New Critical GnuTLS bug.
Even better than Apple's recent underpants-down moment:

http://arstechnica.c...to-eavesdropping/

Here's the word from the GnuTLS developers:

http://www.gnutls.or...#GNUTLS-SA-2014-2

A vulnerability was discovered that affects the certificate verification functions of all gnutls versions. A specially crafted certificate could bypass certificate validation checks.

It's pretty serious. As one of the Ars commenters points out, it's not end-users who are going to cause problems, as they generally update pretty regularly; it's large-scale webhosts for whom the testing and rollout of a patch like this is a Big Deal.
New a snark to the folks that didn't like my mitigating
controls for lack of TLS. Just asked them if I could use this link instead.
Any opinions expressed by me are mine alone, posted from my home computer, on my own time as a free American and do not reflect the opinions of any person or company that I have had professional relations with in the past 58 years. meep
New Worse than the OSX one for sure, because
... there's no central place to get an update, either. Each different system type that incorporates the library will need the patch, so we'll be waiting on Ubuntu, RedHat, Amazon, you name it.

The bug has been there since 2003, not 2005.

So, Greg, is this now why you don't particularly like GNU products...? ;-)
Regards,
-scott
Welcome to Rivendell, Mr. Anderson.
New redhat is out
Any opinions expressed by me are mine alone, posted from my home computer, on my own time as a free American and do not reflect the opinions of any person or company that I have had professional relations with in the past 58 years. meep
New Actually... yes there is one issued on the 3rd.
RHSA-2014-0247 for V5.X...

Already installed at this point. (I had to get source and compile and install as CentOS is a tick behind)
--
greg@gregfolkert.net
"No snowflake in an avalanche ever feels responsible." --Stanislaw Jerzy Lec
Edited by folkert March 5, 2014, 05:44:16 PM EST
New Sure... I *really* never said...
I particularly liked them... (ok...)

I just dislike them less.


*edit is intentional.
--
greg@gregfolkert.net
"No snowflake in an avalanche ever feels responsible." --Stanislaw Jerzy Lec
Edited by folkert March 5, 2014, 04:39:29 PM EST
     Critical GnuTLS bug. - (pwhysall) - (5)
         a snark to the folks that didn't like my mitigating - (boxley)
         Worse than the OSX one for sure, because - (malraux) - (3)
             redhat is out -NT - (boxley) - (1)
                 Actually... yes there is one issued on the 3rd. - (folkert)
             Sure... I *really* never said... - (folkert)
