Critical Linux Flaw Threatens More Systems Than You Think

[ddpruitt]

we know of companies that have lost millions because of this bug.

Yeah, ok, what happened to the backups? What happened to TESTING software in a VM environment. I find it difficult to accept your comment.

Don't know why this go downvoted, but I agree. You don't lose data due to a bug unless you're doing something else wrong. Google shows that this issued did exist on Server 2008 but a hotfix was released for it and that anyone who had backups was fine. To top it off it's a strange corner condition that only shows up with a sysadmin being lazy IMHO (Move it yourself don't have the OS do it, that always screws stuff up).

 

[Solandri]

Don't know why this go downvoted, but I agree. You don't lose data due to a bug unless you're doing something else wrong.

You'd be surprised what goes on in companies without a strong or competent IT department. At the company I used to work for, I set up a company file server. The employees' PCs I set to automatically backup to the server. The accounting computer in particular I backed up AND pointed the accounting software's database backup to write to a separate location on the server, AND I had the accountant occasionally save the backup to an external flash drive. (The server got its own backups too.)Last year I got a call from the company. Over the years since I'd left, they'd replaced the accounting computer with a new one and had continued to operate like normal. The hard drive died and they'd called me out of desperation because they didn't know what to do. They hadn't set up the automatic backups on the new computer like I had, they'd pointed the accounting software's database backup to the same hard drive as the original data files, and they hadn't made external backups. Except for paper receipts and printouts, their accounting data for the entire year was just gone.While it's tempting to blame people for their stupidity in these cases, I think a more holistic approach is healthier. As aviation industry accident investigators say, there is no single cause for a plane crash. It is the confluence of a variety of factors, decisions, and mistakes which cause the accident. Even if one factor is particularly glaring, the industry is improved if all contributing factors are reviewed and corrected. In other words, just because a bug is incredibly rare and requires immense stupidity on the part of the user to trigger, that's no excuse not to fix the bug.

 

[mstngs351]

You'll note that this critical flaw was fixed the very same day. You Microsloth fanboys WON'T get that kind of speed from Microsloth to fix a critical error. Linux remains to be one of if not the BEST OS bar none. And it's free unlike Microsloth Winbloze.

From Redhat"Nikos Mavrogiannopoulos of the Red Hat Security Technologies Team and GnuTLS project discovered a certificate verification security issue affecting GnuTLS on February 19th, 2014 whilst auditing the code. We then used our standard processes to notify and work with other affected distributions in advance. Updates to correct this flaw were released on 3rd March 2014 from Red Hat, GnuTLS, and others."Def not the same day... Plus complaints about such insecurities in the GnuTLS code go back to 2008.

 

[alextheblue]

In other words, just because a bug is incredibly rare and requires immense stupidity on the part of the user to trigger, that's no excuse not to fix the bug.

True, but didn't he say it was fixed? I don't think he was excusing anything... hence why he mentioned the hotfix.

 

[randomizer]

If this was a flaw in OpenSSL we'd have something to be concerned about. Since practically nothing uses GnuTLS this flaw will be forgotten about by next week.

 

[NetMage]

As others have pointed out, it is hardly surprising. Almost no one is going to say "I think this is a good day to audit some Linux code" rather than create new stuff.