FIPS supported package for libssl module

Asked by Arie Saveliev

We are currently implementing Ubuntu 16.04 LTS Xenial on our desktops and as part of our implementation we are working with NIST and DISA, as we are required to ensure that our system is FIPS compliant. During the latest vulnerability scan for our system (using the Nessus scanner by Tenable) we found an outdated package for OpenSSL, which is FIPS certified with the version libssl1.0.0_1.0.2g-1ubuntu4.fips.4.6.3 (4.6.3), that has known vulnerabilities that were addressed in version libssl1.0.0_1.0.2g-1ubuntu4.9 (4.9).

Is there a plan for releasing a newer package for libssl that will be based off of the newer version and include all the vulnerability fixes?

I am basing my info on the data posted in the FIPS section for 16.04 LTS: https://docs.ubuntu.com/security-certs/en/fips-16.html

Please let me know if there are other sources that I am not aware of and whether the documentation is outdated.

Question information

Language: English
Status: Expired
For: Ubuntu
Assignee: No assignee
actionparsnip (andrew-woodhead666) said:
#1

Why Ubuntu 16.04 when 18.04 is available and also LTS, and 20.04 is being released in a few weeks? Why the older version?

Arie Saveliev (ariesaveliev) said:
#2

The obvious reason is, as stated previously, that this is a government project, thus it requires FIPS compliance, and the only version that is CURRENTLY compliant is 16.04. According to the Canonical site, 18.04 is in the process of becoming compliant, but it is not compliant yet: https://ubuntu.com/security/certifications

As per my original question, 4 out of 5 FIPS compliant packages in 16.04 are updated, yet the "libssl" module is not, and I am trying to find out whether it is on the roadmap for development and what the due date is for its availability.

Launchpad Janitor (janitor) said:
#3

This question was expired because it remained in the 'Open' state without activity for the last 15 days.