Cloudron makes it easy to run web apps like WordPress, Nextcloud, GitLab on your server. Find out more or install now.


  • Categories
  • Recent
  • Tags
  • Popular
  • Bookmarks
Skins
  • Light
  • Cerulean
  • Cosmo
  • Flatly
  • Journal
  • Litera
  • Lumen
  • Lux
  • Materia
  • Minty
  • Morph
  • Pulse
  • Sandstone
  • Simplex
  • Sketchy
  • Spacelab
  • United
  • Yeti
  • Zephyr
  • Dark
  • Cyborg
  • Darkly
  • Quartz
  • Slate
  • Solar
  • Superhero
  • Vapor

  • Default (No Skin)
  • No Skin
Collapse

Cloudron Forum

Apps | Demo | Docs | Install

HIGH security update OpenSSL announced

Scheduled Pinned Locked Moved Solved Support
securityupdates
11 Posts 4 Posters 550 Views
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • imc67I Offline
    imc67I Offline
    imc67 translator
    wrote on last edited by girish
    #1

    @girish I don’t know if Cloudron uses OpenSSL but they announced a high security issue update:

    https://mta.openssl.org/pipermail/openssl-announce/2021-March/000196.html

    1 Reply Last reply
    2
  • nebulonN Offline
    nebulonN Offline
    nebulon Staff
    wrote on last edited by
    #2

    Thanks for the heads up. Such security updates would be applied through the automatic Ubuntu security updates. Which is enabled on Cloudrons.

    1 Reply Last reply
    1
  • girishG Offline
    girishG Offline
    girish Staff
    wrote on last edited by
    #3

    You can run unattended-upgrade -d to get the updates. Note that the new openssl release itself is coming only on 25th. So, I expect it to come to ubuntu over the weekend.

    imc67I 1 Reply Last reply
    2
  • imc67I Offline
    imc67I Offline
    imc67 translator
    replied to girish on last edited by
    #4

    @girish I think it's good if you guys can have a look at OpenSSL in Ubuntu/Cloudron.

    If Cloudron uses OpenSSL then there is an issue as:

    Ubuntu 18.04 hasn't updated OpenSSL since the 1.1.1 release on 11 sep 2018
    Ubuntu 20.04 hasn't updated OpenSSL since 1.1.1f release on 31 march 2020

    As you can see here https://www.openssl.org/news/openssl-1.1.1-notes.html there are several security issues and the latest release today (1.1.1.k) even 2 High CVE's.

    What do you guys think of this?

    Ubuntu 18.04:
    ~# openssl version -a
    OpenSSL 1.1.1  11 Sep 2018
    
    Ubuntu 20.04:
    ~# openssl version -a
    OpenSSL 1.1.1f  31 Mar 2020
    
    girishG 1 Reply Last reply
    0
  • girishG Offline
    girishG Offline
    girish Staff
    replied to imc67 on last edited by
    #5

    @imc67 The packages will come via ubuntu security updates. Automatic security updates are already enabled on all Cloudron servers.

    The version of the upstream package may not match the ubuntu package. For example, the security fix was merged as https://launchpad.net/ubuntu/+source/openssl/1.1.1f-1ubuntu2.3 into focal (so the version is still at 'f'). On my ubuntu 20, I was able to apply the update immediately:

    # apt info openssl
    ...
    Package: openssl
    Version: 1.1.1f-1ubuntu2.2
    ...
    
    # apt update
    # apt install openssl
    # apt info openssl
    ...
    Package: openssl
    Version: 1.1.1f-1ubuntu2.3
    ...
    

    Curiously, it has some time in the future

    # openssl version
    OpenSSL 1.1.1f  31 Mar 2020
    

    For ubuntu 18, it seems the update hasn't propagated yet for DO mirrors atleast. I think the patch is at https://launchpad.net/ubuntu/+source/openssl/1.1.1-1ubuntu2.1~18.04.9 (so that's the package version you want to look for).

    1 Reply Last reply
    2
  • girishG Offline
    girishG Offline
    girish Staff
    wrote on last edited by
    #6

    On ubuntu 18, I see the package is 1.1.1-1ubuntu2.1~18.04.6. It should become 1.1.1-1ubuntu2.1~18.04.9 at some point.

    1 Reply Last reply
    1
  • imc67I Offline
    imc67I Offline
    imc67 translator
    wrote on last edited by
    #7

    @girish with your, again, excellent explanation I can sleep well tonight 😃

    Thanks!

    girishG mehdiM 2 Replies Last reply
    0
  • girishG Offline
    girishG Offline
    girish Staff
    replied to imc67 on last edited by
    #8

    @imc67 I am a bit surprised that I am not seeing the Ubuntu 18 yet. I don't know if this is a mirror issue or what 🤔 Anyway, I will try it again later today and see if it comes through.

    1 Reply Last reply
    0
  • mehdiM Offline
    mehdiM Offline
    mehdi App Dev
    replied to imc67 on last edited by
    #9

    @imc67 In any case, only newer versions are affected:

    OpenSSL versions 1.1.1h and newer are affected by this issue.

    According to https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3450

    So Ubuntu was probably not vulnerable.

    girishG 1 Reply Last reply
    1
  • girishG Offline
    girishG Offline
    girish Staff
    replied to mehdi on last edited by
    #10

    @mehdi I think there are two CVEs -CVE-2021-3449 and CVE-2021-3450. The former is patched into unbuntu but not latter. I think your explanation is probably why the latter didn't need a fix.

    1 Reply Last reply
    1
  • girishG Offline
    girishG Offline
    girish Staff
    wrote on last edited by
    #11

    Ubuntu notice - https://ubuntu.com/security/notices/USN-4891-1

    1 Reply Last reply
    1

  • Login

  • Don't have an account? Register

  • Login or register to search.
  • First post
    Last post
0
  • Categories
  • Recent
  • Tags
  • Popular
  • Bookmarks
  • Login

  • Don't have an account? Register

  • Login or register to search.