Serious security bug found in Linux
A very serious bug has been found in the open source GnuTLS package. Many programs, and the Linux operating system itself, use this package to encrypt data streams. The bug was discovered during a routine code audit by Red Hat and appears to be a simple programmer error, as opposed to the flaw intentionally inserted into a cryptography algorithm by the NSA to let it eavesdrop on encrypted communications. That NSA flaw does not affect Linux.

The fix is available, and I have explicitly confirmed that it is included in a GnuTLS update for CentOS that was made available this morning. I have installed it on my server and firewall here, both of which run CentOS, and checked that nothing else obvious is broken. I have no idea whether this update requires a reboot, but I will reboot all of the affected CentOS systems after the updates have been installed.

This fix is not yet available for Fedora. Check the updates for your own distribution to verify whether the fix has been included.

Part of the news here is that serious security bugs in Linux like this one are few and far between, so it gets heavy media coverage. The other part of the news, the part that will get little or no coverage, is that Red Hat could only perform the audit and discover the problem because the code is open source. That same openness is why the fix became available so quickly after the problem was discovered, and why I can easily confirm that it is included in the new version of the GnuTLS package simply by reading the changelog.

The link below goes into more detail, if you are interested.