Yes there was a security hole in Linux, but Red Hat already fixed it

Luckily enough for all of us Red Hat quickly found, patched and distributed a fix. Originally reported by Ars Technica, the fix was available by the time the general public was made aware of it. It’s actually fairly similar to a certain security hole that lived for a year and could have allowed for exploits to be used in the wild.

To explain the exploit simply, when a device using SSL for security should have failed or rejected a certificate in a certain manner it didn’t. Instead, it greeted it with open arms and hug like any proper security certificate. This unintentional behavior could have allowed for an entity not part of the authentication (your browser and the site are the only parties that should be present for the exchange) to simply step in to take a peek at all data that is being exchanged. Primarily login information and any other encrypted data.

What could allow for such an awful action to be possible? A bad “goto” statement. In programming, a goto statement in most languages tell a program to move its’ running logic to another part of the program and complete the instructions there. This statement was present twice in gnuTLS, a secure communications library. Many Linux based operating systems and programs relied upon this library as a source for verifying that whatever they did could be trusted so that users would be safe.

Red Hat found the exploit in a security audit and worked extremely quickly to inform and update the linux community. This is an excellent example of the security of open source in action. The audit may have been prompted by the recent security scare on Apple devices, but it was handled openly and swiftly. Users of all types and levels were alerted at the same time in an open format. There was no secrecy nor any wondering of when a patch would be released. Even if Red Hat couldn’t have provided a fix (Ha, extremely unlikely for that brilliant bunch), the discovery of the exploit and communication would have allowed for those with the proper expertise in the community to act.

If you’re using a Linux distro then it would be prudent for you to check for an update now. If your distribution hasn’t provided a patch, I would expect for it to arrive shortly if it has any decent level of support. There aren’t any known exploits of this security hole being used in the wild. By the time one could be created and seriously mobilized, most currently unpatched systems should be updated.

Sources: Ars Technica; ZDNet