Checking most recent package versions

Asked by Paul Furnival on 2015-12-16

The OpenSSL Security advisory ( states that "OpenSSL 1.0.1 users should upgrade to 1.0.1q"; however, the latest package available in the Ubuntu repository is 1.0.1f-1ubuntu2.16.

How do I know if this is the correct version, and why can't I find 1.0.1q as advised by OpenSSL?

Thanks for any help in advance

I suggest you report a bug

Paul Furnival (paul-furnival) said : #2

I don't think this is a bug; it's more likely to be my lack of understanding on how the Ubuntu package numbering system works.

The question really is "how do I know what updates from the source (in this instance OpenSSL) are in the most currently available package (in this case 1.0.1f-1ubuntu2.16), and how do I tie the version numbers together?"

Manfred Hampl (m-hampl) said : #3

With the publication of Trusty, Ubuntu has provided openssl 1.0.1f-1ubuntu2.
Meanwhile there were some bug fixes and further development of openssl.
The general strategy of Ubuntu is to keep the original version of the software and just to do bug fixing, but not to do version upgrades in an already published Ubuntu release (especially for LTS releases).
So you will not find any upgrades to openssl (1.0.1g, 1.0.1h or 1.0.2* etc.) in trusty, but Ubuntu adds additional numbers at the end of the version number 1.0.1f to denote bug fixes done.
I do not know any source where you could find the translation of the Ubuntu version number to the version number of the official openssl source. The change log will indicate the bugs that were fixed by the updates.

Change log for openssl 1.0.1f-1ubuntu2.16 in trusty:

openssl (1.0.1f-1ubuntu2.16) trusty-security; urgency=medium

  * SECURITY UPDATE: Certificate verify crash with missing PSS parameter
    - debian/patches/CVE-2015-3194.patch: add PSS parameter check to
    - CVE-2015-3194
    - debian/patches/CVE-2015-3195.patch: fix leak in
    - CVE-2015-3195
  * SECURITY UPDATE: Race condition handling PSK identify hint
    - debian/patches/CVE-2015-3196.patch: fix PSK handling in
      ssl/s3_clnt.c, ssl/s3_srvr.c.
    - CVE-2015-3196

So the vulnerabilities from have been solved in the current openssl version on trusty (as far as applicable to 1.0.1*, those in 1.0.2* are not relevant here).
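The check described in the answer above (reading the changelog to see which CVEs a package version fixes) can be scripted. This is an added example, not part of the original thread; the function names are hypothetical, and the embedded sample is an excerpt of the changelog entry quoted above.

```shell
#!/bin/sh
# Added example (not from the thread): tie CVE ids to Ubuntu package versions
# by reading the package changelog.

# Excerpt of the changelog entry quoted in the answer above, embedded so the
# script runs offline.
sample_changelog() {
cat <<'EOF'
openssl (1.0.1f-1ubuntu2.16) trusty-security; urgency=medium

  * SECURITY UPDATE: Certificate verify crash with missing PSS parameter
    - CVE-2015-3194
    - CVE-2015-3195
  * SECURITY UPDATE: Race condition handling PSK identify hint
    - debian/patches/CVE-2015-3196.patch: fix PSK handling in
      ssl/s3_clnt.c, ssl/s3_srvr.c.
    - CVE-2015-3196
EOF
}

# Print every distinct CVE id mentioned in the changelog read from stdin.
cves_in_changelog() {
    grep -oE 'CVE-[0-9]{4}-[0-9]{4,}' | sort -u
}

# Print the package version(s) whose changelog entry mentions the CVE in $1.
version_fixing() {
    awk -v cve="$1" '
        /^[a-z0-9][a-z0-9+.-]* \(/ { ver = $2; gsub(/[()]/, "", ver) }
        $0 ~ (cve "([^0-9]|$)") && !seen[ver]++ { print ver }
    '
}

# Print each CVE id from the arguments that the changelog on stdin does not
# mention; exit status 1 if any is missing.
missing_cves() {
    found=$(cves_in_changelog)
    rc=0
    for cve in "$@"; do
        printf '%s\n' "$found" | grep -qxF -- "$cve" || { echo "$cve"; rc=1; }
    done
    return "$rc"
}

# On a real system feed the functions the package changelog instead, e.g.
#   apt-get changelog openssl | version_fixing CVE-2015-3196
#   zcat /usr/share/doc/openssl/changelog.Debian.gz | missing_cves CVE-2015-3194
sample_changelog | version_fixing CVE-2015-3196
```

A CVE that `missing_cves` reports is not necessarily unpatched: as the answer notes, it may simply not apply to the 1.0.1 series shipped in that release.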
