
Ubuntu reports that updating libssl1.0.0 to 1.0.1-4ubuntu5.14 will address CVE-2014-0224 (USN-2232-1).

That these are the installed libraries can be verified with apt-cache policy openssl:

apt-cache policy openssl
openssl:
  Installed: 1.0.1-4ubuntu5.14
  Candidate: 1.0.1-4ubuntu5.14
  Version table:
 *** 1.0.1-4ubuntu5.14 0
        500 http://us-east-1.ec2.archive.ubuntu.com/ubuntu/ precise-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu/ precise-security/main amd64 Packages
        100 /var/lib/dpkg/status
     1.0.1-4ubuntu3 0
        500 http://us-east-1.ec2.archive.ubuntu.com/ubuntu/ precise/main amd64 Packages

The vulnerability was reported on June 5, 2014 (see here).

After updating with apt-get update and apt-get upgrade, however, openssl version -a reports that the build date was before the date the vulnerability was reported.

openssl version -a
OpenSSL 1.0.1 14 Mar 2012
built on: Mon Jun  2 19:37:18 UTC 2014
platform: debian-amd64
options:  bn(64,64) rc4(16x,int) des(idx,cisc,16,int) blowfish(idx) 
compiler: cc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -DTERMIO -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -Wl,-Bsymbolic-functions -Wl,-z,relro -Wa,--noexecstack -Wall -DOPENSSL_NO_TLS1_2_CLIENT -DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50 -DMD32_REG_T=int -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
OPENSSLDIR: "/usr/lib/ssl"

My question:

Is the build date preceding the report date significant? Do I have to go outside the normal update/upgrade approach using apt and compile from source?

(Please note: this is not a duplicate of another question about CVE-2014-0224 (see here))

vanillajohn

1 Answer


The build date is significant, but even though the date is before the report date, it seems that the CVEs have been fixed.

According to the openssl Precise source package page, the changelog entry lists four CVEs being fixed, but note that the changelog date is June 2, the same as the build date. Ubuntu Security first builds packages in their PPA and then copies them over, which is why it says June 5 elsewhere on their page.

NOTE: Due to a regression in the patch for CVE-2014-0224, a new version of openssl has been released for all Ubuntu releases. The latest version of openssl for Precise is now 1.0.1-4ubuntu5.15 (the above link links to that source package). The version initially mentioned in the question is here.

saiarcot895
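The check the answer is actually making, as an added example that is not part of the question or the answer: decide from the package changelog which package version carries the CVE fix, then compare the installed version against it with dpkg's own version ordering. Python is used instead of a shell one-liner so the example runs on a machine without dpkg; it re-implements the deb-version(5) comparison rather than calling `dpkg --compare-versions`. The changelog text is constructed for the example: only the version numbers 1.0.1-4ubuntu3, 1.0.1-4ubuntu5.14 and 1.0.1-4ubuntu5.15 and the CVE-2014-0224 fix-then-regression-fix story come from the thread; the wording, dates and maintainer lines are made up.

```python
"""Is an installed Debian/Ubuntu package version at or past the CVE fix?

Added example, not from the original post. Pure-Python port of the dpkg
version ordering (deb-version(5)); on an Ubuntu host the equivalent is
`dpkg --compare-versions A ge B`, and the real changelog comes from
`apt-get changelog openssl` or /usr/share/doc/openssl/changelog.Debian.gz.
"""
import re

# Constructed changelog excerpt. Versions and the CVE-2014-0224 fix/regression
# sequence follow the thread; every other detail here is invented.
SAMPLE_CHANGELOG = """\
openssl (1.0.1-4ubuntu5.15) precise-security; urgency=medium

  * SECURITY REGRESSION: fix handshake regression introduced by the
    CVE-2014-0224 patch (constructed wording)

 -- Example Maintainer <maint@example.invalid>  Thu, 12 Jun 2014 12:00:00 +0000

openssl (1.0.1-4ubuntu5.14) precise-security; urgency=medium

  * SECURITY UPDATE: early ChangeCipherSpec handling (CVE-2014-0224)
    (constructed wording)

 -- Example Maintainer <maint@example.invalid>  Mon, 02 Jun 2014 12:00:00 +0000

openssl (1.0.1-4ubuntu3) precise; urgency=low

  * No security changes in this constructed entry.

 -- Example Maintainer <maint@example.invalid>  Mon, 02 Apr 2012 12:00:00 +0000
"""


def _order(c):
    """dpkg's weight for one character of a non-digit run."""
    if c == '~':
        return -1            # '~' sorts before everything, even end of string
    return ord(c) if c.isalpha() else ord(c) + 256   # letters before non-letters


def _cmp_fragment(a, b):
    """Compare two fragments the dpkg way: alternate a weighted-lexical
    non-digit run with a numeric digit run until both strings are consumed."""
    while a or b:
        ia = len(a) - len(a.lstrip('~!@#$%^&*()_+-=[]{};:,./<>?abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'))
        ib = len(b) - len(b.lstrip('~!@#$%^&*()_+-=[]{};:,./<>?abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'))
        ia = next((i for i, c in enumerate(a) if c.isdigit()), len(a))
        ib = next((i for i, c in enumerate(b) if c.isdigit()), len(b))
        na, nb = a[:ia], b[:ib]
        for i in range(max(len(na), len(nb))):
            oa = _order(na[i]) if i < len(na) else 0   # end of run weighs 0
            ob = _order(nb[i]) if i < len(nb) else 0
            if oa != ob:
                return -1 if oa < ob else 1
        a, b = a[ia:], b[ib:]
        ia = next((i for i, c in enumerate(a) if not c.isdigit()), len(a))
        ib = next((i for i, c in enumerate(b) if not c.isdigit()), len(b))
        da, db = int(a[:ia] or 0), int(b[:ib] or 0)    # numeric, so 5.14 > 5.9
        if da != db:
            return -1 if da < db else 1
        a, b = a[ia:], b[ib:]
    return 0


def parse_version(v):
    """Split '[epoch:]upstream[-revision]'; a missing revision counts as '0'."""
    epoch, sep, rest = v.partition(':')
    if not sep:
        epoch, rest = '0', v
    upstream, sep, revision = rest.rpartition('-')
    if not sep:
        upstream, revision = rest, '0'
    return int(epoch), upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 (a lt / eq / gt b), like dpkg --compare-versions."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)


_HEADER = re.compile(r'^(\S+) \(([^)]+)\) ')
_CVE = re.compile(r'CVE-\d{4}-\d{4,}')


def fix_versions(changelog):
    """Map each CVE ID to the OLDEST version whose entry mentions it, so a later
    regression-fix entry that repeats the ID does not move the fix forward."""
    fixes, version = {}, None
    for line in changelog.splitlines():
        m = _HEADER.match(line)
        if m:
            version = m.group(2)
            continue
        for cve in _CVE.findall(line) if version else ():
            if cve not in fixes or compare_versions(version, fixes[cve]) < 0:
                fixes[cve] = version
    return fixes


def is_fixed(installed, cve, changelog):
    """(fixed?, fixing version or None), decided on the package version rather
    than on the build date or the upstream banner from `openssl version`."""
    fix = fix_versions(changelog).get(cve)
    if fix is None:
        return False, None
    return compare_versions(installed, fix) >= 0, fix


if __name__ == '__main__':
    for v in ('1.0.1-4ubuntu3', '1.0.1-4ubuntu5.14', '1.0.1-4ubuntu5.15'):
        print(v, is_fixed(v, 'CVE-2014-0224', SAMPLE_CHANGELOG))
```

Two caveats the example makes visible. First, the banner "OpenSSL 1.0.1 14 Mar 2012" is the upstream release string compiled into the library; Ubuntu backports security patches into the 1.0.1 source and bumps only the package revision, so neither that string nor the build date says which CVEs a binary has, and a patched 1.0.1-4ubuntu5.14 still sorts below an upstream 1.0.1h in dpkg order. Second, version ordering is not a per-CVE oracle: the changelog (or the USN) is what ties a CVE to a version, which is why the code reads the CVE ID out of the changelog instead of hard-coding a threshold.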