Questions about openssl in Ubuntu mirrors
wei tang
tangwei.thu at gmail.com
Wed May 25 07:29:13 UTC 2022
Hello, maintainers:
I am Tang Wei, a researcher in the field of open-source package management
at Nanyang Technological University in Singapore. I am writing to you to
ask some questions about the openssl package in Ubuntu mirrors. I would be
grateful if you could give me some further details.
I noticed that CVE-2022-1292 affected openssl 1.1.1-1.1.1n and
1.0.2-1.0.2zd. It is fixed in upstream versions, OpenSSL 1.1.1o and
OpenSSL 1.0.2ze. And you fixed it in ubuntu revisions,
1.1.1-1ubuntu2.1~18.04.17, 1.1.1f-1ubuntu2.13, and 1.1.1l-1ubuntu1.3.
My first question is why you modify and patch the old versions rather than
directly updating the version to 1.1.1o. Debian maintainers seem to update
to 1.1.1o in their mirrors. (
http://mirror.coganng.com/debian/pool/main/o/openssl/) There are no
compatibility issues from 1.1.1f to 1.1.1o. It seems easier to update it
than to patch it manually, doesn't it? Why not update it?
My second question is that openssl 1.0.2g-1ubuntu4 in xenial is still
affected by CVE-2022-1292, and it has been fixed in OpenSSL 1.0.2ze. Why
don't you patch it like the other Ubuntu releases, instead of leaving it
vulnerable? If it is caused by development cost, why not provide 1.0.2ze in
xenial mirrors?
I look forward to hearing from you.
Thanks so much.
Tang Wei
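The practical consequence of the backporting practice the mail asks about is that an upstream-only version check gets Ubuntu wrong: 1.1.1f-1ubuntu2.13 carries the CVE-2022-1292 fix even though 1.1.1f is older than 1.1.1o. The following is an added example, not part of Tang Wei's mail or of any Ubuntu or Debian tooling. It reimplements the dpkg version ordering (epoch, upstream version, Debian revision, with `~` sorting before everything) in Python and contrasts a naive upstream-only check with one keyed on the distribution's fixed revision. The fixed revisions in the table are the ones quoted in the mail; the mapping of those revisions to release names (bionic, focal, impish) is my assumption, and so are the function names.

```python
"""Debian/Ubuntu version comparison and a distro-aware fixed-version check.

Added example: the ordering below follows the dpkg verrevcmp() algorithm;
on a real host `dpkg --compare-versions A lt B` gives the reference answer.
"""

def _isdigit(c: str) -> bool:
    return "0" <= c <= "9"

def _order(c: str) -> int:
    """Weight of one non-digit character: '~' < end-of-string < letters < others."""
    if _isdigit(c):
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256

def _verrevcmp(a: str, b: str) -> int:
    """Compare two version fragments (upstream or revision) the dpkg way."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit runs are compared character by character by _order().
        while (i < len(a) and not _isdigit(a[i])) or (j < len(b) and not _isdigit(b[j])):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit runs are compared numerically: strip leading zeros, then longest wins.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and j < len(b) and _isdigit(a[i]) and _isdigit(b[j]):
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and _isdigit(a[i]):
            return 1
        if j < len(b) and _isdigit(b[j]):
            return -1
        if first_diff:
            return first_diff
    return 0

def _split(version: str):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision

def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 ordering two full Debian version strings."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return 1 if ea > eb else -1
    c = _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (c > 0) - (c < 0)

# Upstream fixed versions for CVE-2022-1292, as stated in the mail.
UPSTREAM_FIXED = {"1.1.1": "1.1.1o", "1.0.2": "1.0.2ze"}

# Ubuntu fixed revisions quoted in the mail. Release names are my assumption.
UBUNTU_FIXED = {
    "bionic": "1.1.1-1ubuntu2.1~18.04.17",
    "focal": "1.1.1f-1ubuntu2.13",
    "impish": "1.1.1l-1ubuntu1.3",
}

def naive_affected(installed: str) -> bool:
    """What a scanner that only compares the upstream version would report."""
    upstream = _split(installed)[1]
    fixed = UPSTREAM_FIXED.get(upstream[:5])
    return fixed is not None and _verrevcmp(upstream, fixed) < 0

def distro_affected(installed: str, release: str):
    """True/False against the release's fixed revision; None if no fix is known."""
    fixed = UBUNTU_FIXED.get(release)
    if fixed is None:
        return None
    return compare_versions(installed, fixed) < 0

if __name__ == "__main__":
    for release, pkg in [("focal", "1.1.1f-1ubuntu2.13"), ("xenial", "1.0.2g-1ubuntu4")]:
        print(release, pkg, "naive:", naive_affected(pkg),
              "distro-aware:", distro_affected(pkg, release))
```

The naive check flags the patched focal package as vulnerable while the distro-aware check does not; for xenial it returns None rather than False, because the absence of a fixed revision must be treated as "unknown, assume affected", not as "clean". The version table alone cannot prove a backport exists: on the host itself, `zcat /usr/share/doc/openssl/changelog.Debian.gz | grep CVE-2022-1292` confirms whether the revision actually names the CVE.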