Questions about openssl in Ubuntu mirrors

Thomas Ward teward at thomas-ward.net
Mon Jun 6 04:20:43 UTC 2022


Regarding your first question about why we don’t update directly to newer versions, etc.:

Once a version of OpenSSL (or most libraries) is released in Ubuntu, like many other pieces of software they’re more or less ‘version locked’.  For the most part, this answer on Ask Ubuntu is still more or less accurate: https://askubuntu.com/a/151304/10616

*That applies for OpenSSL as well*


Regarding your second question about Xenial:

All Ubuntu releases have a set period of standard support.  For interim non-LTS releases, this is 9 months.

For LTS releases, this is five years from the initial release date.  After those five years, it leaves the standard support period.  After that, Canonical (typically, from my observations) provides Extended Security Maintenance coverage through the Ubuntu Advantage for Infrastructure subscription support programs.

For Xenial 16.04, the Standard Support period ended in April 2021.  (See "Ubuntu 16.04 LTS (Xenial Xerus) released" <https://lists.ubuntu.com/archives/ubuntu-announce/2016-April/000207.html>.)  When Standard Support ended and Xenial entered the Extended Security Maintenance period, the standard cadence of the Ubuntu Security Team patching items in Xenial moved from the standard xenial-security repositories into the Ubuntu Advantage ESM repositories, for which you need to subscribe to Ubuntu Advantage for Infrastructure to get entitlement (note you need one license for each system you want to protect this way, so it can get expensive).

In the Corporate IT environment (in which lethargy, inertia, extremely legacy software, etc. are reasons that you cannot immediately upgrade from 16.04 to 18.04 or migrate to even newer Ubuntu), ESM allows an extra 5 years to get through those problems with the goal of migration or retiring of those legacy systems.  For the average user outside of corporations, anyone who is on 16.04 should be migrating to newer Ubuntu, or forking out the cash per server to cover the ‘legacy’ software via ESM.



NOTE: I do not speak as a representative of Canonical, or the Ubuntu Security Team, or any other Ubuntu leadership role in this email.  The aforementioned information is based on my observations, information I’ve collected via my FT job in discussions with Canonical where we actually have UA-I subscriptions, and other resources and discussions with members of Canonical’s development teams thanks to my connections as an Ubuntu member.



Thomas


From: Ubuntu-devel-discuss <ubuntu-devel-discuss-bounces at lists.ubuntu.com> On Behalf Of wei tang
Sent: Wednesday, May 25, 2022 03:29
To: ubuntu-devel-discuss at lists.ubuntu.com
Cc: christoph.martin at uni-mainz.de; kurt at roeckx.be
Subject: Questions about openssl in Ubuntu mirrors

Hello, maintainers:
I am Tang Wei, a researcher in the field of open-source package management at Nanyang Technological University in Singapore. I am writing to you to ask some questions about the openssl package in Ubuntu mirrors. I would be grateful if you could give me some further details.

I noticed that CVE-2022-1292 affected openssl 1.1.1-1.1.1n and 1.0.2-1.0.2zd.  It is fixed in the upstream versions OpenSSL 1.1.1o and OpenSSL 1.0.2ze. And you fixed it in the Ubuntu revisions 1.1.1-1ubuntu2.1~18.04.17, 1.1.1f-1ubuntu2.13, and 1.1.1l-1ubuntu1.3.

My first question is why you modify and patch the old versions rather than directly updating the version to 1.1.1o. Debian maintainers seem to update to 1.1.1o in their mirrors. (http://mirror.coganng.com/debian/pool/main/o/openssl/)  There are no compatibility issues from 1.1.1f to 1.1.1o. It seems easier to update it rather than patching it manually, isn't it?  Why not update it?

My second question is that openssl 1.0.2g-1ubuntu4 in xenial is still affected by CVE-2022-1292. And it has been fixed in OpenSSL 1.0.2ze. Why don't you patch it like the other Ubuntu releases, instead of leaving it vulnerable? If it is caused by development cost, why not provide 1.0.2ze in xenial mirrors?

I look forward to hearing from you.
Thanks so much.
Tang Wei
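The exchange above turns on one practical consequence of the "version locked" policy: an Ubuntu package that carries a backported fix keeps its upstream version string (1.1.1f), so comparing it against the upstream fixed release (1.1.1o) wrongly reports it as vulnerable, while the fix is actually recorded in the Debian revision part (-1ubuntu2.13). The following is an added example, not code from either message in the thread or from Ubuntu itself. It reimplements dpkg's version ordering (epoch, upstream, revision; '~' sorting before everything else) in Python so the check runs offline, and compares constructed `dpkg-query -W -f='${Package} ${Version}\n'` output from hypothetical hosts against the fixed revisions Tang Wei quotes. The mapping of those revisions to release codenames is my assumption from the version strings, and on a real host you would feed the check the actual dpkg-query output rather than the constructed sample.

```python
"""Check whether an installed Ubuntu openssl package carries a backported fix.

Ubuntu keeps the upstream version (e.g. 1.1.1f) and ships a security fix as a
new Debian revision (e.g. -1ubuntu2.13), so a comparison against the upstream
fixed version (1.1.1o) gives the wrong answer. Compare the full package version
against the Ubuntu fixed revision using dpkg's version ordering instead.
"""

# Fixed Ubuntu revisions for CVE-2022-1292 as quoted in the thread. The mapping
# to release codenames is an assumption inferred from the version strings.
FIXED_VERSIONS = {
    "bionic": "1.1.1-1ubuntu2.1~18.04.17",
    "focal": "1.1.1f-1ubuntu2.13",
    "impish": "1.1.1l-1ubuntu1.3",
}

# Constructed sample of `dpkg-query -W -f='${Package} ${Version}\n'` output
# from three hypothetical hosts; these are not real systems.
SAMPLE_DPKG_OUTPUT = {
    "focal-host": "libssl1.1 1.1.1f-1ubuntu2.13\nopenssl 1.1.1f-1ubuntu2.13\n",
    "focal-stale": "libssl1.1 1.1.1f-1ubuntu2.12\nopenssl 1.1.1f-1ubuntu2.12\n",
    "bionic-host": "libssl1.1 1.1.1-1ubuntu2.1~18.04.17\n"
                   "openssl 1.1.1-1ubuntu2.1~18.04.16\n",
}


def _order(c: str) -> int:
    """dpkg's character weight: '~' sorts before everything, even end of string."""
    if c == "~":
        return -1
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_fragment(a: str, b: str) -> int:
    """Compare an upstream or revision string the way dpkg's verrevcmp does:
    alternate non-digit runs (by character weight) and digit runs (numerically)."""
    i = j = 0
    while i < len(a) or j < len(b):
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return -1 if ac < bc else 1
            # Only reached when both sides hold the same non-digit character.
            i += 1
            j += 1
        sa, sb = i, j
        while i < len(a) and a[i].isdigit():
            i += 1
        while j < len(b) and b[j].isdigit():
            j += 1
        na, nb = int(a[sa:i] or "0"), int(b[sb:j] or "0")
        if na != nb:
            return -1 if na < nb else 1
    return 0


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 for a < b, a == b, a > b in Debian version order."""
    def split(v: str):
        epoch, sep, rest = v.partition(":")
        if not sep:
            epoch, rest = "0", v
        upstream, sep, revision = rest.rpartition("-")
        if not sep:
            upstream, revision = rest, ""
        return int(epoch), upstream, revision

    ea, ua, ra = split(a)
    eb, ub, rb = split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)


def has_fix(installed: str, fixed: str) -> bool:
    """True when the installed package version is at or above the fixed revision."""
    return compare_versions(installed, fixed) >= 0


def audit_host(dpkg_output: str, release: str) -> dict:
    """Map each openssl binary package in the dpkg-query output to fixed/not fixed."""
    fixed = FIXED_VERSIONS[release]
    result = {}
    for line in dpkg_output.splitlines():
        pkg, _, ver = line.partition(" ")
        if pkg in ("openssl", "libssl1.1"):
            result[pkg] = has_fix(ver, fixed)
    return result


if __name__ == "__main__":
    # Naive upstream comparison says focal is behind; the revision check says fixed.
    print("1.1.1f < 1.1.1o:", compare_versions("1.1.1f", "1.1.1o") < 0)
    for host, release in (("focal-host", "focal"), ("focal-stale", "focal"), ("bionic-host", "bionic")):
        print(host, audit_host(SAMPLE_DPKG_OUTPUT[host], release))
```

The same ordering explains the bionic revision string: `1.1.1-1ubuntu2.1~18.04.17` sorts below `1.1.1-1ubuntu2.1` because `~` is weighted lower than end of string, which is how a fix backported from a newer release gets a version that is still superseded by the later release's own package on upgrade.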

