I just read a description of CVE-2020-1971, which indicates that a patch was released today for OpenSSL; the patched version is 1.1.1i -- my version of Ubuntu 20.04.1 LTS is running OpenSSL version 1.1.1f, from last March.

Software Updater says that my system is up to date. I am hoping that this openSSL update is released by Canonical by tomorrow... can anyone confirm they are working on this?

frogola
  • 197
  • Related: https://wiki.ubuntu.com/SecurityTeam/FAQ#Versions https://www.debian.org/security/faq#version https://access.redhat.com/security/updates/backporting https://documentation.suse.com/sles/15-SP1/html/SLES-all/cha-update-backport.html – sarnold Dec 15 '20 at 00:07
  • I think the key is to run apt update before listing available versions with apt list or trying an upgrade with apt install. In this particular case: apt list openssl --installed returns: openssl/now 1.1.1f-1ubuntu2 amd64 [installed,local] while apt update && apt list openssl --installed returns: openssl/focal,now 1.1.1f-1ubuntu2 amd64 [installed,upgradable to: 1.1.1f-1ubuntu2.1] – mirekphd Dec 25 '20 at 12:14

1 Answer

14

When a CVE question comes up, your first stop should be Ubuntu's CVE tracker at https://ubuntu.com/security.

  1. Here's what the Ubuntu CVE tracker said about this CVE and this package when I checked:

    [screenshot: Ubuntu CVE tracker entry for CVE-2020-1971, openssl package]

  2. Let's double-check that openssl 1.1.1f-1ubuntu2.1 is available for apt to download and install:

    $ apt-cache madison openssl   // 20.04 system, matching the question
    openssl | 1.1.1f-1ubuntu2          | focal 
    openssl | 1.1.1f-1ubuntu2.1        | focal-security  <----- There it is
    openssl | 1.1.1f-1ubuntu2.1        | focal-updates   <----- And there, too
    
  3. For the curious, let's take a look at the Launchpad page for that package to determine the patched 20.04 version's upload date (08 December 2020 / 08.12.2020) :

    [screenshot: Launchpad page for openssl 1.1.1f-1ubuntu2.1 showing the 08 December 2020 upload]

  4. Check your installed package version using apt list openssl.

    $ apt list openssl
    Listing... Done
    openssl/focal-updates,focal-security, now 1.1.1f-1ubuntu2.1 amd64 [installed]
    
    • For most users, Unattended Upgrades has already downloaded and installed many -security upgrades like this automatically and silently. Rapidly rolling out security patches without pestering you is exactly what it is intended for.

Background: There are two ways to handle security updates.

  1. Update to a newer release that incorporates the change. Since most users have no idea how to apply a patch, this is a common recommendation. For unskilled users, this is an easy and reasonably safe method. This will update you to 1.1.1i.

  2. Apply the patch to the current version. Since the Ubuntu Security Team engineers DO know how to apply and test patches, this is how Ubuntu security updates work. Ubuntu provides a patched version, not a new version. This will update you from 1.1.1f-1ubuntu2 to 1.1.1f-1ubuntu2.1. Yes, your -v flag will say 1.1.1f, and that's correct. But you are still patched; the vuln can no longer affect you.

muru
  • 197,895
  • 55
  • 485
  • 740
user535733
  • 62,253