Debian security flaw illustrates open source development risks, Gartner says

Antony Savvas

A major security flaw in the Debian Linux distribution illustrates the security risk of open source software, says analyst firm Gartner.

The SANS Institute recently issued a "yellow alert" concerning a vulnerability in the OpenSSL (Secure Sockets Layer) package shipped with some Debian-based distributions of the Linux operating system.

The vulnerability, which affects encryption key pairs generated with the Debian OpenSSL package, makes those keys predictable and could enable unauthorised parties to access encrypted transaction data, passwords, financial information and other sensitive data.

A Debian advisory offers recommendations for patching the software and regenerating the encryption keys.

Gartner said, "This vulnerability - which was apparently introduced by Debian's developers, not open-source OpenSSL developers - highlights one of the risks of using software products that incorporate open-source modules."

In May 2006, said Gartner, the Debian developers chose to make changes to the OpenSSL package used in Debian to fix what appeared to be a memory leak, rather than wait for the OpenSSL developer community to investigate and address the issue.

The Debian "fix" resulted in a serious weakness in the OpenSSL random-number generator that made it easy for attackers to discover encryption keys: with the normal entropy sources no longer mixed into the generator, the process ID was effectively the only input that varied between runs, so the complete set of keys an affected system could produce was small enough to enumerate in full.
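The following is an added example, not code from the article, from Debian or from OpenSSL: a simplified model of why dropping the entropy from a key generator's seed collapses the key space. It assumes a toy key is "derived" by hashing the seed material, that the process ID is the only input that survives the broken seeding step, and that PIDs range over 1..32767 as on the affected Linux systems; the function names and the 16-byte key length are choices made for this illustration.

```python
# Added example (not from the article or from Debian/OpenSSL): a toy model of
# why removing entropy from a key generator's seed makes keys enumerable.
# Assumptions: a 16-byte key is "derived" by hashing the seed material, the
# process ID is the only input that survives the broken seeding step, and
# PIDs range over 1..32767 as on the affected Linux systems.
import hashlib
import os

MAX_PID = 32768          # Linux default pid_max at the time (assumed here)
KEY_BYTES = 16           # length of the toy key


def derive_key(seed_material: bytes) -> bytes:
    """Stand-in for 'run the PRNG and cut a key from it': hash the seed."""
    return hashlib.sha256(seed_material).digest()[:KEY_BYTES]


def healthy_seed(pid: int, entropy: bytes) -> bytes:
    """Intended seeding: PID plus fresh entropy are both mixed into the pool."""
    return pid.to_bytes(4, "little") + entropy


def broken_seed(pid: int, entropy: bytes) -> bytes:
    """Debian-style seeding: the step that mixed `entropy` into the pool is
    gone, so only the PID reaches the generator and `entropy` is ignored."""
    return pid.to_bytes(4, "little")


def generate_key(seed_fn, pid: int, entropy: bytes) -> bytes:
    """Seed the toy generator with seed_fn and derive one key from it."""
    return derive_key(seed_fn(pid, entropy))


def build_weak_key_table() -> dict:
    """Everything the broken generator can ever output, indexed by key.
    This is the attacker's precomputed table and, equally, a checker's
    blacklist of keys that must be regenerated."""
    return {generate_key(broken_seed, pid, b""): pid for pid in range(1, MAX_PID)}


def recover_pid(key: bytes, table: dict):
    """Return the PID that produced `key` if it is a weak key, else None."""
    return table.get(key)


def is_weak(key: bytes, table: dict) -> bool:
    """True if `key` is one the broken generator could have produced."""
    return key in table


if __name__ == "__main__":
    table = build_weak_key_table()
    print(f"weak key table holds {len(table)} keys")

    # Two unrelated machines, different entropy, same PID at key-generation time.
    e1, e2 = os.urandom(32), os.urandom(32)   # constructed sample entropy
    k_broken_1 = generate_key(broken_seed, 4242, e1)
    k_broken_2 = generate_key(broken_seed, 4242, e2)
    print("broken generator, same PID on two machines:", k_broken_1 == k_broken_2)
    print("attacker recovers PID from the key:", recover_pid(k_broken_1, table))

    k_healthy = generate_key(healthy_seed, 4242, e1)
    print("healthy generator key found in weak table:", is_weak(k_healthy, table))
```

Building the whole table takes a fraction of a second, which is the point: once the only varying input is a 15-bit PID, "discovering" a key means looking it up, and the same table that an attacker uses to match keys is what a checker uses to find keys that must be regenerated.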

"In general, encryption code should not be modified without a very thorough process designed to determine the impact of the modifications," said Gartner.