

    Cloudron Forum


    Solved HIGH security update OpenSSL announced

    Support
    security updates
    • imc67
      imc67 translator last edited by girish

      @girish I don’t know if Cloudron uses OpenSSL but they announced a high security issue update:

      https://mta.openssl.org/pipermail/openssl-announce/2021-March/000196.html

      • nebulon
        nebulon Staff last edited by

        Thanks for the heads up. Such security updates would be applied through the automatic Ubuntu security updates, which are enabled on Cloudrons.

        • girish
          girish Staff last edited by

          You can run unattended-upgrade -d to get the updates. Note that the new openssl release itself is coming only on 25th. So, I expect it to come to ubuntu over the weekend.

          • imc67
            imc67 translator @girish last edited by

            @girish I think it's good if you guys can have a look at OpenSSL in Ubuntu/Cloudron.

            If Cloudron uses OpenSSL then there is an issue as:

            Ubuntu 18.04 hasn't updated OpenSSL since the 1.1.1 release on 11 Sep 2018
            Ubuntu 20.04 hasn't updated OpenSSL since the 1.1.1f release on 31 March 2020

            As you can see here https://www.openssl.org/news/openssl-1.1.1-notes.html there are several security issues and the latest release today (1.1.1k) even fixes 2 High CVEs.

            What do you guys think of this?

            Ubuntu 18.04:
            ~# openssl version -a
            OpenSSL 1.1.1  11 Sep 2018
            
            Ubuntu 20.04:
            ~# openssl version -a
            OpenSSL 1.1.1f  31 Mar 2020
            
            • girish
              girish Staff @imc67 last edited by

              @imc67 The packages will come via ubuntu security updates. Automatic security updates are already enabled on all Cloudron servers.

              The version of the upstream package may not match the Ubuntu package. For example, the security fix was merged as https://launchpad.net/ubuntu/+source/openssl/1.1.1f-1ubuntu2.3 into focal (so the version is still at 'f'). On my Ubuntu 20, I was able to apply the update immediately:

              # apt info openssl
              ...
              Package: openssl
              Version: 1.1.1f-1ubuntu2.2
              ...
              
              # apt update
              # apt install openssl
              # apt info openssl
              ...
              Package: openssl
              Version: 1.1.1f-1ubuntu2.3
              ...
              

              Curiously, it has some time in the future

              # openssl version
              OpenSSL 1.1.1f  31 Mar 2020
              

              For Ubuntu 18, it seems the update hasn't propagated yet for DO mirrors at least. I think the patch is at https://launchpad.net/ubuntu/+source/openssl/1.1.1-1ubuntu2.1~18.04.9 (so that's the package version you want to look for).

              • girish
                girish Staff last edited by

                On Ubuntu 18, I see the package is 1.1.1-1ubuntu2.1~18.04.6. It should become 1.1.1-1ubuntu2.1~18.04.9 at some point.

                • imc67
                  imc67 translator last edited by

                  @girish with your, again, excellent explanation I can sleep well tonight 😃

                  Thanks!

                  • girish
                    girish Staff @imc67 last edited by

                    @imc67 I am a bit surprised that I am not seeing the Ubuntu 18 yet. I don't know if this is a mirror issue or what 🤔 Anyway, I will try it again later today and see if it comes through.

                    • mehdi
                      mehdi App Dev @imc67 last edited by

                      @imc67 In any case, only newer versions are affected:

                      OpenSSL versions 1.1.1h and newer are affected by this issue.

                      According to https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3450

                      So Ubuntu was probably not vulnerable.

                      • girish
                        girish Staff @mehdi last edited by

                        @mehdi I think there are two CVEs: CVE-2021-3449 and CVE-2021-3450. The former is patched in Ubuntu but not the latter. I think your explanation is probably why the latter didn't need a fix.

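Two points in this thread are easy to get wrong when auditing a server: girish's observation that `openssl version` keeps printing "1.1.1f" after the fix because Ubuntu backports the patch and only bumps the Debian revision, and mehdi's note that CVE-2021-3450 affects upstream 1.1.1h and newer only. The following is an added example, not code from Cloudron or from anyone in this thread. It ports dpkg's version-ordering rules to Python so the installed package version can be compared against the fixed versions quoted above (1.1.1f-1ubuntu2.3 for 20.04, 1.1.1-1ubuntu2.1~18.04.9 for 18.04), and checks whether the upstream part falls in the 1.1.1h..1.1.1j window. The release keys (`focal`, `bionic`) and the sample `apt info` text are assumptions constructed for the example.

```python
"""Check whether an Ubuntu openssl package carries the USN-4891-1 fix.

The check compares full Debian package versions with dpkg's ordering rules,
because the upstream string printed by `openssl version` does not change
when Ubuntu backports a security fix.
"""

# Fixed package versions quoted in the thread (USN-4891-1), keyed by release.
# The release names are an assumption for this example.
FIXED_VERSIONS = {
    "focal": "1.1.1f-1ubuntu2.3",           # Ubuntu 20.04
    "bionic": "1.1.1-1ubuntu2.1~18.04.9",   # Ubuntu 18.04
}

# Upstream range affected by CVE-2021-3450: 1.1.1h and newer, fixed in 1.1.1k.
CVE_2021_3450_FIRST_AFFECTED = "1.1.1h"
CVE_2021_3450_FIXED = "1.1.1k"

# Constructed sample of `apt info openssl` output, modelled on the thread.
SAMPLE_APT_INFO_BEFORE = """\
Package: openssl
Version: 1.1.1f-1ubuntu2.2
Priority: important
"""


def _order(c):
    """Character weight used by dpkg: '~' sorts before everything, even the end."""
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _verrevcmp(a, b):
    """Port of dpkg's verrevcmp(): alternate non-digit and numeric segments."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: compare character by character with dpkg weights.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Numeric run: drop leading zeros; the longer run wins, else the first differing digit.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(version):
    """Split [epoch:]upstream[-revision] into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    else:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1, ordered like `dpkg --compare-versions`."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return (ea > eb) - (ea < eb)
    r = _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (r > 0) - (r < 0)


def version_from_apt_info(text):
    """Pull the package version out of `apt info` / `apt-cache show` output."""
    for line in text.splitlines():
        if line.startswith("Version:"):
            return line.split(":", 1)[1].strip()
    raise ValueError("no Version: line found")


def is_patched(release, installed):
    """True when the installed package is at or past the USN-4891-1 version."""
    return compare_versions(installed, FIXED_VERSIONS[release]) >= 0


def upstream_in_cve_2021_3450_range(installed):
    """True when the upstream part of the version lies in 1.1.1h..1.1.1j."""
    upstream = parse_version(installed)[1]
    return (compare_versions(upstream, CVE_2021_3450_FIRST_AFFECTED) >= 0
            and compare_versions(upstream, CVE_2021_3450_FIXED) < 0)


if __name__ == "__main__":
    installed = version_from_apt_info(SAMPLE_APT_INFO_BEFORE)
    print(installed, "patched on focal:", is_patched("focal", installed))
    print("1.1.1-1ubuntu2.1~18.04.6 patched on bionic:",
          is_patched("bionic", "1.1.1-1ubuntu2.1~18.04.6"))
```

On a real host, feed it the output of `apt info openssl` (or `dpkg-query -W -f='${Version}' libssl1.1`, since the library package is what running services actually load) rather than `openssl version`. The tilde handling matters for the 18.04 case: `1.1.1-1ubuntu2.1~18.04.9` sorts below a hypothetical `1.1.1-1ubuntu2.1`, which is exactly why naive string or float comparison of these versions gives wrong answers.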
                        • girish
                          girish Staff last edited by

                          Ubuntu notice - https://ubuntu.com/security/notices/USN-4891-1
