[Cryptography] It's GnuTLS's turn: "Critical new bug in crypto library leaves Linux, apps open to drive-by attacks"

alan at clueserver.org alan at clueserver.org
Tue Jun 3 16:19:17 EDT 2014


> "A recently discovered bug in the GnuTLS cryptographic code library puts
> users of Linux and hundreds of other open source packages at risk of
> surreptitious malware attacks until they incorporate a fix developers
> quietly pushed out late last week."
>
> http://arstechnica.com/security/2014/06/critical-new-bug-in-crypto-library-leaves-linux-apps-open-to-drive-by-attacks/
>
> It's a buffer overflow induced by sending an overly long session ID.
> Allegedly code execution has already been demonstrated.
>
> So now we've had serious attacks on Apple's private SSL implementation,
> OpenSSL,  and now GnuTLS.  Is anything left standing?  What does Windows
> use for its SSL implementation?

I would start auditing OpenSSH right now. I expect that will be next.
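
The bug class named in the quoted summary, a peer-supplied session ID length copied into a fixed buffer, is prevented by the length check in the following added example; it is not code from this post or from GnuTLS. The function name and constants are hypothetical, the layout assumed is the TLS 1.2 ServerHello body (2-byte version, 32-byte random, 1-byte session ID length), and the 32-byte maximum is the TLS protocol limit.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SID_MAX 32            /* TLS caps session_id at 32 bytes */
#define SH_FIXED (2 + 32 + 1) /* version + random + session_id length byte */

/* Hypothetical helper: copy the session ID out of a ServerHello body.
 * Returns 0 on success, -1 if the message is malformed. */
int parse_session_id(const uint8_t *body, size_t len,
                     uint8_t sid[SID_MAX], size_t *sid_len)
{
    if (len < SH_FIXED)
        return -1;                      /* too short to hold the length byte */
    size_t n = body[SH_FIXED - 1];      /* peer-controlled: 0..255 */
    if (n > SID_MAX)
        return -1;                      /* would overflow sid[] */
    if (len - SH_FIXED < n + 3)
        return -1;                      /* truncated: need id + suite + compression */
    memcpy(sid, body + SH_FIXED, n);
    *sid_len = n;
    return 0;
}

int main(void)
{
    /* Constructed sample: zeroed ServerHello body claiming a 200-byte id. */
    uint8_t msg[SH_FIXED + 200 + 3] = {3, 3};
    uint8_t sid[SID_MAX];
    size_t n = 0;
    msg[SH_FIXED - 1] = 200;
    printf("oversized: %d\n", parse_session_id(msg, sizeof msg, sid, &n));
    msg[SH_FIXED - 1] = 32;
    printf("valid: %d\n", parse_session_id(msg, SH_FIXED + 32 + 3, sid, &n));
    return 0;
}
```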

