Debian security flaw illustrates open source development risks, Gartner says

A major security flaw in the Debian Linux distribution illustrates the security risk of open source software, says analyst Gartner.

The SANS Institute recently issued a "yellow alert" concerning a Secure Sockets Layer (SSL) security vulnerability in some Debian distributions of the Linux operating system.

The vulnerability, which affects encryption key pairs used by the Debian OpenSSL package, could enable unauthorised parties to access encrypted transaction data, passwords, financial information and other sensitive data.

A Debian advisory offers recommendations for patching the software and regenerating the encryption keys.

Gartner said, "This vulnerability - which was apparently introduced by Debian's developers, not open-source OpenSSL developers - highlights one of the risks of using software products that incorporate open-source modules."

In May 2006, said Gartner, the Debian developers chose to make changes to the OpenSSL package used in Debian to fix what appeared to be a memory leak, rather than wait for the OpenSSL developer community to investigate and address the issue.

The Debian "fix" resulted in a serious weakness in the OpenSSL random-number generator that made it easy for attackers to discover encryption keys.
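As an added illustration (not code from the article, Debian or OpenSSL), the Python below models the kind of regression the Debian change introduced and the check that would have caught it: a toy seeding routine that hashes caller-supplied entropy into the pool next to one that silently drops it, leaving only the process ID as seed, plus a regression test that counts distinct keys. The hash, pool and key sizes are toy values chosen for the model; the 32768 PID limit is the Linux default and is a historical detail not stated in the article.

```python
import hashlib
import os
from typing import Callable

# Default Linux pid_max. After the Debian change the process ID was effectively
# the only value still feeding the pool (historical fact, not stated in the article).
PID_MAX = 32768

SeedFn = Callable[[bytes, bytes, int], bytes]

def mix_entropy(pool: bytes, entropy: bytes, pid: int) -> bytes:
    """Sound seeding: every byte of caller-supplied entropy is hashed into the pool."""
    return hashlib.sha256(pool + entropy + pid.to_bytes(4, "big")).digest()

def mix_entropy_patched(pool: bytes, entropy: bytes, pid: int) -> bytes:
    """Models the Debian change: the entropy buffer is accepted but never mixed in."""
    del entropy  # the caller still passes it; it just no longer influences the pool
    return hashlib.sha256(pool + pid.to_bytes(4, "big")).digest()

def derive_key(seed_fn: SeedFn, pid: int, entropy: bytes) -> bytes:
    """Toy key derivation: seed an empty pool, then take the first 16 bytes."""
    return seed_fn(b"", entropy, pid)[:16]

def count_distinct_keys(seed_fn: SeedFn, trials: int, pid_range: int = PID_MAX) -> int:
    """Generate `trials` keys, each with fresh OS entropy and a PID that cycles 1..pid_range."""
    keys = set()
    for i in range(trials):
        keys.add(derive_key(seed_fn, (i % pid_range) + 1, os.urandom(32)))
    return len(keys)

def entropy_regression_check(seed_fn: SeedFn, pid_range: int = PID_MAX) -> bool:
    """Regression test: with fresh entropy on every trial, 2 * pid_range trials must
    yield more than pid_range distinct keys. Fails when the PID is the only live seed."""
    return count_distinct_keys(seed_fn, 2 * pid_range, pid_range) > pid_range

if __name__ == "__main__":
    for name, fn in (("upstream-style mixing", mix_entropy),
                     ("Debian-style patch", mix_entropy_patched)):
        print(f"{name}: {count_distinct_keys(fn, 2 * PID_MAX)} distinct keys, "
              f"check {'passed' if entropy_regression_check(fn) else 'FAILED'}")
```

The patched routine produces exactly one key per PID no matter how much entropy is supplied, which is the collapse the advisory's key-regeneration advice responds to.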

"In general, encryption code should not be modified without a very thorough process designed to determine the impact of the modifications," said Gartner.
