent office one must pursue the interpretation by longtime veterans and insiders, who are increasingly upset and abused (they're being pressured to grant patents in violation of the charter of the EPO)



  15. Links 06/02/2023: Linux 6.2 RC7 and Fatal Earthquake

    Links for the day



  16. IRC Proceedings: Sunday, February 05, 2023

    IRC logs for Sunday, February 05, 2023



  17. Links 05/02/2023: Wayland in Bookworm and xvidtune 1.0.4

    Links for the day



  18. Links 05/02/2023: Pakistan Blocks Wikipedia, Musharraf Dies

    Links for the day



  19. IRC Proceedings: Saturday, February 04, 2023

    IRC logs for Saturday, February 04, 2023



  20. Links 04/02/2023: FOSDEM Happening and Ken Thompson in SoCal Linux Expo

    Links for the day



  21. 2023 is the Year Taxpayers' Money Goes to War and Energy Subsidies, Not Tech

    Now that a lot of powerful and omnipresent ‘tech’ (spying and policing) companies are rotting away we have golden opportunities to bring about positive change and maybe even recruit technical people for good causes



  22. Getting Back to Productive Computer Systems Would Benefit Public Health and Not Just Boost Productivity

    “Smartphoneshame” (shaming an unhealthy culture of obsession with “apps”) would potentially bring about a better, more sociable society with fewer mental health crises and higher productivity levels



  23. Links 04/02/2023: This Week in KDE and Many More Tech Layoffs

    Links for the day



  24. Dotcom Boom and Bust, Round 2

    The age of technology giants/monopolies devouring everything or military-funded (i.e. taxpayers-subsidised) surveillance/censorship tentacles, in effect privatised eyes of the state, may be ending; the United States can barely sustain that anymore and raising the debt ceiling won't solve that (buying time isn't the solution)



  25. Society Would Benefit From a Smartphoneshame Movement

    In a society plagued by blackmail, surveillance and frivolous lawsuits it is important to reconsider the notion of “smart” phone ownership; these devices give potentially authoritarian companies and governments far too much power over people (in the EU they want to introduce new legislation that would, in effect, ban Free software if it enables true privacy)



  26. IRC Proceedings: Friday, February 03, 2023

    IRC logs for Friday, February 03, 2023



  27. IRC Proceedings: Thursday, February 02, 2023

    IRC logs for Thursday, February 02, 2023



  28. Links 03/02/2023: Proton 7.0-6 Released, ScummVM 2.7 Testing

    Links for the day



  29. Links 03/02/2023: OpenSSH 9.2 and OBS Studio 29.0.1

    Links for the day



  30. Links 03/02/2023: GNU C Library 2.37

    Links for the day


RSS 64x64RSS Feed: subscribe to the RSS feed for regular updates

Home iconSite Wiki: You can improve this site by helping the extension of the site's content

Home iconSite Home: Background about the site and some key features in the front page

Chat iconIRC Channel: Come and chat with us in real time

Recent Posts