A new *n*x bug got discovered in TLS certificate handling that is similar to the recently discovered iOS and OS X “goto fail” security issue.
This time the fix consists of a few replacements like this:
-goto cleanup;
+goto fail;
Plus one addition:
+fail: // ADDED
+ result = 0;
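Review bot: the new `fail:` label forces `result = 0`, so every `goto cleanup` rewritten to `goto fail` now reports failure instead of returning whatever value `result` held at the jump; a comment at the label stating that callers read this return value as a boolean would make that intent explicit, and each rewritten `goto cleanup` should be confirmed to be an error path rather than an early exit that meant to keep its result.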
Many applications depend on GnuTLS and are affected (GnuTLS is one of several TLS libraries; OpenSSL is another).
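As an added illustration, not code from this post or from GnuTLS itself: a minimal C sketch of the bug class the diff above fixes. The certificate struct, the error code and both check functions are constructed stand-ins; the return-value convention they model (negative error codes, with the caller treating any nonzero result as "this is a CA") is what made the original error path dangerous.

```c
#include <stdbool.h>

/* Constructed stand-in for a parsed certificate: only what the example needs. */
typedef struct {
    int  parse_error;           /* negative error code if the DER is malformed, 0 if fine */
    bool basic_constraints_ca;  /* value of the CA flag when parsing succeeded */
} fake_cert;

#define ERR_ASN1_GENERIC (-1)   /* constructed negative error code */

/* BEFORE: the error path jumps to cleanup and returns the negative error code.
   The caller tests the result as a boolean, so a parse failure (nonzero)
   is taken to mean "this certificate is a CA". */
int check_if_ca_buggy(const fake_cert *c) {
    int result = 0;
    if (c->parse_error < 0) {
        result = c->parse_error;        /* e.g. -1, which is "true" to the caller */
        goto cleanup;
    }
    result = c->basic_constraints_ca ? 1 : 0;
cleanup:
    return result;
}

/* AFTER: same shape as the fix in the diff: a fail: label forces result to 0. */
int check_if_ca_fixed(const fake_cert *c) {
    int result = 0;
    if (c->parse_error < 0) {
        goto fail;
    }
    result = c->basic_constraints_ca ? 1 : 0;
    goto cleanup;
fail:
    result = 0;                          /* error paths now read as "not a CA" */
cleanup:
    return result;
}

/* Caller in the style of chain verification: nonzero means "trusted issuer". */
bool issuer_accepted(const fake_cert *issuer, int (*check)(const fake_cert *)) {
    return check(issuer) != 0;
}

/* Constructed inputs: a malformed issuer and a well-formed CA certificate. */
const fake_cert MALFORMED = { ERR_ASN1_GENERIC, false };
const fake_cert GOOD_CA   = { 0, true };
```

With the buggy variant, `issuer_accepted(&MALFORMED, check_if_ca_buggy)` is true, which is the failure mode: a certificate the parser rejected is accepted as a CA; the fixed variant returns false for the same input.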
Two must-do things:
- Closely watch the Linux, BSD, other *n*x and application security updates, as exploits will be available soon
- Read "existential type crisis: The Story of the GnuTLS Bug", which explains the bug, tracks down the cause, and discusses the lessons to learn.
I’m with Jan Wildeboer here, and updates should get in very soon.