I swear to the sweet baby Jesus that if it isn't one thing it's another in network security. First there was Heartbleed that caused all my company's banking clients to flip their shit. Everything was cool on my end because all of our Linux servers used GnuTLS or Windows IIS. Heartbleed only affected OpenSSL users.
Well ZDNet recently reported on a major flaw with GnuTLS! Crap! From ZDNet:
According to RedHat, which issued an advisory for the latest bug on Saturday, GnuTLS runs an insufficient check on the session ID length during the TLS/SSL handshake between a client and server.

"A flaw was found in the way GnuTLS parsed session ids from Server Hello packets of the TLS/SSL handshake. A malicious server could use this flaw to send an excessively long session id value and trigger a buffer overflow in a connecting TLS/SSL client using GnuTLS, causing it to crash or, possibly, execute arbitrary code," the company wrote.

According to the article, the only versions not affected are 3.1.25, 3.2.15 or 3.3.3. Checking the repositories for Ubuntu, the only version of Ubuntu that contains a GnuTLS version that is not susceptible to the bug is Utopic Unicorn (14.10), which hasn't been released yet. Crap! The version in the Utopic repositories is currently 3.2.15.
That leaves two options:
- Download and install from source
- Update your apt sources to use Utopic Unicorn's repositories

To go the second route:
- Change into your /etc/apt directory
- Create a backup of your sources.list file:
    cp sources.list sources.list.bak
- Edit sources.list with your favorite text editor
- Replace your current version's name with utopic. I tested this on 12.04, so I replaced precise with utopic.
- Save sources.list, then update apt
- Next, upgrade!
The upgrade then failed with this dpkg error:
    dpkg: error: configuration error: /etc/dpkg/dpkg.cfg.d/multiarch:1: unknown option 'foreign-architecture'
    E: Sub-process /usr/bin/dpkg returned an error code (2)
What you need to do is remove the /etc/dpkg/dpkg.cfg.d/multiarch file, then you can run sudo apt-get -f install to fix anything you're missing. The newer dpkg no longer understands the foreign-architecture config option (dpkg --add-architecture replaced it), so the old file is only in the way; if you actually relied on it for i386 packages on a 64-bit box, re-add the architecture with dpkg --add-architecture afterwards.
After doing this I ran gnutls-cli -v and received the following output:
    gnutls-cli 3.2.15
    Copyright (C) 2000-2014 Free Software Foundation, and others, all rights reserved.
    This is free software. It is licensed for use, modification and
    redistribution under the terms of the GNU General Public License,
    version 3 or later <http://gnu.org/licenses/gpl.html>
Boom! GnuTLS 3.2.15! Hack me now!
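To make the two moving parts of this procedure repeatable, here is an added example (not code from the original post): a helper that repoints an apt sources file you hand it at another release, leaving a .bak copy behind as above, and a check of the gnutls-cli -v version string against the fixed releases the advisory names. It assumes that later releases on each of those branches also carry the fix, which the post's wording does not spell out.

```shell
#!/bin/sh
# Added example, not code from the original post. Two helpers for the
# procedure above: repoint an apt sources file at another release (on a file
# you pass in, so nothing touches /etc/apt unless you point it there), and
# check a GnuTLS version against the fixed releases the advisory names
# (3.1.25, 3.2.15, 3.3.3). Assumption: later releases on each of those
# branches carry the fix too.

# repoint_sources FILE FROM TO: rewrite the release codename in FILE in place,
# leaving FILE.bak behind; "precise" -> "utopic", "precise-updates" -> "utopic-updates".
repoint_sources() {
    sed -i.bak "s/\([[:space:]]\)$2\([[:space:]-]\)/\1$3\2/g" "$1"
}

# gnutls_fixed VERSION: exit 0 if the version carries the fix, 1 if it is still
# affected, 2 if the string does not look like a GnuTLS version.
gnutls_fixed() {
    case "$1" in
        *.*.*) ;;
        *) return 2 ;;
    esac
    major=${1%%.*}; rest=${1#*.}
    minor=${rest%%.*}; patch=${rest#*.}
    patch=${patch%%[!0-9]*}          # drop a packaging suffix such as "-1ubuntu2"
    case "$major.$minor" in
        3.1) [ "$patch" -ge 25 ] ;;
        3.2) [ "$patch" -ge 15 ] ;;
        3.3) [ "$patch" -ge 3 ] ;;
        3.*) [ "$minor" -gt 3 ] ;;   # 3.0.x: no fixed release named; 3.4+ assumed fixed
        *)   [ "$major" -gt 3 ] ;;   # 2.x: no fixed release named
    esac
}

# gnutls_cli_version "OUTPUT": pull the version out of the first line of `gnutls-cli -v`.
gnutls_cli_version() {
    printf '%s\n' "$1" | sed -n '1s/^gnutls-cli \([0-9][0-9.]*\).*/\1/p'
}

# Constructed sample of the `gnutls-cli -v` output the post shows after the upgrade.
SAMPLE_OUTPUT='gnutls-cli 3.2.15
Copyright (C) 2000-2014 Free Software Foundation, and others, all rights reserved.'

for v in "$(gnutls_cli_version "$SAMPLE_OUTPUT")" 3.2.14 3.1.25-1ubuntu2 2.12.23; do
    if gnutls_fixed "$v"; then echo "$v: fixed"; else echo "$v: still affected"; fi
done
```

Run the version check against the real binary with `gnutls_fixed "$(gnutls_cli_version "$(gnutls-cli -v)")"`; the packaged version string from `dpkg -s libgnutls26` works the same way since the suffix is stripped.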
In all honesty, for stability's sake, the method in this article probably isn't the recommended way: pointing a 12.04 box at the Utopic repositories upgrades every package on the system, not just GnuTLS. You should probably just install from source...