Software // Operating Systems
News
5/28/2008
02:04 PM
Connect Directly
RSS
E-Mail
50%
50%

Debian Linux Suffers From 'Major Security Flaw,' Gartner Warns

The open source operating system is said to be vulnerable to hacks that could leave users' personal data exposed to identity thieves.

A popular distribution of the Linux open source operating system is vulnerable to hacks that could leave users' personal data exposed to identity thieves, according to IT consulting group Gartner.

The problem: Debian GNU/Linux's implementation of the Secure Sockets Layer communications protocol "made it easy for attackers to discover encryption keys," Gartner said in its report.

Encryption keys are bits of information that allow computers to interpret coded information.

Debian uses the open source OpenSSL version of Secure Sockets Layer. Gartner said the security glitch can be traced to the fact that Debian developers implemented changes to OpenSSL to fix a memory leak without first consulting the OpenSSL development community.

"The Debian 'fix' resulted in a serious weakness in the OpenSSL random number generator," the researchers said. The vulnerability "highlights one of the risks of using software products that incorporate open-source modules," Gartner said in the report, which was issued last week.

Gartner said the Debian organization was unresponsive to its attempts to contact it about the issue. "We believe this experience confirms our view that open-source process communications require significant improvements," Gartner said.

Debian has issued a patch to fix the problem. Gartner is advising businesses that use Debian GNU/Linux to implement the patch and regenerate all cryptographic keys generated by Debian OpenSSL versions beginning with 0.9.8c-1.

In general, businesses that use open source software need to adopt vulnerability management processes that include an application inventory to identify "open-source software dependencies" and ensure all current patches have been implemented, Gartner said.

The Debian project was launched in 1993 by Purdue University student Ian Murdock.

Comment  | 
Print  | 
More Insights
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Tech Digest - July 22, 2014
Sophisticated attacks demand real-time risk management and continuous monitoring. Here's how federal agencies are meeting that challenge.
Flash Poll
Video
Slideshows
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
A UBM Tech Radio episode on the changing economics of Flash storage used in data tiering -- sponsored by Dell.
Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.