Ubuntu 14.04 LTS openssl version is still 1.0.1f

Asked by Nestor Urquiza

Greetings!

Is there any reason why Ubuntu 14.04 LTS openssl version is still 1.0.1f?

From https://www.openssl.org/news/openssl-1.0.1-notes.html there have been a lot of patches since that version. In fact, this critical patch https://www.openssl.org/news/vulnerabilities.html#2016-6304 is only available in the latest version, OpenSSL 1.0.1u [22 Sep 2016].

I ran the below:
sudo apt-get update
sudo apt-get install openssl libssl-dev
openssl version -a

And I got:
$ openssl version -a
OpenSSL 1.0.1f 6 Jan 2014
built on: Fri Sep 23 12:19:57 UTC 2016
platform: debian-amd64
options: bn(64,64) rc4(8x,int) des(idx,cisc,16,int) blowfish(idx)
compiler: cc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -DTERMIO -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -Wl,-Bsymbolic-functions -Wl,-z,relro -Wa,--noexecstack -Wall -DMD32_REG_T=int -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
OPENSSLDIR: "/usr/lib/ssl"

Does this mean that 4 hours and 10 minutes ago 1.0.1f was rebuilt?

Best,
- Nestor

Status: Answered
For: Ubuntu openssl
#1 actionparsnip (andrew-woodhead666) said:

I suggest you report a bug

#2 Manfred Hampl (m-hampl) said:

Yes, a new version of openssl for Ubuntu Trusty was provided a few hours ago, with an update from 1.0.1f-1ubuntu2.20 to 1.0.1f-1ubuntu2.21 with a fix for CVE-2016-2182

Standard procedure in Ubuntu is keeping the version that was current when the Ubuntu release was published, and backporting bug fixes into that version.

Status regarding CVE-2016-6304 is
https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-6304.html
and
https://bugs.launchpad.net/bugs/cve/2016-6304

#3 Manfred Hampl (m-hampl) said:

And another reference that this vulnerability has already been taken care of:
http://www.ubuntu.com/usn/usn-3087-1/

#4 Nestor Urquiza (nestoru) said:

Thanks Manfred for the explanations. Would you please let me know how I can make sure that openssl is 1.0.1f-1ubuntu2.21? I don't even see it as 1.0.1f-1ubuntu2.20. What I see is OpenSSL 1.0.1f 6 Jan 2014, as I mentioned in the original post. Most likely there is a different way to check the openssl version?

I ran the commands again just to make sure, but as you can see below I see no difference in the output:

$ sudo apt-get install openssl libssl-dev
Reading package lists... Done
Building dependency tree
Reading state information... Done
libssl-dev is already the newest version.
openssl is already the newest version.
0 upgraded, 0 newly installed, 0 to remove and 136 not upgraded.

$ cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=14.04
DISTRIB_CODENAME=trusty
DISTRIB_DESCRIPTION="Ubuntu 14.04 LTS"

$ openssl version -a
OpenSSL 1.0.1f 6 Jan 2014
built on: Fri Sep 23 12:19:57 UTC 2016
platform: debian-amd64
options: bn(64,64) rc4(8x,int) des(idx,cisc,16,int) blowfish(idx)
compiler: cc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -DTERMIO -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -Wl,-Bsymbolic-functions -Wl,-z,relro -Wa,--noexecstack -Wall -DMD32_REG_T=int -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
OPENSSLDIR: "/usr/lib/ssl"

Thanks in advance,
- Nestor

#5 Manfred Hampl (m-hampl) said:

The command

apt-cache policy openssl

will show details about the version that you have installed.

Remark:
The output "0 upgraded, 0 newly installed, 0 to remove and 136 not upgraded." shows that there are updates available for 136 packages that you have installed on your system. There might be security-related updates among them, so you should consider installing them.

The program update-manager should show the package updates that are available for your system.
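Putting answers #2 and #5 together, as an added example that is not part of this thread: on Ubuntu a security fix ships as a new Debian revision of the package (1.0.1f-1ubuntu2.20 to 1.0.1f-1ubuntu2.21) while the upstream string printed by "openssl version" stays at 1.0.1f, and the "built on" date only tells you when Canonical built that revision. The package version and the package changelog are therefore what to check for a CVE, not the upstream version. The script below is my own, not Manfred's or Ubuntu's. It parses "apt-cache policy" output, "openssl version" output and the Debian changelog (which Debian-derived distributions install at /usr/share/doc/PACKAGE/changelog.Debian.gz) and reports which package revision first lists a given CVE. The sample outputs embedded in it are constructed to resemble a patched 14.04 system; the changelog wording and maintainer line are hypothetical, and only the version numbers and CVE ids come from this thread. The live commands run only when a dpkg-based system with the changelog present is detected; otherwise the script runs against the constructed samples.

```shell
#!/bin/sh
# Added example (not from the thread): does an Ubuntu openssl package carry a
# backported fix for a CVE? Ubuntu keeps the upstream version (1.0.1f) and
# bumps only the Debian revision, so we look at the package version and the
# Debian changelog instead of "openssl version".
set -u

# Constructed sample of `apt-cache policy openssl` on a patched 14.04 box.
SAMPLE_POLICY='openssl:
  Installed: 1.0.1f-1ubuntu2.21
  Candidate: 1.0.1f-1ubuntu2.21
  Version table:
 *** 1.0.1f-1ubuntu2.21 0
        500 http://security.ubuntu.com/ubuntu/ trusty-security/main amd64 Packages
        100 /var/lib/dpkg/status
     1.0.1f-1ubuntu2 0
        500 http://archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages'

# Constructed excerpt in the layout of changelog.Debian.gz (hypothetical text;
# version numbers and CVE ids are the ones discussed in the thread).
SAMPLE_CHANGELOG='openssl (1.0.1f-1ubuntu2.21) trusty-security; urgency=medium

  * SECURITY UPDATE: see USN-3087-1
    - CVE-2016-6304
    - CVE-2016-2182

 -- Example Maintainer <maintainer@example.com>  Thu, 22 Sep 2016 08:00:00 -0400

openssl (1.0.1f-1ubuntu2.20) trusty-security; urgency=medium

  * SECURITY UPDATE: earlier fixes (omitted in this constructed sample)

 -- Example Maintainer <maintainer@example.com>  Mon, 01 Aug 2016 08:00:00 -0400'

# From the thread: what `openssl version` prints on that box.
SAMPLE_OPENSSL_VERSION='OpenSSL 1.0.1f 6 Jan 2014'

# Upstream part of a Debian version: drop "epoch:" and "-revision".
# 1.0.1f-1ubuntu2.21 -> 1.0.1f ; 1:1.0.2g-1ubuntu4.8 -> 1.0.2g
upstream_of() {
  v=${1#*:}
  printf '%s\n' "${v%-*}"
}

# "Installed:" value from `apt-cache policy` text on stdin.
installed_version() {
  sed -n 's/^ *Installed: *//p' | head -n 1
}

# Version field of an `openssl version` line on stdin ("OpenSSL 1.0.1f ..." -> 1.0.1f).
library_version() {
  awk '/^OpenSSL /{print $2; exit}'
}

# Version of the newest changelog entry (stdin) that lists the CVE id as a whole
# identifier (CVE-2016-6304 must not match CVE-2016-63041); empty if none.
fix_version_for() {
  awk -v cve="$1" '
    /^[^ ]+ \(/ { ver = $2; gsub(/[()]/, "", ver) }
    (i = index($0, cve)) && substr($0, i + length(cve), 1) !~ /[0-9]/ { print ver; exit }
  '
}

# Verdict for one CVE. Args: policy text, changelog text, openssl-version line, CVE id.
# Returns 0 when the changelog records a fix for the CVE.
check_cve() {
  policy=$1 changelog=$2 libline=$3 cve=$4
  installed=$(printf '%s\n' "$policy" | installed_version)
  upstream=$(upstream_of "$installed")
  lib=$(printf '%s\n' "$libline" | library_version)
  fixver=$(printf '%s\n' "$changelog" | fix_version_for "$cve")
  printf 'package version : %s\n' "$installed"
  printf 'upstream part   : %s (openssl version reports %s)\n' "$upstream" "$lib"
  if [ "$upstream" != "$lib" ]; then
    printf 'warning: the openssl binary in PATH does not come from the installed package\n'
  fi
  if [ -n "$fixver" ]; then
    printf '%s: first listed in %s; installed revision is %s\n' "$cve" "$fixver" "$installed"
    return 0
  fi
  printf '%s: not listed in the changelog of %s\n' "$cve" "$installed"
  return 1
}

# Live run on a dpkg-based system, constructed samples elsewhere.
main() {
  cve=$1 pkg=${2:-openssl}
  changelog_gz=/usr/share/doc/$pkg/changelog.Debian.gz
  if command -v apt-cache >/dev/null 2>&1 && command -v openssl >/dev/null 2>&1 \
     && [ -r "$changelog_gz" ]; then
    check_cve "$(apt-cache policy "$pkg")" "$(zcat "$changelog_gz")" "$(openssl version)" "$cve"
  else
    echo "(no dpkg-based system detected; using the constructed sample data)" >&2
    check_cve "$SAMPLE_POLICY" "$SAMPLE_CHANGELOG" "$SAMPLE_OPENSSL_VERSION" "$cve"
  fi
}

if [ $# -gt 0 ]; then
  main "$@"
else
  echo "usage: $0 CVE-YYYY-NNNN [package]   e.g. $0 CVE-2016-6304 libssl1.0.0" >&2
fi
```

Run it as "sh check_openssl_cve.sh CVE-2016-6304 libssl1.0.0" as well as for the openssl package: on 14.04 the shared library that programs actually link against is in the libssl1.0.0 package, so that is the package whose revision matters for a running service, and a service keeps the old library mapped until it is restarted, so upgrading the package alone is not enough. The exit status (0 when the changelog lists the CVE) makes the script usable from a fleet check.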
