News headlines screaming that yet another Microsoft Windows vulnerability has been discovered, is in the wild or has just been patched are two a penny. Such has it ever been. News headlines declaring that a 'major security problem' has been found with Linux are a different kettle of fish. So when reports emerged of an attack that could circumvent verification of X.509 security certificates, and by so doing bypass both Secure Sockets Layer (SSL) and Transport Layer Security (TLS) website protection, people sat up and took notice. Warnings have appeared that recount how the vulnerability can impact upon Debian, Red Hat and Ubuntu distributions. Red Hat itself issued an advisory warning that "GnuTLS did not correctly handle certain errors that could occur during the verification of an X.509 certificate, causing it to incorrectly report a successful verification... An attacker could use this flaw to create a specially crafted certificate that could be accepted by GnuTLS as valid." In all, at least 200 operating systems actually use GnuTLS when it comes to implementing SSL and TLS and the knock-on effect could mean that web applications and email alike are vulnerable to attack. And it's all Linux's fault. Or is it?
The problem with all of this would appear to have started with the best intentions; a programmer working for Red Hat discovered the flaw and Red Hat then issued that advisory which suggested users apply a product update to fix it. All good stuff, with a quick discovery and time to patch ratio. The problem itself, or at least the problem I have here, would more accurately be with the reporting of the flaw. The Internet social media grapevine, Linux and general IT discussion forums, security vendors and before any time at all publications which should know better, all started claiming that this was a Linux bug. A bug, a flaw, with Linux that has been in place for longer than 10 years no less. Linux is flawed, Linux is dangerous, Linux is not as secure as fanboys would have you believe. What a load of rot!
This flaw is very similar indeed to the recent one involving Apple's iOS encryption bug in that it involves the goto statement. In the iOS case it was, as I understand it, just a single goto fail statement that screwed things up, whereas as far as Linux is concerned it is a whole series of goto cleanup calls that have errors. Here's the thing though, these errors are in the GnuTLS library. This library has been an accepted part of the Linux OS for years now, and of Red Hat in particular, which is so often used as a web server OS, and so surprise has been expressed by many (quite rightly) at how it could go undetected so long in an open source OS. The big security positive argued when it comes to any open source product is that anyone can access the source code and test any part of it at will, which should mean that it is that much harder for security flaws to escape attention. I'm with those who say it's a glaring error that the GnuTLS library wasn't checked until now, allowing this error to go unnoticed and available to anyone who might have spotted it and wanted to exploit it for criminal gain. That's a given. What isn't a given, in my opinion, is saying that Linux itself is flawed. That the Linux OS has a major security problem.
Actually, the library (which is maintained by a separate group to the Linux OS one) has a major security problem. The library isn't used just by Linux distributions (which have patched against the vulnerability), and so the claim of it being a Linux problem is not really valid. Maybe I am splitting hairs here, and let me just state that as a Windows, Android and iOS user but not a Linux one I certainly have no fanboy axe to grind, but this sounds a lot like those who would blame Internet Explorer or Microsoft for an Adobe Reader vulnerability...
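One way a `goto cleanup` error path can turn a failure into a reported success, as a simplified example added here (it is not GnuTLS source code, and every function name, error code and byte value in it is constructed): a check documented to return 1 or 0 jumps to its cleanup label while still holding a negative error code, which the caller reads as true.

```c
#include <stdio.h>
#include <stddef.h>
#define ERR_PARSE (-1) /* constructed error code, negative as in most C libraries */

/* Toy parser (hypothetical): fails on truncated input, else reports a CA flag. */
static int parse_cert(const unsigned char *der, size_t len, int *is_ca)
{
    if (der == NULL || len < 2)
        return ERR_PARSE;
    *is_ca = (der[1] == 0x01); /* constructed marker byte, not real DER */
    return 0;
}

/* Contract: 1 = issuer is a CA, 0 = not. Bug: the error path returns -1. */
int issuer_ok_buggy(const unsigned char *der, size_t len)
{
    int is_ca = 0;
    int result = parse_cert(der, len, &is_ca);
    if (result < 0)
        goto cleanup; /* result is still the negative error code */
    result = is_ca;
cleanup:
    return result;
}

/* Fixed: failures leave through a label that forces the boolean "no". */
int issuer_ok_fixed(const unsigned char *der, size_t len)
{
    int is_ca = 0;
    if (parse_cert(der, len, &is_ca) < 0)
        goto fail;
    return is_ca;
fail:
    return 0;
}

/* Caller that trusts the boolean contract, as verification code would. */
int chain_accepted(int (*issuer_ok)(const unsigned char *, size_t),
                   const unsigned char *der, size_t len)
{
    return issuer_ok(der, len) ? 1 : 0;
}

int main(void)
{
    const unsigned char bad[] = { 0x30 }; /* constructed truncated input */
    printf("buggy=%d fixed=%d\n", chain_accepted(issuer_ok_buggy, bad, 1),
           chain_accepted(issuer_ok_fixed, bad, 1));
    return 0;
}
```

A code review or static-analysis rule that flags any function with a boolean contract returning a variable that can hold an error code catches this class of mistake.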
No, you don't need to reinstall the whole OS. You might just need to download some drivers.
Rubberman was merely stating that there might be some pieces of hardware on your machine which require proprietary drivers and that proprietary drivers might not be installed when the Ubuntu operating system is first installed.
To troubleshoot this problem, open a terminal in Ubuntu and run the two commands specified by rubberman (lspci and lsusb) and repost their output.
The lspci command will list details of hardware connected to your pci bus. The lsusb command will list details of USB devices connected to your computer. This will give an idea of what hardware devices you have.
Also lspci -v will show more detailed information about the hardware, including the name of the Linux kernel module/driver which handles that piece of hardware (if any). That might help to track down any driver problems.
Once we can see what hardware you are using, someone here will be able to direct you to the correct drivers, if any are required.
Also, you mentioned network problems. What output do you get from the command ifconfig? That will show the networking status of your PC in Ubuntu and will show which, if any, of your network interfaces are configured and running.
I've a problem with spam email in Ubuntu 1204 LTS using ispconfig3...
Each spam email detected by the server (ispconfig3) is not sent to the client (Outlook); it's stopped at the server.
How do I allow/bypass all email containing spam through to the client?
What must I set?
I agree with using server-side redirection. When 301 and 302s are used, I see it as telling the user you know what page they want, but you're getting them to do the work and waste time mucking around to move to another URL, rather than just taking it within your stride and silently feeding them the appropriate content.
I see it as a waste of time. Yes, it's only a fraction of a second, but it adds up. Logging into and out of my Google Account takes a considerable amount of time while I wait for a handful of redirections to execute.
I will, however, acknowledge that the preservation of post data across 301s is sometimes useful, but I can't come up with a situation off the top of my head where you couldn't simply copy $_POST across to $_SESSION and redirect.
I don't see Dani's as a situation requiring preservation of post data though (nothing personal, prove me wrong and so on). Since the data would've already been posted without being encrypted, you might as well get on with processing the login and returning a 301 redirect if appropriate.
Are you using WiFi, or wired Ethernet? If WiFi, then you probably need to install the proprietary driver and firmware for your WiFi hardware. Run "lspci" and "lsusb" and post the output here. Then I can help you get the proper drivers and firmware installed.
FWIW, this is not an uncommon problem with Ubuntu or other Linux systems that do not install proprietary drivers/firmware by default.
I am looking for a free/open-source application similar to RescueTime. The features that I am looking for are automatic app tracking and optionally website tracking. Also, I would like to have the possibility to install the application on multiple computers and centralize all the statistics on a central server.
Do you know of any apps that might meet these requirements or at least about open-source apps that could be adapted?
I am using Ubuntu 12.10 with my Windows, as each has a separate partition, and I am wondering about this... drivers are missing and when I try to get online it says that it can't get online, and I wonder if USB 3.0 can have a way to let Ubuntu install and work on it... or will I have to get drivers on CD, as I am talking through a laptop, and install them on Ubuntu to fix this issue, and will I have no net on it, or what do I do to update it? Ubuntu 12.10 is smooth but can't play audio, and I wish anyone can help. Thanks all.
Good suggestions Jorge. I am writing a lot of PHP code these days, and you can do it in PHP on the server side. I was just hoping that someone knew a quick and easy approach for Dani, without requiring that she write a bunch more code. :-)
I actually had something similar I was working on a few weeks ago with the 301 redirect. I wasn't working with posted data (actually exception data), but in any event I had to implement a server side redirect instead of using a 301 because I would lose the exception with the 301. In ASP.NET this is accomplished using the Server.Transfer() method. Not sure about PHP or whatever other server side scripting you are doing.
Also, couldn't you just capture the post data, save it to a session variable(s), then redirect?
Dani, what browser are you using? My people suggested that you try another, like Firefox which has good diagnostic and tracing tools to help determine what is going on. In any case, they think it is a browser issue most likely. In any case, we haven't seen this issue with our Mozilla-based proxy browsers.