A major security flaw in the Debian Linux distribution illustrates the security risk of open source software, says...
The Sans Institute recently issued a "yellow alert" concerning a Secure Sockets Layer (SSL) security vulnerability in some Debian distributions of the Linux operating system.
The vulnerability, which affects encryption key pairs used by the Debian OpenSSL package, could enable unauthorised parties to access encrypted transaction data, passwords, financial information and other sensitive data.
Gartner said, "This vulnerability - which was apparently introduced by Debian's developers, not open-source OpenSSL developers - highlights one of the risks of using software products that incorporate open-source modules."
In May 2006, said Gartner, the Debian developers chose to make changes to the OpenSSL package used in Debian to fix what appeared to be a memory leak, rather than wait for the OpenSSL developer community to investigate and address the issue.
The Debian "fix" resulted in a serious weakness in the OpenSSL random-number generator, that made it easy for attackers to discover encryption keys.
"In general, encryption code should not be modified without a very thorough process designed to determine the impact of the modifications," said Gartner.