Solved HIGH security update OpenSSL announced

imc67

@girish I don’t know if Cloudron uses OpenSSL but they announced a high security issue update:

https://mta.openssl.org/pipermail/openssl-announce/2021-March/000196.html

nebulon

Thanks for the heads up. Such security updates would be applied through the automatic Ubuntu security updates. Which is enabled on Cloudrons.

girish

You can run unattended-upgrade -d to get the updates. Note that the new openssl release itself is coming only on 25th. So, I expect it to come to ubuntu over the weekend.

imc67

@girish I think it's good if you guys can have a look at OpenSSL in Ubuntu/Cloudron.

If Cloudron uses OpenSSL then there is an issue as:

Ubuntu 18.04 hasn't updated OpenSSL since the 1.1.1 release on 11 sep 2018
Ubuntu 20.04 hasn't updated OpenSSL since 1.1.1f release on 31 march 2020

As you can see here https://www.openssl.org/news/openssl-1.1.1-notes.html there are several security issues and the latest release today (1.1.1.k) even 2 High CVE's.

What do you guys think of this?

Ubuntu 18.04:
~# openssl version -a
OpenSSL 1.1.1  11 Sep 2018

Ubuntu 20.04:
~# openssl version -a
OpenSSL 1.1.1f  31 Mar 2020

girish

@imc67 The packages will come via ubuntu security updates. Automatic security updates are already enabled on all Cloudron servers.

The version of the upstream package may not match the ubuntu package. For example, the security fix was merged as https://launchpad.net/ubuntu/+source/openssl/1.1.1f-1ubuntu2.3 into focal (so the version is still at 'f'). On my ubuntu 20, I was able to apply the update immediately:

# apt info openssl
...
Package: openssl
Version: 1.1.1f-1ubuntu2.2
...

# apt update
# apt install openssl
# apt info openssl
...
Package: openssl
Version: 1.1.1f-1ubuntu2.3
...

Curiously, it has some time in the future

# openssl version
OpenSSL 1.1.1f  31 Mar 2020

For ubuntu 18, it seems the update hasn't propagated yet for DO mirrors atleast. I think the patch is at https://launchpad.net/ubuntu/+source/openssl/1.1.1-1ubuntu2.1~18.04.9 (so that's the package version you want to look for).

girish

On ubuntu 18, I see the package is 1.1.1-1ubuntu2.1~18.04.6. It should become 1.1.1-1ubuntu2.1~18.04.9 at some point.

imc67

@girish with your, again, excellent explanation I can sleep well tonight

Thanks!

girish

@imc67 I am a bit surprised that I am not seeing the Ubuntu 18 yet. I don't know if this is a mirror issue or what Anyway, I will try it again later today and see if it comes through.

mehdi

@imc67 In any case, only newer versions are affected:

OpenSSL versions 1.1.1h and newer are affected by this issue.

According to https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3450

So Ubuntu was probably not vulnerable.

girish

@mehdi I think there are two CVEs -CVE-2021-3449 and CVE-2021-3450. The former is patched into unbuntu but not latter. I think your explanation is probably why the latter didn't need a fix.

girish

Ubuntu notice - https://ubuntu.com/security/notices/USN-4891-1