doctorow at March 5th, 2014 10:01 — #1
sysv at March 5th, 2014 10:26 — #2
On FreeBSD it's probably best to set
WITHOUT_GNUTLS in /etc/make.conf and rebuild all your ports.
Programs that require gnutls can be seen at http://www.freshports.org/security/gnutls/
Hopefully SELinux gets an audit asap.
joe_b at March 5th, 2014 10:27 — #3
However, most Linux apps (including browsers running on Linux) use OpenSSL, not GNUTLS, so the impact is less than the headlines would indicate.
pokso at March 5th, 2014 10:38 — #4
The GnuTLS lib is not very widely used, most apps use OpenSSL or NSS. The most prominent GnuTLS users are Mutt and some configurations of curl (a command-line http client).
xzzy at March 5th, 2014 11:02 — #5
Doesn't Debian use gnutls heavily?
I've never run debian but someone once upon a time told me that and I just accepted it as truth because I had no need to verify it.
knappa at March 5th, 2014 11:46 — #6
Looking at my system, it is a bit of a mixed bag.
Packages depending on libcurl3 (openssl flavour): 94
acerplatanoides at March 5th, 2014 12:04 — #7
No pattern here, nope. No possibility of such a thing, either. Of course not. That would be paranoid.
marjae at March 5th, 2014 13:19 — #8
Any tips for those of us unable to install or update anything due to repository issues?
Aside from back up and finally try to install another version and hope the installer doesn't crash partway through breaking everything again?
I have an old Ubuntu installation on my machine. I haven't updated because Unity, because new versions break basic tools like scrollbars and break accessibility features, and because adware. I haven't been able to install or update anything for some time, because of repository issues.
[edit function broken again]
s2redux at March 5th, 2014 13:51 — #9
Since the GnuTLS error dates back to 2005, and the iOS error began in 2012, the only pattern I see here is coders not fully testing their error handling. Sometimes an error is just an error.
gilbertwham at March 5th, 2014 14:03 — #10
Aye, I'm still using 10.04, because I hate Unity, and 12 plays merry hell with my displays.
acerplatanoides at March 5th, 2014 14:06 — #11
I agree entirely that sometimes an error is just an error.
Errors can form patterns and they're worth not discounting out of hand (not saying you did). Even if most theories are totally wrong, most violations of trust are disguised as errors by the perpetrators.
jandrese at March 5th, 2014 14:17 — #12
The GNUTLS code is terrible though, they ignore common coding conventions and have it set up in a way that makes it difficult to integrate into real programs. It's just badly designed. The fact that an error like this existed was almost inevitable.
This is going to be a bit technical, so hold on.
The error is a mishandling of an error code from a function. By convention in C, you return 0 on success, and non-zero in case of failure. The number you return is generally either -1, or an error code. GNUTLS did the opposite, 0 is failure and 1 is success. When a different programmer in 2005 went and refactored the code, he forgot to account for this and programmed the thing assuming the certificate check returned normal error codes. It's a stupid bug, but it's one that is far too easy to make by accident given the rest of the codebase.
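The convention mismatch jandrese describes, shown as an added C example that is not code from GnuTLS or from any commenter here: a hypothetical check routine that returns 1 for a valid certificate and 0 for an invalid one, a caller written for the usual "0 means success" convention, and a typed version in which the caller compares against an explicit success value instead of against zero. Every function and type name below is invented for the illustration.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical check routine using the convention the comment describes:
 * 1 means the certificate is valid, 0 means it is not. */
static int check_cert_legacy(int cert_is_valid)
{
    return cert_is_valid ? 1 : 0;
}

/* Buggy caller, written by someone assuming the common C convention
 * (0 = success, non-zero = failure). The test is inverted for this API:
 * a failed check (0) is accepted and a passed check (1) is rejected. */
bool accept_cert_buggy(int cert_is_valid)
{
    int ret = check_cert_legacy(cert_is_valid);
    if (ret != 0) {
        /* "non-zero means failure" -- wrong for this routine */
        return false;
    }
    return true;
}

/* Hardened version: give the result a named type so the convention is
 * visible at every call site, and accept only the explicit success value.
 * Any other value, including ones added later, is rejected by default. */
typedef enum { CERT_INVALID = 0, CERT_VALID = 1 } cert_status;

static cert_status check_cert_typed(int cert_is_valid)
{
    return cert_is_valid ? CERT_VALID : CERT_INVALID;
}

bool accept_cert_fixed(int cert_is_valid)
{
    cert_status st = check_cert_typed(cert_is_valid);
    return st == CERT_VALID; /* default-deny */
}

int main(void)
{
    /* Constructed inputs: 0 = invalid certificate, 1 = valid certificate. */
    printf("buggy caller accepts invalid cert: %s\n",
           accept_cert_buggy(0) ? "yes" : "no");
    printf("buggy caller accepts valid cert:   %s\n",
           accept_cert_buggy(1) ? "yes" : "no");
    printf("fixed caller accepts invalid cert: %s\n",
           accept_cert_fixed(0) ? "yes" : "no");
    printf("fixed caller accepts valid cert:   %s\n",
           accept_cert_fixed(1) ? "yes" : "no");
    return 0;
}
```

The point of the typed version is that the compiler and the reader both see `CERT_VALID` at the call site; a reviewer cannot tell what `ret != 0` means without looking up the callee, which is exactly how the refactoring mistake described above slips through. A unit test that feeds an invalid certificate and asserts rejection would have caught either version.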
marjae at March 5th, 2014 14:18 — #13
I've got sensory issues. I can't use KDE because of how it handles screen brightness, and can't use certain computers because they're too noisy or too bright [sometimes even the dimmest setting is still too bright to look at]. So when you say 12 "plays merry hell with my displays," I suspect it inflicts a whole 'nother sensory nightmare.
gilbertwham at March 5th, 2014 14:26 — #14
My sympathies. No, my problem is just getting both monitors to behave. They're dropping support for 10.04 this year I believe. I'm going elsewhere.
marjae at March 5th, 2014 16:31 — #15
Yeah. They already dropped support for the version I use - I think the only version that supports the patches and fixes I need.
jandrese at March 6th, 2014 03:36 — #16
I'm running 13.04, but switched it to lxde, which seems to be a reasonable compromise between keeping up to date and not being driven insane by the UI. I actually tried Unity for awhile under the assumption that people on the internet are just haters and like to complain, but it really is as bad as they say. I couldn't figure out how to do a bunch of basic tasks, stuff that became immediately obvious once I switched to lxde.
I gave it a good shot too. Over two months before finally throwing in the towel. I guess you don't have to be Microsoft to totally screw up a user interface.
riking at March 6th, 2014 04:10 — #17
Wow - so there being no pattern was the actual problem!
gilbertwham at March 6th, 2014 07:00 — #18
My cousin's feller worked for Canonical for a bit, and worked with Shuttleworth a few times. He's under the impression he's fucking mental. Unity only goes to prove his supposition.
pawtuxet at March 6th, 2014 09:03 — #19
According to the same page, the security flaw was addressed on March 4th. It doesn't explicitly state to rebuild anything depending on gnutls after updating it, but I figure it wouldn't hurt.
jandrese at March 6th, 2014 09:21 — #20
It didn't change the API to the library, so you shouldn't need to rebuild dependent apps unless they're statically linked--which they shouldn't be.