
OpenSSL released a security advisory, warning users of two recently discovered vulnerabilities:

  • Memory corruption in the ASN.1 encoder (CVE-2016-2108)
  • Padding oracle in AES-NI CBC MAC check (CVE-2016-2107)

Their recommendation is as follows:

OpenSSL 1.0.2 users should upgrade to 1.0.2h
OpenSSL 1.0.1 users should upgrade to 1.0.1t

However, the latest version available for Trusty (14.04) is 1.0.1f-1ubuntu2.19. How come such an old version is still being provided and how do I mitigate this?

Nathan Osman

  • As can be seen from the CVE tracker: https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-2108.html, https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-2107.htm; fixes have been released. – muru May 04 '16 at 06:18
  • @muru The question you linked to is more generic and deals with finding out whether a package has been updated or not. This one approaches the issue from the perspective of someone who doesn't think the package has been updated yet, even if the CVE tracker claims it has. OpenSSL is also a bit of a special case here since the package in the archives is often several releases behind upstream. – Nathan Osman May 04 '16 at 06:22
  • So, do we go about making a post for every CVE that affects OpenSSL? Better to redirect people to the USN and the CVE tracker. – muru May 04 '16 at 06:23
  • @muru it may be better to convert this into a generic question for OpenSSL then. I'm not really opposed to having questions for specific issues with OpenSSL since they are infrequent and tend to cause a lot of concern. Having specific CVEs in the body (or even title) increases the chances that someone will land here from Google. – Nathan Osman May 04 '16 at 06:24
  • Sure. I'm just wondering if we'll end up implementing a CVE tracker here. (I'm not all that certain of the infrequency of OpenSSL vulnerabilities.) – muru May 04 '16 at 06:26
  • @muru remember, this question isn't "AAAH OPENSSL IS VULNERABLE - WHAT TO DO!!?!1" but rather it is "OpenSSL doesn't appear to be updated - why?". – Nathan Osman May 04 '16 at 06:28
  • @muru's second link doesn't work because it is missing an l at the end. https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-2107.html – Braiam May 04 '16 at 14:16

1 Answer

The current version does indeed include the mitigations for these vulnerabilities. Rather than keeping up with the OpenSSL releases, the security team prefers to backport fixes.

You can confirm that the package contains the mitigation for the CVEs listed in the question by downloading the Debian packaging for the openssl package:

apt-get source openssl

You will find a file named openssl_1.0.1f-1ubuntu2.19.debian.tar.gz in the current directory. Extract the contents and list the contents of debian/patches:

$ ls debian/patches
...
CVE-2016-2107.patch
CVE-2016-2108-1.patch
CVE-2016-2108-2.patch
...
Nathan Osman

  • After applying this update, Qualys SSL Labs still reports that my server is vulnerable to CVE-2016-2107. Does the application itself (nginx, in this case) have an effect on whether the vulnerability is mitigated? – Elkvis Jun 28 '16 at 19:15
  • @Elkvis did you restart nginx after applying the update? – Nathan Osman Jun 28 '16 at 20:52
  • Yes. The machine itself has been restarted a number of times since the update. dpkg -s openssl shows that openssl_1.0.1f-1ubuntu2.19 is installed. Same with libssl. – Elkvis Jun 29 '16 at 12:05
  • I am having the same issue, @Elkvis. Did you manage to solve this problem? – Greg Dubicki Aug 28 '16 at 21:42
  • @GregDubicki No, I never did. I gave up on it. – Elkvis Aug 29 '16 at 13:59
  • I resolved it by updating the following packages apart from openssl itself: libssl-dev libssl-doc libssl1.0.0 and restarting nginx then. I am not sure which package helped and don't have time to check that now, but my problem is solved, @Elkvis. – Greg Dubicki Aug 30 '16 at 19:00
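The check the answer walks through (unpack the openssl_*.debian.tar.gz and look in debian/patches for patch files named after the CVEs) scripted so it can be repeated for any list of CVE ids. This is an added example, not code from the answer, from Ubuntu or from the OpenSSL packaging. It assumes the tarball is gzip-compressed with a top-level debian/ directory, as apt-get source produces; the function names are mine, and the sample tarball it builds for the offline demonstration is constructed, containing only placeholder files named like the patches listed in the answer. CVE-0000-0000 is a made-up id used only to show the "missing" case.

```shell
#!/bin/sh
# Added example, not code from the answer or from the Ubuntu/Debian packaging:
# check an openssl *.debian.tar.gz for CVE-named patch files under
# debian/patches, the manual check described in the answer.
# Assumptions (mine): gzip-compressed tarball with a top-level debian/
# directory, as `apt-get source openssl` produces.

# Unpack the packaging tarball ($1) into directory $2 and print that directory.
extract_debian_packaging() {
    mkdir -p "$2" && tar -xzf "$1" -C "$2" && echo "$2"
}

# Print "present" if a patch named after the CVE exists, either as
# CVE-XXXX-YYYY.patch or as a split series like CVE-XXXX-YYYY-1.patch;
# otherwise print "missing". The exit status follows the result.
cve_patch_status() {
    patchdir="$1"
    cve="$2"
    for f in "$patchdir/$cve.patch" "$patchdir/$cve"-*.patch; do
        if [ -e "$f" ]; then
            echo "present"
            return 0
        fi
    done
    echo "missing"
    return 1
}

# Check every CVE id given after the patch directory; exit status is
# non-zero if any of them has no patch.
check_cves() {
    patchdir="$1"
    shift
    rc=0
    for cve in "$@"; do
        status=$(cve_patch_status "$patchdir" "$cve") || true
        echo "$cve: $status"
        [ "$status" = "present" ] || rc=1
    done
    return $rc
}

# Constructed sample tarball for the offline demonstration: it holds only
# placeholder files named like the patches listed in the answer, built
# under directory $1, and prints the tarball path.
build_sample_packaging() {
    work="$1/build"
    mkdir -p "$work/debian/patches"
    for p in CVE-2016-2107.patch CVE-2016-2108-1.patch CVE-2016-2108-2.patch; do
        printf '# constructed placeholder, not a real patch\n' > "$work/debian/patches/$p"
    done
    tar -czf "$1/openssl_1.0.1f-1ubuntu2.19.debian.tar.gz" -C "$work" debian
    echo "$1/openssl_1.0.1f-1ubuntu2.19.debian.tar.gz"
}

# Demonstration on the constructed tarball. With the real one, run
# `apt-get source openssl` and pass its *.debian.tar.gz to
# extract_debian_packaging instead. CVE-0000-0000 is a made-up id that
# shows the "missing" output.
demo_dir=$(mktemp -d)
demo_src=$(extract_debian_packaging "$(build_sample_packaging "$demo_dir")" "$demo_dir/src")
check_cves "$demo_src/debian/patches" CVE-2016-2107 CVE-2016-2108 CVE-0000-0000 || true
rm -rf "$demo_dir"
```

A "present" result only shows that the source package carries the fix; as the comments above record, the running service (nginx here) still has to be restarted so that it loads the updated libssl before an external scan will stop reporting the issue.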