Why hasn't Trusty received the updates for OpenSSL's CVE-2016-2108 and CVE-2016-2107?

OpenSSL released a security advisory, warning users of two recently discovered vulnerabilities:

  • Memory corruption in the ASN.1 encoder (CVE-2016-2108)
  • Padding oracle in AES-NI CBC MAC check (CVE-2016-2107)

Their recommendation is as follows:

OpenSSL 1.0.2 users should upgrade to 1.0.2h
OpenSSL 1.0.1 users should upgrade to 1.0.1t

However, the latest version available for Trusty (14.04) is 1.0.1f-1ubuntu2.19. How come such an old version is still being provided and how do I mitigate this?


The current version does indeed include the mitigations for these vulnerabilities. Rather than keeping up with the OpenSSL releases, the security team prefers to backport fixes.

You can confirm that the package contains the mitigation for the CVEs listed in the question by downloading the Debian packaging for the openssl package:

apt-get source openssl

You will find a file named openssl_1.0.1f-1ubuntu2.19.debian.tar.gz in the current directory. Extract the contents and list the contents of debian/patches:

$ ls debian/patches
...
CVE-2016-2107.patch
CVE-2016-2108-1.patch
CVE-2016-2108-2.patch
...
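The answer's check (unpack the source package, look for patch files named after the CVEs) can be scripted so it is repeatable across hosts, and combined with the other place Ubuntu records a backport: the package's Debian changelog (`apt-get changelog openssl`, or `zcat /usr/share/doc/openssl/changelog.Debian.gz` on the box itself). The script below is an added example, not code from the answer above; the changelog entry and patch files it creates in `demo` are constructed sample data in the shape of a trusty-security changelog, not the real package's changelog, and on a real system you would point `package_covers` at the downloaded changelog and the unpacked `debian/patches` directory instead.

```shell
#!/bin/sh
# Added example (not from the answer): verify that an Ubuntu package records
# a fix for each CVE id in BOTH its Debian changelog and its debian/patches dir.

# cves_missing_from_text FILE CVE...  -> prints each CVE id not mentioned in FILE
cves_missing_from_text() {
    file=$1; shift
    for cve in "$@"; do
        grep -q -- "$cve" "$file" || printf '%s\n' "$cve"
    done
}

# has_patch_for DIR CVE -> true if DIR holds a patch whose name starts with CVE
# (Ubuntu names backported security patches CVE-YYYY-NNNN.patch or -1/-2 variants)
has_patch_for() {
    for f in "$1/$2"*; do
        [ -e "$f" ] && return 0
    done
    return 1
}

# cves_missing_from_patches DIR CVE... -> prints each CVE id with no patch in DIR
cves_missing_from_patches() {
    dir=$1; shift
    for cve in "$@"; do
        has_patch_for "$dir" "$cve" || printf '%s\n' "$cve"
    done
}

# package_covers CHANGELOG PATCHDIR CVE... -> exit 0 only if every CVE is
# named in the changelog AND has a patch file; otherwise lists what is missing
package_covers() {
    changelog=$1; patchdir=$2; shift 2
    missing=$(cves_missing_from_text "$changelog" "$@"
              cves_missing_from_patches "$patchdir" "$@")
    if [ -n "$missing" ]; then
        printf 'not covered: %s\n' "$missing" >&2
        return 1
    fi
    return 0
}

# demo: constructed changelog entry and empty patch stubs (sample data, not the
# real 1.0.1f-1ubuntu2.19 changelog); prints "fixed" when both checks pass.
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/changelog" <<'EOF'
openssl (1.0.1f-1ubuntu2.19) trusty-security; urgency=medium

  * SECURITY UPDATE: memory corruption in ASN.1 encoder
    - debian/patches/CVE-2016-2108-1.patch
    - debian/patches/CVE-2016-2108-2.patch
    - CVE-2016-2108
  * SECURITY UPDATE: padding oracle in AES-NI CBC MAC check
    - debian/patches/CVE-2016-2107.patch
    - CVE-2016-2107
EOF
    mkdir "$tmp/patches"
    : > "$tmp/patches/CVE-2016-2107.patch"
    : > "$tmp/patches/CVE-2016-2108-1.patch"
    : > "$tmp/patches/CVE-2016-2108-2.patch"
    if package_covers "$tmp/changelog" "$tmp/patches" CVE-2016-2107 CVE-2016-2108 2>/dev/null; then
        echo "fixed"
    else
        echo "missing"
    fi
    rm -rf "$tmp"
}
```

Checking both sources matters: a CVE id can appear in a changelog entry that says a package is not affected, and a patch file can exist without being listed in `debian/patches/series`, so a CVE that fails either check deserves a closer look at the actual patch contents before you treat the host as fixed.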