A major security flaw in the Debian Linux distribution illustrates the security risk of open source software, says analyst Gartner.
The SANS Institute recently issued a "yellow alert" concerning a Secure Sockets Layer (SSL) security vulnerability in some Debian distributions of the Linux operating system.
The vulnerability, which affects encryption key pairs used by the Debian OpenSSL package, could enable unauthorised parties to access encrypted transaction data, passwords, financial information and other sensitive data.
A Debian advisory offers recommendations for patching the software and regenerating the encryption keys.
Gartner said, "This vulnerability - which was apparently introduced by Debian's developers, not open-source OpenSSL developers - highlights one of the risks of using software products that incorporate open-source modules."
In May 2006, said Gartner, the Debian developers chose to make changes to the OpenSSL package used in Debian to fix what appeared to be a memory leak, rather than wait for the OpenSSL developer community to investigate and address the issue.
The Debian "fix" introduced a serious weakness in the OpenSSL random-number generator that made it easy for attackers to discover encryption keys.
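The entropy loss described above, shown with an added toy model that is not Debian's or OpenSSL's code: the model assumes the only input that still varies between runs of the weakened generator is a 15-bit process id, so the generator can produce at most 2^15 distinct keys, keys collide across unrelated machines, and a defender can find affected hosts by auditing a fleet for duplicate key fingerprints.

```python
import hashlib
import os
from collections import defaultdict

SEED_BITS = 15  # assumption of this model: only a 15-bit process id varies between runs


def weak_keygen(pid: int) -> bytes:
    """Toy key generator whose only entropy is the process id.

    Two machines whose key-generating process happened to get the same pid
    derive exactly the same key. The digest stands in for a key fingerprint.
    """
    seed = pid.to_bytes(2, "big")          # at most 2**15 distinct seeds
    return hashlib.sha256(b"toy-weak-rng:" + seed).digest()


def strong_keygen() -> bytes:
    """Properly seeded generator: 256 bits from the OS entropy pool."""
    return hashlib.sha256(b"toy-strong-rng:" + os.urandom(32)).digest()


def weak_keyspace_size() -> int:
    """Number of distinct keys the weak generator can ever produce."""
    return len({weak_keygen(pid) for pid in range(1 << SEED_BITS)})


def audit_fleet(fingerprints: dict[str, bytes]) -> dict[bytes, list[str]]:
    """Defender's check: group hosts that present an identical key fingerprint.

    Keys from a healthy generator never collide in practice, so any group with
    more than one host is a strong signal that those keys came from a broken
    RNG and must be regenerated.
    """
    by_key: dict[bytes, list[str]] = defaultdict(list)
    for host, fp in fingerprints.items():
        by_key[fp].append(host)
    return {fp: hosts for fp, hosts in by_key.items() if len(hosts) > 1}


# Constructed sample fleet: hostnames and the pid their key-generating process
# ran under; hosts that happened to share a pid end up with the same key.
SAMPLE_PIDS = {"web1": 1234, "web2": 987, "db1": 1234, "mail": 4321, "vpn": 987}
SAMPLE_FLEET = {host: weak_keygen(pid) for host, pid in SAMPLE_PIDS.items()}

if __name__ == "__main__":
    print("weak keyspace:", weak_keyspace_size())
    for fp, hosts in audit_fleet(SAMPLE_FLEET).items():
        print(fp.hex()[:16], "shared by", hosts)
```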
"In general, encryption code should not be modified without a very thorough process designed to determine the impact of the modifications," said Gartner.