OpenSSL is not up-to-date in Ubuntu 13.10

Bug #1307532 reported by jean-christophe manciot
Affects: openssl (Ubuntu)
Status: Invalid
Importance: Undecided
Assigned to: Unassigned

Bug Description

I have noticed that OpenSSL and libssl have been updated to release 1.0.1e. When you take a careful look at the latest release on the official site, it's 1.0.1g: http://www.openssl.org/news/

You might want to check this screenshot on my machine: https://docs.google.com/document/d/1UaYD0IhZdpeZydJ8MA1h5nOjTBbFLlW8VSI3LSoKTY4/edit?usp=sharing

The OpenSSL version is 1.0.1e when the latest official sources are 1.0.1g!

Build date and version are 2 very different things!

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. This is not a bug, but rather expected behavior:
https://wiki.ubuntu.com/SecurityTeam/FAQ#Versions

Please feel free to report any other bugs you may find.

Changed in openssl (Ubuntu):
status: New → Invalid
jean-christophe manciot (manciot-jeanchristophe) wrote :

You cannot say that you've not been warned.
It's up to you to stick with the old OpenSSL release.
I'm going to build the last 1.0.1g on my system from the sources.

Marc Deslauriers (mdeslaur) wrote :

What exactly are you warning us about?

Security fixes are backported to the stable openssl versions that are in each release.

For example, heartbleed (CVE-2014-0160) was fixed in 1.0.1e-3ubuntu1.2 released April 7th with the following USN:

http://www.ubuntu.com/usn/usn-2165-1/

jean-christophe manciot (manciot-jeanchristophe) wrote :

Someone has updated openssl with sources dated 11th of February, weeks before the Heartbleed issue was made public.
The last official sources were updated on the 7th of April (not the build date, the sources date).

Marc Deslauriers (mdeslaur) wrote :

Try:

openssl version -b

What's the result?

jean-christophe manciot (manciot-jeanchristophe) wrote :

Now that I've compiled the latest OpenSSL sources available here (1.0.1g): http://www.openssl.org/source/

I can check the OpenSSL version with "openssl version -a" (not -b; with this you only get the build date, not the version, which really matters): https://docs.google.com/document/d/1...it?usp=sharing

Marc Deslauriers (mdeslaur) wrote :

-a shows only the date on which the original version came out; that isn't the date that matters for Ubuntu since, like most distros, we backport security fixes.

-b will show you when the package was built, and that is what is important.

You probably shouldn't attempt to maintain your own openssl; it will be much easier to stay up-to-date with security fixes if you use the one packaged.
