Score:4

How can I know that Ubuntu 18.04 Bionic's latest OpenSSL is really 1.1.1n?

cn flag

According to Ubuntu's CVE-2022-0778 this release should address the CVE. However, when I look at the OpenSSL version I can't really tell that it is 1.1.1n. I do see that it was built on Mar 9 prior to:

  • OpenSSL making the source available to the public
  • Ubuntu distro managers importing OpenSSL 1.1.1n into their repo (which may just be a public facing repo)

So, how would I know that this is truly 1.1.1n?

Ubuntu 18.04 system after upgrade

OpenSSL 1.1.1  11 Sep 2018
built on: Wed Mar  9 12:13:40 2022 UTC
platform: debian-amd64
options:  bn(64,64) rc4(16x,int) des(int) blowfish(ptr)
compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -Wall -Wa,
--noexecstack -g -O2 -fdebug-prefix-map=/build/openssl-vxXVMf/openssl-1.1.1=. 
-fstack-protector-strong -Wformat -Werror=format-security -DOPENSSL_USE_NODELETE 
-DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 
-DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM 
-DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM 
-DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DGHASH_ASM 
-DECP_NISTZ256_ASM -DX25519_ASM -DPADLOCK_ASM -DPOLY1305_ASM 
-DNDEBUG -Wdate-time -D_FORTIFY_SOURCE=2
OPENSSLDIR: "/usr/lib/ssl"
ENGINESDIR: "/usr/lib/x86_64-linux-gnu/engines-1.1"
Seeding source: os-specific

Distro Maintainer

Ubuntu Repo: https://git.launchpad.net/ubuntu/+source/openssl

Tags:

* 3b83ed56dea2b735e31731fd042b52ff869f9a97 - 
(tag: import/1.1.1n-1, origin/debian/sid) 1.1.1n-1 
(patches unapplied) (c: Wed, 16 Mar 2022 04:33:58 +0000) 
(a: Tue, 15 Mar 2022 19:46:18 +0100) <Sebastian Andrzej Siewior>%

applied/1.1.1n-1
*   d4d5eeef3576b16013c48abc435c5da889cedf1b - (tag: applied/1.1.1n-1, 
origin/applied/debian/sid) 1.1.1n-1 (patches applied) 
(c: Wed, 16 Mar 2022 04:33:58 +0000) 
(a: Tue, 15 Mar 2022 19:46:18 +0100) <Sebastian Andrzej Si
Score:6
cn flag

Once a security update is in status released, the simple thing to do is apply updates: apt update && apt upgrade

Consider implementing some kind of patch management report to confirm all hosts are updated and compliant. These range from simple scripts to products you might buy.

So, how would I know that this is truly 1.1.1n?

Ubuntu's fix for CVE-2022-0778 is not 1.1.1n. Like other stable distributions, they have a habit of backporting only the specific fix to their chosen version. Read the table again, and notice that bionic is openssl 1.1.1-1ubuntu2.1~18.04.15. The funny-looking version string appended at the end is important; it indicates which build.

built on Mar 9 prior to openssl making the source available to the public

It takes time to build and test software. Ubuntu, like other distros, is on a list to get notified prior to general announcement. This reduces the time users are exposed to flaws.

A build date is a good sanity check that you have the required patch level, but realize it is possible to be built before upstream's announcement without needing a time machine.

Ubuntu distro managers importing openssl 1.1.1n into their repo (which may just be a public facing repo)

Beware of drawing conclusions about what in version control actually goes into a fix for your version. Based on the branch names, that probably has to do with Ubuntu comparing to Debian sid or upstream releases. Not bionic.

Refer to the security advisory.

Peter Kahn avatar
cn flag
Thanks for this. This really helps.
Score:4
cn flag

So, how would I know that this is truly 1.1.1n?

It won't be 1.1.1n because, as John Mahowald says, Ubuntu will have backported the fix into their supported version for 18.04, which from the linked table is 1.1.1-1ubuntu2.1~18.04.15.

You can find out what openssl packages are installed on your system using

apt list --installed | grep openssl

You can examine the changelog to see what updates have been applied/backported

apt-get changelog openssl

or even look on the Ubuntu changelog server.

The changelog confirms that openssl 1.1.1-1ubuntu2.1~18.04.15 has patches applied for CVE-2022-0778.

Benjamin Hastings avatar
ne flag
For Ubuntu 20.04.4 LTS, I assume the patch is in openssl 1.1.1f as per changelog:

openssl (1.1.1f-1ubuntu2.12) focal-security; urgency=medium
  * SECURITY UPDATE: Infinite loop in BN_mod_sqrt()
    - debian/patches/CVE-2022-0778-1.patch: fix infinite loop in crypto/bn/bn_sqrt.c.
    - debian/patches/CVE-2022-0778-2.patch: add documentation of BN_mod_sqrt() in doc/man3/BN_add.pod.
John Mahowald avatar
cn flag
No need to assume, the security advisory says focal is 1.1.1f-1ubuntu2.12. Again, the release string at the end is important to indicate which build has the backported fix - upstream 1.1.1f is 31 Mar 2020 and does not have this. A package change log is nice to confirm, but the primary reference should be the advisory.
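Both answers above come down to the same check: the package's release string, not the output of `openssl version`, decides whether the backported fix is present. As an added example (not code from any poster), this Python implements dpkg's version ordering so an installed version can be compared with the advisory's fixed version, and picks out the changelog stanza that carries the CVE patch; the changelog text is constructed, modelled on the focal stanza quoted in the comments, and the bionic fixed version 1.1.1-1ubuntu2.1~18.04.15 is the one the answers cite.

```python
# Added example (not from the thread): compare dpkg version strings the way dpkg does
# ('~' sorts before anything, even end of string; digit runs compare numerically).
import re

def _order(c):
    return -1 if c == '~' else 0 if c.isdigit() else ord(c) if c.isalpha() else ord(c) + 256

def _verrevcmp(a, b):
    i = j = 0
    while i < len(a) or j < len(b):
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0  # end of string counts as 0, above '~'
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc: return ac - bc
            i, j = i + 1, j + 1
        while i < len(a) and a[i] == '0': i += 1  # leading zeros are insignificant
        while j < len(b) and b[j] == '0': j += 1
        first = 0
        while i < len(a) and j < len(b) and a[i].isdigit() and b[j].isdigit():
            first = first or ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if i < len(a) and a[i].isdigit(): return 1  # the longer digit run is larger
        if j < len(b) and b[j].isdigit(): return -1
        if first: return first
    return 0

def compare_versions(v1, v2):
    """Return -1, 0 or 1, like `dpkg --compare-versions`; form is epoch:upstream-revision."""
    def split(v):
        epoch, sep, rest = v.partition(':')
        if not sep: epoch, rest = '0', v
        upstream, sep, rev = rest.rpartition('-')
        return int(epoch), (upstream if sep else rest), rev
    (e1, u1, r1), (e2, u2, r2) = split(v1), split(v2)
    for c in (e1 - e2, _verrevcmp(u1, u2), _verrevcmp(r1, r2)):
        if c: return 1 if c > 0 else -1
    return 0

STANZA = re.compile(r'^(\S+) \(([^)]+)\) (\S+); urgency=', re.M)
def versions_mentioning(changelog, cve):
    """Package versions whose changelog stanza mentions `cve` (e.g. CVE-2022-0778)."""
    parts = STANZA.split(changelog)  # [pre, pkg, ver, dist, body, pkg, ver, dist, body, ...]
    return [parts[k + 1] for k in range(1, len(parts), 4) if cve in parts[k + 3]]

# Constructed changelog excerpt (not the real one), modelled on the focal stanza in the comments.
CHANGELOG = """\
openssl (1.1.1-1ubuntu2.1~18.04.15) bionic-security; urgency=medium
  * SECURITY UPDATE: Infinite loop in BN_mod_sqrt()
    - debian/patches/CVE-2022-0778-1.patch: fix infinite loop in crypto/bn/bn_sqrt.c.
openssl (1.1.1-1ubuntu2.1~18.04.14) bionic-security; urgency=medium
"""
```

On a real host, feed `versions_mentioning` the output of `apt-get changelog openssl` and compare `dpkg-query -W -f='${Version}' openssl` against the advisory's version; note that upstream 1.1.1n-1 sorts above the bionic string even though bionic is the one that actually contains the fix, which is exactly why the advisory, not the version number, is the reference.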
Score:0
us flag

Type

openssl version

At command prompt

Mine gives

OpenSSL 1.1.1m 14 Dec 2021

John Mahowald avatar
cn flag
OpenSSL version is unfortunately not enough, because backports exist. This is the same mistake that unsophisticated vulnerability scans make. Read the advisory.
us flag
I'm guessing a backport would also show a different version string if it is a different version: It is calling openssl directly.