Trying to understand the function/purpose/effectiveness of LTS
Ralf Mardorf
silver.bullet at zoho.com
Sun Apr 26 21:29:43 UTC 2020
On Sun, 26 Apr 2020 21:18:09 +0100, Shamim Shahriar wrote:
>[snip] We use Nessus for security scanning/testing, and all these
>servers are complaining about OpenSSL 1.0.x and TLSv1 and TLSv1.1.
Hi,
obviously it does check against outdated versions, but not if those
versions have security patches applied.
>[snip] I am genuinely trying to understand, what is the benefit having
>LTS if none of the security issues are taken care of. [snip]
[weremouse at moonstudio ~]$ lsb_release -a
LSB Version: core-9.20160110ubuntu0.2-amd64:core-9.20160110ubuntu0.2-noarch:security-9.20160110ubuntu0.2-amd64:security-9.20160110ubuntu0.2-noarch
Distributor ID: Ubuntu
Description: Ubuntu 16.04.6 LTS
Release: 16.04
Codename: xenial
[weremouse at moonstudio ~]$ grep openssl:amd64 /var/log/dpkg.log | grep up | tail -5
2018-03-29 02:12:25 upgrade openssl:amd64 1.0.2g-1ubuntu4.10 1.0.2g-1ubuntu4.11
2018-04-19 21:52:36 upgrade openssl:amd64 1.0.2g-1ubuntu4.11 1.0.2g-1ubuntu4.12
2018-06-27 06:25:49 upgrade openssl:amd64 1.0.2g-1ubuntu4.12 1.0.2g-1ubuntu4.13
2018-12-06 22:25:01 upgrade openssl:amd64 1.0.2g-1ubuntu4.13 1.0.2g-1ubuntu4.14
2019-03-01 10:15:45 upgrade openssl:amd64 1.0.2g-1ubuntu4.14 1.0.2g-1ubuntu4.15
[weremouse at moonstudio ~]$ apt-get changelog openssl | head -28
Get:1 http://changelogs.ubuntu.com openssl 1.0.2g-1ubuntu4.15 Changelog [158 kB]
openssl (1.0.2g-1ubuntu4.15) xenial-security; urgency=medium
* SECURITY UPDATE: 0-byte record padding oracle
- debian/patches/CVE-2019-1559.patch: go into the error state if a
fatal alert is sent or received in ssl/d1_pkt.c, ssl/s3_pkt.c.
- CVE-2019-1559
-- Marc Deslauriers <marc.deslauriers at ubuntu.com> Tue, 26 Feb 2019 13:16:01 -0500
openssl (1.0.2g-1ubuntu4.14) xenial-security; urgency=medium
* SECURITY UPDATE: PortSmash side channel attack
- debian/patches/CVE-2018-5407.patch: fix timing vulnerability in
crypto/bn/bn_lib.c, crypto/ec/ec_mult.c.
- CVE-2018-5407
* SECURITY UPDATE: timing side channel attack in DSA
- debian/patches/CVE-2018-0734-pre1.patch: address a timing side
channel in crypto/dsa/dsa_ossl.c.
- debian/patches/CVE-2018-0734-1.patch: fix timing vulnerability in
crypto/dsa/dsa_ossl.c.
- debian/patches/CVE-2018-0734-2.patch: fix mod inverse in
crypto/dsa/dsa_ossl.c.
- debian/patches/CVE-2018-0734-3.patch: add a constant time flag in
crypto/dsa/dsa_ossl.c.
- CVE-2018-0734
-- Marc Deslauriers <marc.deslauriers at ubuntu.com> Tue, 04 Dec 2018 08:38:18 -0500
Regards,
Ralf
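The manual check above (reading the package changelog for the CVE a scanner flags and comparing against the installed version) can be scripted. This is an added example, not part of the list post; `cve_fixed_in`, `installed_covers` and `check_cve` are assumed helper names, and the embedded changelog is a constructed sample modelled on the xenial openssl entries quoted above.

```shell
#!/bin/sh
# Given a CVE id and a Debian-style changelog on stdin, print the newest
# package version whose stanza mentions that CVE, i.e. the distro version
# in which the fix was backported (assumed helper, not from the post).
cve_fixed_in() {
    cve="$1"
    awk -v cve="$cve" '
        # Stanza header looks like: "openssl (1.0.2g-1ubuntu4.15) xenial-security; ..."
        /^[a-z0-9.+-]+ \([^)]+\) / {
            ver = $2; sub(/^\(/, "", ver); sub(/\)$/, "", ver)
        }
        # First stanza (newest first) that names the CVE wins.
        index($0, cve) && ver != "" && !done { print ver; done = 1 }
    '
}

# Constructed sample in the same layout as "apt-get changelog openssl".
SAMPLE_CHANGELOG='openssl (1.0.2g-1ubuntu4.15) xenial-security; urgency=medium
  * SECURITY UPDATE: 0-byte record padding oracle
    - CVE-2019-1559
openssl (1.0.2g-1ubuntu4.14) xenial-security; urgency=medium
  * SECURITY UPDATE: PortSmash side channel attack
    - CVE-2018-5407
  * SECURITY UPDATE: timing side channel attack in DSA
    - CVE-2018-0734
'

# True when the installed version is at least the fixing version. dpkg knows
# how to order Debian revisions such as 1ubuntu4.14 < 1ubuntu4.15; fall back
# to GNU sort -V where dpkg is not installed.
installed_covers() {
    inst="$1"; fix="$2"
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --compare-versions "$inst" ge "$fix"
    else
        [ "$(printf '%s\n%s\n' "$fix" "$inst" | sort -V | tail -1)" = "$inst" ]
    fi
}

# Verdict for one CVE against the installed version of the package.
check_cve() {
    cve="$1"; inst="$2"
    fix=$(printf '%s' "$SAMPLE_CHANGELOG" | cve_fixed_in "$cve")
    if [ -z "$fix" ]; then
        echo "unknown"             # changelog never mentions the CVE
    elif installed_covers "$inst" "$fix"; then
        echo "fixed in $fix"       # backport already applied
    else
        echo "NOT fixed"           # installed version predates the backport
    fi
}
```

On a real host replace the sample with `apt-get changelog openssl | cve_fixed_in CVE-2019-1559` and take the installed version from `dpkg-query -W -f '${Version}' openssl`.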