[Bug 1908733] Re: CVE-2020-1971 OpenSSL package upgrade issue
Seth Arnold
1908733 at bugs.launchpad.net
Tue Dec 22 23:55:25 UTC 2020
Hello, you've replaced the Ubuntu OpenSSL packages with Ondrej's OpenSSL
packages. You can ask him if he has performed the corresponding update
yet: https://github.com/oerdnj/deb.sury.org
Thanks
** Information type changed from Private Security to Public Security
** Changed in: openssl (Ubuntu)
Status: New => Invalid
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1908733
Title:
CVE-2020-1971 OpenSSL package upgrade issue
Status in openssl package in Ubuntu:
Invalid
Bug description:
Hello,
I have tested it on 4 virtual machines (details below):
# uname -a
Linux web2 4.15.0-128-generic #131-Ubuntu SMP Wed Dec 9 06:57:35 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
# lsb_release -rd
Description: Ubuntu 18.04.5 LTS
Release: 18.04
$ apt-cache policy openssl
openssl:
  Installed: 1.1.1g-1+ubuntu18.04.1+deb.sury.org+1
  Candidate: 1.1.1g-1+ubuntu18.04.1+deb.sury.org+1
  Version table:
 *** 1.1.1g-1+ubuntu18.04.1+deb.sury.org+1 500
        500 http://ppa.launchpad.net/ondrej/apache2/ubuntu bionic/main amd64 Packages
        100 /var/lib/dpkg/status
     1.1.1g-1+ubuntu18.04.1+deb.sury.org+1 500
        500 http://ppa.launchpad.net/ondrej/php/ubuntu bionic/main amd64 Packages
     1.1.1-1ubuntu2.1~18.04.7 500
        500 http://il.archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu bionic-security/main amd64 Packages
     1.1.0g-2ubuntu4 500
        500 http://il.archive.ubuntu.com/ubuntu bionic/main amd64 Packages
My OpenSSL version is: openssl 1.1.1g-1+ubuntu18.04.1+deb.sury.org+1
I wanted to install the patch that fixes "CVE-2020-1971" on my virtual
machines, but found the following issue: there is an article (
https://ubuntu.com/security/CVE-2020-1971) giving the package name
(version) in which "CVE-2020-1971" is fixed -->
"1.1.1-1ubuntu2.1~18.04.7".
Normal (expected?) behaviour for me (in my case) is to do the following:
sudo apt update
sudo apt upgrade
After this all packages in my system should be upgraded to latest
versions.
But in fact - OpenSSL package remained same
1.1.1g-1+ubuntu18.04.1+deb.sury.org+1
When I check:
$ apt list openssl
Listing... Done
openssl/bionic,now 1.1.1g-1+ubuntu18.04.1+deb.sury.org+1 amd64 [installed]
N: There are 3 additional versions. Please use the '-a' switch to see them.
$ apt list openssl -a
Listing... Done
openssl/bionic,now 1.1.1g-1+ubuntu18.04.1+deb.sury.org+1 amd64 [installed]
openssl/bionic 1.1.1g-1+ubuntu18.04.1+deb.sury.org+1 amd64
openssl/bionic-updates,bionic-security 1.1.1-1ubuntu2.1~18.04.7 amd64
openssl/bionic 1.1.0g-2ubuntu4 amd64
OK, let's install the latest package --> 1.1.1-1ubuntu2.1~18.04.7:
sudo apt install openssl=1.1.1-1ubuntu2.1~18.04.7
And here I receive the following:
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages will be DOWNGRADED:
openssl
0 upgraded, 0 newly installed, 1 downgraded, 0 to remove and 0 not upgraded.
Need to get 614 kB of archives.
After this operation, 132 kB disk space will be freed.
Do you want to continue? [Y/n] yn
Get:1 http://il.archive.ubuntu.com/ubuntu bionic-updates/main amd64 openssl amd64 1.1.1-1ubuntu2.1~18.04.7 [614 kB]
Fetched 614 kB in 0s (1,367 kB/s)
dpkg: warning: downgrading openssl from 1.1.1g-1+ubuntu18.04.1+deb.sury.org+1 to 1.1.1-1ubuntu2.1~18.04.7
Is this correct behavior? Why is the newest version (mentioned in
https://ubuntu.com/security/CVE-2020-1971) considered a DOWNGRADE?
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1908733/+subscriptions