Ubuntu
openssl package

Update to include changes in 1.1.1.e

Asked by Andy Edwards

Are there any plans to update the Ubuntu packages to pull in the changes in OpenSSL 1.1.1e (or even 1.1.1f)?

Specifically, 1.1.1e brings in a fix for CVE-2019-1551. We'd like to update to a version that has that fix (and CVEs are the kind of thing that come with deadlines to be resolved by) but the fix isn't in the latest Ubuntu package for Bionic.

Question information

Language:
English Edit question
Status:
Solved
For:
Ubuntu openssl Edit question
Assignee:
No assignee Edit question
Solved by:
Manfred Hampl
Solved:
Last query:
Last reply:
Revision history for this message
Best Manfred Hampl (m-hampl) said : 		#1

This is a known problem
https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-1551.html

Revision history for this message
Andy Edwards (andy-edwards) said : 		#2

FYI 1.1.1g is now released and includes https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-1967

Revision history for this message
Andy Edwards (andy-edwards) said : 		#3

https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1967.html has now asserted that the CVEs in 1.1.1g also do not apply to Ubuntu Bionic. Might as well close this off as solved.

Revision history for this message
Andy Edwards (andy-edwards) said : 		#4

Thanks Manfred Hampl, that solved my question.