OpenSSL 1.1.1 security bug CVE-2020-1971 [duplicate]

I just read a description of CVE-2020-1971, which indicates that a patch was released today for OpenSSL; the patched version is 1.1.1i. My version of Ubuntu 20.04.1 LTS is running OpenSSL version 1.1.1f, from last March.

Software Updater says that my system is up to date. I am hoping that this OpenSSL update is released by Canonical by tomorrow... can anyone confirm they are working on this?


When a CVE question comes up, your first stop should be Ubuntu's CVE tracker at https://ubuntu.com/security.

  1. Here's what the Ubuntu CVE tracker said about this CVE and this package when I checked:

    [screenshot: Ubuntu CVE tracker entry for CVE-2020-1971, openssl package]

    • According to https://ubuntu.com/security/CVE-2020-1971, this CVE was mitigated in 20.04 in openssl 1.1.1f-1ubuntu2.1, which is already in the Ubuntu repositories (focal-security pocket).
  2. Let's double-check that openssl 1.1.1f-1ubuntu2.1 is available for apt to download and install:

    $ apt-cache madison openssl   # 20.04 system, matching the question
    openssl | 1.1.1f-1ubuntu2          | focal 
    openssl | 1.1.1f-1ubuntu2.1        | focal-security  <----- There it is
    openssl | 1.1.1f-1ubuntu2.1        | focal-updates   <----- And there, too
    
  3. For the curious, let's take a look at the Launchpad page for that package to determine the patched 20.04 version's upload date (08 December 2020 / 08.12.2020):

    [screenshot: Launchpad page for openssl 1.1.1f-1ubuntu2.1, uploaded 08 December 2020]

  4. Check your installed package version using apt list openssl.

    $ apt list openssl
    Listing... Done
    openssl/focal-updates,focal-security, now 1.1.1f-1ubuntu2.1 amd64 [installed]
    
    • For most users, Unattended Upgrades has already downloaded and installed many -security upgrades like this automatically and silently. Rapidly rolling out security patches without pestering you is exactly what it is intended for.

Background: There are two ways to handle security updates.

  1. Update to a newer release that incorporates the change. Since most users have no idea how to apply a patch, this is a common recommendation. For unskilled users, this is an easy and reasonably safe method. This will update you to 1.1.1i.

  2. Apply the patch to the current version. Since the Ubuntu Security Team engineers DO know how to apply and test patches, this is how Ubuntu security updates work. Ubuntu provides a patched version, not a new version. This will update you from 1.1.1f-1ubuntu2 to 1.1.1f-1ubuntu2.1. Yes, your -v flag will say 1.1.1f, and that's correct. But you are still patched; the vuln can no longer affect you.
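The distinction above is why `openssl version` cannot tell you whether you are patched: the upstream string stays 1.1.1f and only the Ubuntu revision moves from 1ubuntu2 to 1ubuntu2.1. As an added example (not part of this answer, and not dpkg's own code), the script below reimplements dpkg's version ordering so the installed package version, as printed by `apt list openssl` or `dpkg-query -W openssl`, can be checked against the fixed version named by the CVE tracker; `FIXED_FOCAL`, `compare_versions` and `is_patched` are names chosen here.

```python
# Compare Debian/Ubuntu package versions with dpkg's rules (epoch, upstream,
# revision; digit runs compare numerically; '~' sorts before end of string).
FIXED_FOCAL = "1.1.1f-1ubuntu2.1"  # fixed 20.04 version from the CVE tracker


def _order(c: str) -> int:
    # dpkg's weight for one character of a non-digit run ('' = end of string)
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return -1 if c == "~" else ord(c) + 256


def _verrevcmp(a: str, b: str) -> int:
    """Compare one fragment (upstream or revision) the way dpkg does."""
    ch = lambda s, k: s[k] if k < len(s) else ""
    i = j = 0
    while ch(a, i) or ch(b, j):
        first_diff = 0
        # Non-digit run: character by character, using dpkg's weights.
        while (ch(a, i) and not ch(a, i).isdigit()) or (ch(b, j) and not ch(b, j).isdigit()):
            ac, bc = _order(ch(a, i)), _order(ch(b, j))
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        # Digit run: numeric comparison, leading zeros ignored.
        while ch(a, i) == "0": i += 1
        while ch(b, j) == "0": j += 1
        while ch(a, i).isdigit() and ch(b, j).isdigit():
            first_diff = first_diff or ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if ch(a, i).isdigit():
            return 1
        if ch(b, j).isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def compare_versions(a: str, b: str) -> int:
    """<0, 0 or >0 in the same order `dpkg --compare-versions` would give."""
    def split(v: str) -> tuple[int, str, str]:
        epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
        upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
        return int(epoch), upstream, revision
    (ea, ua, ra), (eb, ub, rb) = split(a), split(b)
    return (ea - eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)


def is_patched(installed: str, fixed: str = FIXED_FOCAL) -> bool:
    # True when the installed package version is at or above the fixed one
    return compare_versions(installed, fixed) >= 0
```

On a real system, `dpkg --compare-versions "$(dpkg-query -W -f='${Version}' openssl)" ge 1.1.1f-1ubuntu2.1` performs the same check without any Python.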