Huge Hole in Open Source Software Found, Leaves Millions Vulnerable
Click on the source for the entire article.
Another reason not to use and trust this failure of an OS.
If you are interested, here’s information and tools to exploit this bug: http://metasploit.com/users/hdm/tools/debian-openssl/
A simple programming error reduced the entropy of the keys generated by the OpenSSL library.
Just two lines of code created crippling security holes in four different open source operating systems, 25 application programs, and millions of internet-attached computer systems. The vulnerability was publicly discovered for the first time May 13, after having left the door open nearly two years.
The error reduced the number of keys that Linux can generate from 2^128 to approximately 2^15. Fixing the key problem is not as simple as fixing a buffer overflow vulnerability, another typical security flaw. Because the generated keys are actual files, merely patching the system will not change them. Every single key will need to be replaced in a difficult and time consuming process. Further, keys need to be certified and distributed, which takes more time and is error prone.
The code flagged by Valgrind caused errors, so the programmers simply commented it out, accidentally removing the other sources of randomness along with it. Only the code which used the process ID, an integer ranging from 0 to 32,767, remained to provide randomness.
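An added illustration (not from the article) of why a PID-only seed is so damaging: it models key generation as a deterministic function of the seed, compares the broken seeding with the intended one, and shows the fleet-level check a defender can run, since independently generated keys should never collide. The key derivation is a stand-in for real OpenSSL key generation, and the host list is constructed.

```python
import hashlib
import os

PID_MAX = 32767  # the only entropy left in the broken build: a PID in 0..32767


def derive_key(seed_bytes):
    """Stand-in for key generation: any deterministic function of the PRNG seed.
    Real key generation is more complex, but the property that matters is the
    same: identical seed material produces an identical key."""
    return hashlib.sha256(seed_bytes).hexdigest()


def broken_seed(pid):
    """Models the broken build: only the process id feeds the pool."""
    return pid.to_bytes(2, "big")


def fixed_seed(pid):
    """Models the intended build: process id mixed with OS randomness."""
    return pid.to_bytes(2, "big") + os.urandom(16)


def count_distinct_keys(seed_fn, pids):
    """How many different keys a seeding strategy can produce for the given
    sequence of PIDs. The broken strategy can never exceed PID_MAX + 1."""
    return len({derive_key(seed_fn(pid)) for pid in pids})


def find_duplicate_fingerprints(host_keys):
    """Defender check: group hosts by key fingerprint. Any group with more than
    one host is a red flag, because hosts with working entropy would not have
    generated the same key. host_keys maps hostname -> fingerprint."""
    by_fingerprint = {}
    for host, fingerprint in host_keys.items():
        by_fingerprint.setdefault(fingerprint, []).append(host)
    return {fp: hosts for fp, hosts in by_fingerprint.items() if len(hosts) > 1}


if __name__ == "__main__":
    pids = [i % (PID_MAX + 1) for i in range(100000)]
    print("broken:", count_distinct_keys(broken_seed, pids))  # capped at 32768
    print("fixed: ", count_distinct_keys(fixed_seed, pids))   # one per attempt
    # Constructed fleet: two hosts happened to run keygen with the same PID.
    fleet = {
        "web-01": derive_key(broken_seed(4120)),
        "web-02": derive_key(broken_seed(9731)),
        "db-01": derive_key(broken_seed(4120)),
    }
    print("shared keys:", find_duplicate_fingerprints(fleet))
```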
More alarmingly, one developer points out that the vulnerability has shown a perhaps fatal flaw in the state of the open source industry and in computer security in general: one programmer can make a major change which is blindly accepted by other developers with little understanding of the implications.