Score:8

How to Fix CVE-2023-2650- A Type Confusion Vulnerability in OpenSSL?

nl flag

The error message I'm seeing indicates that my system has not been updated to the latest version of OpenSSL, which includes a fix for the CVE-2023-2650 vulnerability. How do I fix this?

Hit:1 http://us.archive.ubuntu.com/ubuntu jammy InRelease
Hit:2 http://us.archive.ubuntu.com/ubuntu jammy-updates InRelease
Hit:3 https://dl.google.com/linux/chrome/deb stable InRelease
Hit:4 https://packages.microsoft.com/repos/edge stable InRelease
Hit:5 http://us.archive.ubuntu.com/ubuntu jammy-backports InRelease
Hit:6 https://esm.ubuntu.com/cis/ubuntu jammy InRelease
Hit:7 http://us.archive.ubuntu.com/ubuntu jammy-security InRelease
Hit:8 https://esm.ubuntu.com/apps/ubuntu jammy-apps-security InRelease
Hit:9 https://esm.ubuntu.com/apps/ubuntu jammy-apps-updates InRelease
Hit:10 https://esm.ubuntu.com/infra/ubuntu jammy-infra-security InRelease
Hit:11 https://esm.ubuntu.com/infra/ubuntu jammy-infra-updates InRelease
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
4 packages can be upgraded. Run 'apt list --upgradable' to see them.
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Calculating upgrade... Done
#
# An OpenSSL vulnerability has recently been fixed with USN-6188-1 & 6119-1:
# CVE-2023-2650: possible DoS translating ASN.1 object identifiers.
# Ensure you have updated the package to its latest version.
#
The following packages have been kept back:
  libspeechd2 speech-dispatcher speech-dispatcher-audio-plugins speech-dispatcher-espeak-ng
0 upgraded, 0 newly installed, 0 to remove and 4 not upgraded.

openssl version:

OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)
guiverc avatar
cn flag
You mention a version, but the package version is what matters (*which I didn't see you provide*). Reading https://ubuntu.com/security/CVE-2023-2650 will tell you package `3.0.2-0ubuntu1.10` contains the fix - do you have it? I don't see the message as saying you don't have it; it's only alerting you to check that you have.
muru avatar
us flag
Does this answer your question? [How can I tell if a CVE has been fixed in Ubuntu's repositories?](https://askubuntu.com/questions/563408/how-can-i-tell-if-a-cve-has-been-fixed-in-ubuntus-repositories)
Hossam Nabil avatar
nl flag
Sorry, my dear friend, I thought it was a system problem. Excuse me, I am new to the Linux world <3
guiverc avatar
cn flag
We all start somewhere/sometime, and asking questions is a great way to learn. FYI: Ubuntu is a *stable release* system, where fixes are backported to the existing version; that is why package versions are more useful to check than the version of the software (*as the version of the software won't change; it'll just get fixes backported to it; there are cases where it's more work to backport fixes than to provide a new version - but those cases are extremely rare & avoided wherever possible, as it's against the stable release model, which is often preferred by enterprise users*).
GammaGames avatar
in flag
To be fair, it would be less confusing if apt didn't show the warning when the updated package has been installed. I'm still seeing it too, kinda silly. To get your package version you can use `apt list openssl`
JayDin avatar
cn flag
Please reopen the question. This is not a duplicate question as the `apt upgrade` message `# An OpenSSL vulnerability has recently been fixed with USN-6188-1 & 6119-1:` is new. I received this message today for the first time on 22.02. The duplicate link was from eight years ago and none of the answers seem applicable/relevant.
ve flag
I agree that marking this post as a duplicate of a 2014 one is quite confusing. @guiverc do you have the relevant privileges to re-open? And/or to turn your comment into an answer? Thanks!
guiverc avatar
cn flag
@Matifou no, I'm just a user on this site (*my rep. rates me a 'TU' but that's still a user*). To me the question is a duplicate... and my *guess* as to what would be '*fitting*' for how this site is intended to run (*as I understand it*) is another answer on that duplicate using detail from this question as an example (maybe inc. *apt news* output, with detail from my first comment with an example (`apt cache policy` maybe, to get the package version installed) & reading the CVE notice & comparison etc.). That would be the *site appropriate* approach as I see it anyway.
Bojan Kseneman avatar
ca flag
I can't answer the question because someone flagged it as a duplicate, which it is clearly not - facepalm. Anyway, you can turn off these messages with `sudo pro config set apt_news=False`
darthbith avatar
bd flag
You can also run `sudo pro fix CVE-2023-2650` which shows that this CVE affects two packages, one of which is not yet fixed: `1 package is still affected: edk2`. Apparently (according to the message), Ubuntu Security Engineers are working on a fix
Ti Strga avatar
in flag
@darthbith In my case we don't have `edk2` installed and the command you give prints "1/1 openssl", then goes on to display `CVE-2023-2650 is resolved.` However, the warning is still printed by all apt commands even after it agrees that the bug is fixed, so turning it off with Bojan's comment is still unfortunately required.
GrafiCode avatar
br flag
@darthbith if you have nodejs installed: `1 package is still affected: nodejs` - `Sorry, no fix is available yet.` which IMHO is unsettling
Score:2
vn flag

Your assumptions are unfortunately wrong. Let me decipher the message for you.

# An OpenSSL vulnerability has recently been fixed with USN-6188-1 & 6119-1:
# CVE-2023-2650: possible DoS translating ASN.1 object identifiers.
# Ensure you have updated the package to its latest version.

This is a service message telling you that there is a security update for OpenSSL. It's not an error, warning or anything like that at all.

The following packages have been kept back:
  libspeechd2 speech-dispatcher speech-dispatcher-audio-plugins speech-dispatcher-espeak-ng
0 upgraded, 0 newly installed, 0 to remove and 4 not upgraded.

Since there are 4 packages held back, and none to be upgraded, it's evident that OpenSSL is already upgraded to the latest version.

If you run `apt policy openssl` you'll get:

openssl:
  Installed: 3.0.2-0ubuntu1.10
  Candidate: 3.0.2-0ubuntu1.10
  Version table:
  ...

This is the latest upgraded version.

The apt message is only a service, known as "APT News". To remove those messages, see this Q&A.

Score:1
in flag

This is still popping up for me. If you know the patched version (3.0.2-0ubuntu1.10), you can check your installed version with `apt list openssl`:

openssl/jammy-security,jammy-updates,now 3.0.2-0ubuntu1.10 amd64 [installed]

I haven't been able to get the warning to go away when I run `sudo apt upgrade`, but you can run `sudo pro fix CVE-2023-2650` to check if you have any other vulnerable packages:

CVE-2023-2650: OpenSSL vulnerability
 - https://ubuntu.com/security/CVE-2023-2650

No affected source packages are installed.

✔ CVE-2023-2650 does not affect your system.
Artur Meinild avatar
vn flag
[See here](https://askubuntu.com/questions/1441035/what-is-meant-by-apt-news/) to remove those apt messages.
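The two answers above both boil down to the same check: read the installed package version out of `apt policy` / `apt list` and compare it, using Debian version ordering, against the version the Ubuntu CVE page names as fixed (`3.0.2-0ubuntu1.10`). The script below is an added example, not code from either answerer or from Ubuntu; it embeds a constructed `apt policy openssl` output for offline use, and `check_live` (an assumed helper name) is the part you would run on a real host. `dpkg --compare-versions` is used when present, with GNU `sort -V` as a fallback that gives the same ordering for versions of this shape.

```shell
#!/bin/sh
# Added example: decide whether an installed Ubuntu package carries a CVE fix
# by comparing its package version (not the upstream "openssl version" string)
# against the fixed version published on the Ubuntu CVE page.

# Constructed sample, modelled on the `apt policy openssl` output quoted above.
SAMPLE_POLICY='openssl:
  Installed: 3.0.2-0ubuntu1.10
  Candidate: 3.0.2-0ubuntu1.10
  Version table:
 *** 3.0.2-0ubuntu1.10 500
        500 http://us.archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages'

# Read the "Installed:" field from apt policy output supplied on stdin.
installed_version() {
  awk '/^ *Installed:/ { print $2; exit }'
}

# Return 0 when $1 >= $2 in Debian package-version ordering.
version_ge() {
  if command -v dpkg >/dev/null 2>&1; then
    dpkg --compare-versions "$1" ge "$2"
  else
    # Fallback: sort -V orders 1.9 before 1.10, matching dpkg for these cases.
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
  fi
}

# Classify an installed version against the fixed version.
# Prints one of: fixed, vulnerable, not-installed
fix_status() {
  installed=$1
  fixed=$2
  case "$installed" in
    ""|"(none)") echo not-installed; return 0 ;;   # apt policy prints "(none)"
  esac
  if version_ge "$installed" "$fixed"; then
    echo fixed
  else
    echo vulnerable
  fi
}

# Live check on an Ubuntu host (assumed helper; needs apt installed).
# Usage: check_live openssl 3.0.2-0ubuntu1.10
check_live() {
  pkg=$1
  fixed=$2
  inst=$(apt policy "$pkg" 2>/dev/null | installed_version)
  printf '%s %s -> %s\n' "$pkg" "${inst:-none}" "$(fix_status "$inst" "$fixed")"
}
```

Run `check_live openssl 3.0.2-0ubuntu1.10` on a jammy machine; `fixed` means the package is at or past the version that contains the backport, regardless of what the APT News banner keeps printing. The fixed version for any other CVE comes from its ubuntu.com/security page, the same way guiverc's comment describes.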