Debian security flaw illustrates open source development risks, Gartner says


Antony Savvas

A major security flaw in the Debian Linux distribution illustrates the security risk of open source software, says analyst Gartner.

The SANS Institute recently issued a "yellow alert" concerning a Secure Sockets Layer (SSL) security vulnerability in some Debian distributions of the Linux operating system.

The vulnerability, which affects encryption key pairs used by the Debian OpenSSL package, could enable unauthorised parties to access encrypted transaction data, passwords, financial information and other sensitive data.

A Debian advisory offers recommendations for patching the software and regenerating the encryption keys.

Gartner said, "This vulnerability - which was apparently introduced by Debian's developers, not open-source OpenSSL developers - highlights one of the risks of using software products that incorporate open-source modules."

In May 2006, said Gartner, the Debian developers chose to make changes to the OpenSSL package used in Debian to fix what appeared to be a memory leak, rather than wait for the OpenSSL developer community to investigate and address the issue.

The Debian "fix" resulted in a serious weakness in the OpenSSL random-number generator, which made it easy for attackers to discover encryption keys.

"In general, encryption code should not be modified without a very thorough process designed to determine the impact of the modifications," said Gartner.




