A flaw in GnuTLS that would enable an attacker to bypass certificate validation checks has been patched, and fixes are being pushed to all major Linux distributions.

Nikos Mavrogiannopoulos, the developer of GnuTLS, announced on Monday that an audit performed by Red Hat discovered the “important (and at the same time embarrassing) bug.”

At issue are the certificate verification checks used by GnuTLS. Using a specific type of fake certificate, an attacker would be able to get GnuTLS to accept it as valid, granting access to what would otherwise be secure communications. If successful, that gives them the ability to sit on the wire and monitor traffic in clear text, or to inject code of their choosing, creating a wider attack surface.

The issue impacts GnuTLS versions 3.2.11 / 3.1.21 and earlier. The fix is available now in versions 3.2.12 and 3.1.22. According to the security advisories on LWN, Debian, Mageia, Oracle, Red Hat, Scientific Linux, Slackware, SUSE, and Ubuntu have all pushed updated versions to their users. It’s advised that these patches be applied immediately.

The lesson to learn from the disclosure of this bug isn’t that it’s embarrassing. Flaws happen in code, and some of them will be serious. No, embarrassment shouldn’t be the focus. The lesson here is that code analysis works, and consistent checks after the code has been deployed can catch things that might be missed during normal QA audits. This is exactly why Red Hat wanted the audits performed. But unfortunately, they’re a massive enterprise operation, so they have the time, and more importantly, the resources to push such initiatives into reality.
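A fleet check against the affected range stated above, as an added example that is not part of the article or of GnuTLS itself. It assumes the version is readable through pkg-config or the gnutls-cli banner, and that every release after 3.2.12 (3.3 and later) carries the fix.

```shell
#!/bin/sh
# Hypothetical helper (not from GnuTLS or the article): report whether a GnuTLS
# version string is inside the advisory's affected range, "3.2.11 / 3.1.21 and
# earlier", with fixes in 3.2.12 and 3.1.22.
# Returns 0 (shell "true") when affected, 1 when fixed or newer.
gnutls_affected() {
    major=$(printf '%s\n' "$1" | cut -d. -f1)
    minor=$(printf '%s\n' "$1" | cut -s -d. -f2)
    patch=$(printf '%s\n' "$1" | cut -s -d. -f3)
    minor=${minor%%[!0-9]*}
    patch=${patch%%[!0-9]*}        # drop distro suffixes such as "11-1ubuntu"
    : "${major:=0}" "${minor:=0}" "${patch:=0}"
    if [ "$major" -lt 3 ]; then return 0; fi   # 2.x and older: "and earlier"
    if [ "$major" -gt 3 ]; then return 1; fi   # assumption: later majors are fixed
    case "$minor" in
        0) return 0 ;;                         # 3.0.x predates the 3.1.22 fix
        1) [ "$patch" -lt 22 ] ;;              # 3.1 branch fixed in 3.1.22
        2) [ "$patch" -lt 12 ] ;;              # 3.2 branch fixed in 3.2.12
        *) return 1 ;;                         # 3.3+ released after the fix (assumption)
    esac
}

installed_gnutls_version() {
    # Prefer pkg-config; otherwise take the first dotted number on the first line
    # of gnutls-cli's banner (assumed format, e.g. "gnutls-cli (GnuTLS) 3.2.11").
    if pkg-config --exists gnutls 2>/dev/null; then
        pkg-config --modversion gnutls
    elif command -v gnutls-cli >/dev/null 2>&1; then
        gnutls-cli --version 2>/dev/null | sed -n '1s/.*[^0-9.]\([0-9][0-9.]*\).*/\1/p'
    fi
    return 0
}

ver=$(installed_gnutls_version)
if [ -z "$ver" ]; then
    echo "GnuTLS not found via pkg-config or gnutls-cli"
elif gnutls_affected "$ver"; then
    echo "GnuTLS $ver is in the affected range; update to 3.2.12 / 3.1.22 or later"
else
    echo "GnuTLS $ver is outside the affected range"
fi
```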