Checking most recent package versions

Asked by Paul Furnival on 2015-12-16

The OpenSSL Security advisory (https://www.openssl.org/news/secadv/20151203.txt) states that "OpenSSL 1.0.1 users should upgrade to 1.0.1q"; however, the latest package available in the Ubuntu repository is 1.0.1f-1ubuntu2.16.

How do I know if this is the correct version, and why can't I find 1.0.1q as advised by OpenSSL?

Thanks for any help in advance

Question information

Language: English
Status: Answered
For: Ubuntu openssl
Assignee: No assignee
Last query: 2015-12-16
Last reply: 2015-12-16

I suggest you report a bug

Paul Furnival (paul-furnival) said : #2

I don't think this is a bug; it's more likely to be my lack of understanding on how the Ubuntu package numbering system works.

The question really is "how do I know what updates from the source (in this instance OpenSSL) are in the most currently available package (in this case 1.0.1f-1ubuntu2.16), and how do I tie the version numbers together?"

Manfred Hampl (m-hampl) said : #3

With the publication of Trusty, Ubuntu has provided openssl 1.0.1f-1ubuntu2.
Meanwhile there were some bug fixes and further development of openssl.
The general strategy of Ubuntu is to keep the original version of the software and just to do bug fixing, but not to do version upgrades in an already published Ubuntu release (especially for LTS releases).
So you will not find any upgrades to openssl (1.0.1g, 1.0.1h or 1.0.2* etc.) in trusty, but Ubuntu adds additional numbers at the end of the version number 1.0.1f to denote bug fixes done.
I do not know of any source where you could find the translation of the Ubuntu version number to the version number of the official openssl source. The change log will indicate the bugs that were fixed by the updates.

Change log for openssl 1.0.1f-1ubuntu2.16 in trusty:
http://changelogs.ubuntu.com/changelogs/pool/main/o/openssl/openssl_1.0.1f-1ubuntu2.16/changelog

openssl (1.0.1f-1ubuntu2.16) trusty-security; urgency=medium

  * SECURITY UPDATE: Certificate verify crash with missing PSS parameter
    - debian/patches/CVE-2015-3194.patch: add PSS parameter check to
      crypto/rsa/rsa_ameth.c.
    - CVE-2015-3194
  * SECURITY UPDATE: X509_ATTRIBUTE memory leak
    - debian/patches/CVE-2015-3195.patch: fix leak in
      crypto/asn1/tasn_dec.c.
    - CVE-2015-3195
  * SECURITY UPDATE: Race condition handling PSK identify hint
    - debian/patches/CVE-2015-3196.patch: fix PSK handling in
      ssl/s3_clnt.c, ssl/s3_srvr.c.
    - CVE-2015-3196

So the vulnerabilities from https://www.openssl.org/news/secadv/20151203.txt have been solved in the current openssl version on trusty (as far as applicable to 1.0.1*, those in 1.0.2* are not relevant here).
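The changelog check described in the answer above can be scripted. The following is an added example, not part of the original thread: it splits a package version into its upstream and Ubuntu parts and looks up advisory CVE ids in the changelog text. The function names are hypothetical, and the embedded sample is the changelog entry quoted above.

```sh
#!/bin/sh
# Added example. SAMPLE_CHANGELOG is the entry quoted in the answer above,
# embedded so the script runs offline. For live data on an Ubuntu host:
#   check_cves "$(apt-get changelog openssl)" CVE-2015-3194
SAMPLE_CHANGELOG='openssl (1.0.1f-1ubuntu2.16) trusty-security; urgency=medium

  * SECURITY UPDATE: Certificate verify crash with missing PSS parameter
    - debian/patches/CVE-2015-3194.patch: add PSS parameter check to
      crypto/rsa/rsa_ameth.c.
    - CVE-2015-3194
  * SECURITY UPDATE: X509_ATTRIBUTE memory leak
    - debian/patches/CVE-2015-3195.patch: fix leak in
      crypto/asn1/tasn_dec.c.
    - CVE-2015-3195
  * SECURITY UPDATE: Race condition handling PSK identify hint
    - debian/patches/CVE-2015-3196.patch: fix PSK handling in
      ssl/s3_clnt.c, ssl/s3_srvr.c.
    - CVE-2015-3196'

# Debian version format is [epoch:]upstream[-revision]; the revision is
# whatever follows the LAST hyphen, so 1.0.1f-1ubuntu2.16 is upstream 1.0.1f.
upstream_version() { v=${1#*:}; printf '%s\n' "${v%-*}"; }
package_revision() { case $1 in *-*) printf '%s\n' "${1##*-}" ;; esac; }

# Version of the newest changelog entry (first line: "name (version) suite;").
changelog_version() { sed -n '1s/^[^ ]* (\([^)]*\)).*/\1/p'; }
# Unique CVE ids mentioned anywhere in a changelog read from stdin.
cves_in_changelog() { grep -oE 'CVE-[0-9]{4}-[0-9]{4,}' | sort -u; }

# check_cves CHANGELOG_TEXT CVE...  -> returns 1 if any id is not mentioned.
# "not mentioned" means "investigate": it may not apply to this upstream branch.
check_cves() {
    changelog=$1; shift
    found=$(printf '%s\n' "$changelog" | cves_in_changelog)
    missing=0
    for cve in "$@"; do
        if printf '%s\n' "$found" | grep -qxF "$cve"; then
            echo "$cve: fix listed in package changelog"
        else
            echo "$cve: not mentioned"; missing=1
        fi
    done
    return "$missing"
}

ver=$(printf '%s\n' "$SAMPLE_CHANGELOG" | changelog_version)
echo "package $ver = upstream $(upstream_version "$ver") + revision $(package_revision "$ver")"
check_cves "$SAMPLE_CHANGELOG" CVE-2015-3194 CVE-2015-3195 CVE-2015-3196
```

Run it against the full changelog rather than only the newest entry, since fixes from earlier Ubuntu revisions remain in the current package.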
