Debian Linux Suffers From 'Major Security Flaw,' Gartner Warns
The open source operating system is said to be vulnerable to hacks that could leave users' personal data exposed to identity thieves.
A popular distribution of the Linux open source operating system is vulnerable to hacks that could leave users' personal data exposed to identity thieves, according to IT consulting group Gartner.
The problem: Debian GNU/Linux's implementation of the Secure Sockets Layer communications protocol "made it easy for attackers to discover encryption keys," Gartner said in its report.
Encryption keys are bits of information that allow computers to interpret coded information.
Debian uses the open source OpenSSL version of Secure Sockets Layer. Gartner said the security glitch can be traced to the fact that Debian developers implemented changes to OpenSSL to fix a memory leak without first consulting the OpenSSL development community.
"The Debian 'fix' resulted in a serious weakness in the OpenSSL random number generator," the researchers said. The vulnerability "highlights one of the risks of using software products that incorporate open-source modules," Gartner said in the report, which was issued last week.
Gartner said the Debian organization was unresponsive to its attempts to contact it about the issue. "We believe this experience confirms our view that open-source process communications require significant improvements," Gartner said.
Debian has issued a patch to fix the problem. Gartner is advising businesses that use Debian GNU/Linux to implement the patch and regenerate all cryptographic keys generated by Debian OpenSSL versions beginning with 0.9.8c-1.
In general, businesses that use open source software need to adopt vulnerability management processes that include an application inventory to identify "open-source software dependencies" and ensure all current patches have been implemented, Gartner said.
The Debian project was launched in 1993 by Purdue University student Ian Murdock.
How Enterprises Are Attacking the IT Security EnterpriseTo learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
Digital Transformation Myths & TruthsTransformation is on every IT organization's to-do list, but effectively transforming IT means a major shift in technology as well as business models and culture. In this IT Trend Report, we examine some of the misconceptions of digital transformation and look at steps you can take to succeed technically and culturally.