Been spending most of the day scrubbing away that vuln in my facility here.... now here's the fun part: imagine just how many embedded devices (most of which get orphaned from a software maintenance perspective the moment they hit the store shelves) are gonna have this flaw. There's been the discussion of crappy home broadband CPE... Only a matter of time before someone fakes the certificate and breaks a "trusted" software update method, or heck... a dns explot + fake certificate = several million compromised payment card terminals. On Wed, Mar 5, 2014 at 4:58 PM, jim deleskie <deleskie@gmail.com> wrote:
Doing some serious adjusting of my tinfoil today over his :)
-jim
On Wed, Mar 5, 2014 at 5:03 PM, Jay Ashworth <jra@baylink.com> wrote:
----- Original Message -----
From: "Leo Bicknell" <bicknell@ufp.org>
On Mar 4, 2014, at 9:07 PM, Jay Ashworth <jra@baylink.com> wrote:
Is this the *same* bug that just broke in Apple code last week?
No, the Apple bug was the existence of an /extra/ "goto fail;".
The GnuTLS bug was that it was /missing/ a "goto fail;".
I'm figuring the same developer worked on both, and just put the line in the wrong repository. :)
Those who speculate that these bugs happened at the behest of the NSA would probably agree with you.
Cheers, -- jra -- Jay R. Ashworth Baylink jra@baylink.com Designer The Things I Think RFC 2100 Ashworth & Associates http://www.bcp38.info 2000 Land Rover DII St Petersburg FL USA BCP38: Ask For It By Name! +1 727 647 1274
-- -- Tom Morris, KG4CYX Mad Scientist and Operations Manager, WDNA-FM 88.9 Miami - Serious Jazz! 786-228-7087 151.820 Megacycles