Why hasn't Trusty received the updates for OpenSSL's CVE-2016-2108 and CVE-2016-2107? [duplicate]

security updates openssl

OpenSSL released a security advisory, warning users of two recently discovered vulnerabilities:

  • Memory corruption in the ASN.1 encoder (CVE-2016-2108)
  • Padding oracle in AES-NI CBC MAC check (CVE-2016-2107)

Their recommendation is as follows:

OpenSSL 1.0.2 users should upgrade to 1.0.2h
OpenSSL 1.0.1 users should upgrade to 1.0.1t

However, the latest version available for Trusty (14.04) is 1.0.1f-1ubuntu2.19. How come such an old version is still being provided and how do I mitigate this?


The current version does indeed include the mitigations for these vulnerabilities. Rather than keeping up with the OpenSSL releases, the security team prefers to backport fixes.

You can confirm that the package contains the mitigation for the CVEs listed in the question by downloading the Debian packaging for the openssl package:

apt-get source openssl

You will find a file named openssl_1.0.1f-1ubuntu2.19.debian.tar.gz in the current directory. Extract the contents and list the contents of debian/patches:

$ ls debian/patches
...
CVE-2016-2107.patch
CVE-2016-2108-1.patch
CVE-2016-2108-2.patch
...

Related

XServer Error could not create lock file
How to go back to previous version of Thunderbird on 18.04?
IcedTea-8 cannot run any jnlp application (maybe due to openjdk-11?)
ATI Catalyst doesn't retain changes after reboot when setting extended display
Does Canonical provide paid support for individuals?
14.04, I have Disabled CPU throttling, but installing Atlas says: "CPU Throttling apparently enabled"
Can't locate ISO for Lubuntu 20.04.1
Is there a faster way to download Ubuntu?
How to change QT (KDE) application icons for gnome?
How do I backup all files? (.dbus and dconf backup problems)
Can't install Steam because of unmet dependencies
Thunderbird strange behaviour. Ubuntu 21.04