Score:0

Updating OpenSSL 3.0.10 in Ubuntu 22.04.3


How do I update OpenSSL in Ubuntu 22.04 LTS? The current version is OpenSSL 3.0.2, but it has vulnerabilities, so I need to update to OpenSSL 3.0.10. It's still not available in the Ubuntu repository.

The following are the vulnerabilities in OpenSSL 3.0.2: CVE-2023-2975, CVE-2023-3446 and CVE-2023-3817.

guiverc:
What CVE/vulnerability are you worried about? As security fixes are backported to the current packages by default you need to look up what vulnerability you're worried about & start from there using https://ubuntu.com/security/cves or other site.
Mohammed Fawaz M:
I am worried about the following CVEs: CVE-2023-2975, CVE-2023-3446, CVE-2023-3817.
Score:2

Please don't do anything you'll regret later. Let's go through these CVEs and see what they're about:

CVE-2023-3817 & CVE-2023-3446

Published: 31/19 July 2023

Issue summary: Checking excessively long DH keys or parameters may be very slow.
...
An application that calls DH_check() and supplies a key or parameters obtained from an untrusted source could be vulnerable to a Denial of Service attack.

CVE-2023-2975

Published: 14 July 2023

Issue summary: The AES-SIV cipher implementation contains a bug that causes it to ignore empty associated data entries which are unauthenticated as a consequence.
...
As this issue does not affect non-empty associated data authentication and we expect it to be rare for an application to use empty associated data entries this is qualified as Low severity issue.

The first two (CVE-2023-3817 & CVE-2023-3446) cause a long response time under certain conditions (which could theoretically lead to a DoS situation), and the last one (CVE-2023-2975) causes unauthenticated empty data.

All those CVEs are rated as low severity, meaning they'll get a patch when the Ubuntu Security Team believes this can fit into the release schedule.

If you think you can make a better judgment of the CVEs than the Ubuntu Security Team, you are of course welcome to compile a newer version of the library yourself, but in this case you'll also have to maintain this for yourself going forward.

Most users are better off trusting the Ubuntu Security Team in these matters.
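
The comment above points out that Ubuntu backports security fixes into the existing package, so the upstream version string (3.0.2) does not show whether a CVE is patched. As an added example (not part of the original thread), this shell function reads a Debian-format package changelog and reports the package version whose entry first mentions each CVE; the helper name `cve_fixed_in` and the sample changelog, including its version strings, are constructed for illustration.

```shell
#!/bin/sh
# Added example. Reads a Debian-format changelog (newest entry first) on stdin
# and prints "CVE<TAB>version" for the earliest entry mentioning each CVE,
# or "CVE<TAB>not-mentioned". cve_fixed_in is a hypothetical helper name.
cve_fixed_in() {
    awk -v cves="$*" '
        BEGIN { n = split(cves, want, " ") }
        # Entry header looks like: "package (version) suite; urgency=..."
        /^[a-z0-9][a-z0-9+.-]* \(/ { ver = $2; gsub(/[()]/, "", ver); next }
        {
            # Tokenise so CVE-2023-3446 cannot match inside a longer id.
            line = $0; gsub(/[^A-Za-z0-9-]/, " ", line); line = " " line " "
            for (i = 1; i <= n; i++)
                if (index(line, " " want[i] " "))
                    found[want[i]] = ver   # older entries overwrite newer ones
        }
        END {
            for (i = 1; i <= n; i++)
                printf "%s\t%s\n", want[i], (want[i] in found) ? found[want[i]] : "not-mentioned"
        }'
}

# Constructed changelog; versions and entries are placeholders, not Ubuntu's.
sample_changelog() {
    cat <<'EOF'
openssl (0.0.0-0example3) jammy-security; urgency=medium

  * Follow-up to the CVE-2023-3446 change

 -- Example Maintainer <maint@example.invalid>  Mon, 01 Jan 2024 00:00:00 +0000

openssl (0.0.0-0example2) jammy-security; urgency=medium

  * SECURITY UPDATE: excessive time spent checking DH keys
    - CVE-2023-3446
    - CVE-2023-3817

 -- Example Maintainer <maint@example.invalid>  Mon, 01 Jan 2024 00:00:00 +0000
EOF
}

sample_changelog | cve_fixed_in CVE-2023-2975 CVE-2023-3446 CVE-2023-3817

# On a real system, feed the installed package's changelog instead, then
# compare the reported version with the installed one:
#   zcat /usr/share/doc/openssl/changelog.Debian.gz | cve_fixed_in CVE-2023-3446
#   dpkg-query -W -f='${Version}\n' openssl
```

The changelog shipped inside an Ubuntu binary package can be shortened, so a "not-mentioned" result should be confirmed with `apt changelog openssl` or the https://ubuntu.com/security/cves page mentioned in the comment.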
