Solved HIGH security update OpenSSL announced
@girish I don’t know if Cloudron uses OpenSSL but they announced a high security issue update:
Thanks for the heads up. Such security updates would be applied through the automatic Ubuntu security updates. Which is enabled on Cloudrons.
You can run
unattended-upgrade -dto get the updates. Note that the new openssl release itself is coming only on 25th. So, I expect it to come to ubuntu over the weekend.
@girish I think it's good if you guys can have a look at OpenSSL in Ubuntu/Cloudron.
If Cloudron uses OpenSSL then there is an issue as:
Ubuntu 18.04 hasn't updated OpenSSL since the 1.1.1 release on 11 sep 2018
Ubuntu 20.04 hasn't updated OpenSSL since 1.1.1f release on 31 march 2020
As you can see here https://www.openssl.org/news/openssl-1.1.1-notes.html there are several security issues and the latest release today (1.1.1.k) even 2 High CVE's.
What do you guys think of this?
Ubuntu 18.04: ~# openssl version -a OpenSSL 1.1.1 11 Sep 2018 Ubuntu 20.04: ~# openssl version -a OpenSSL 1.1.1f 31 Mar 2020
@imc67 The packages will come via ubuntu security updates. Automatic security updates are already enabled on all Cloudron servers.
The version of the upstream package may not match the ubuntu package. For example, the security fix was merged as https://launchpad.net/ubuntu/+source/openssl/1.1.1f-1ubuntu2.3 into focal (so the version is still at 'f'). On my ubuntu 20, I was able to apply the update immediately:
# apt info openssl ... Package: openssl Version: 1.1.1f-1ubuntu2.2 ... # apt update # apt install openssl # apt info openssl ... Package: openssl Version: 1.1.1f-1ubuntu2.3 ...
Curiously, it has some time in the future
# openssl version OpenSSL 1.1.1f 31 Mar 2020
For ubuntu 18, it seems the update hasn't propagated yet for DO mirrors atleast. I think the patch is at https://launchpad.net/ubuntu/+source/openssl/1.1.1-1ubuntu2.1~18.04.9 (so that's the package version you want to look for).
On ubuntu 18, I see the package is
1.1.1-1ubuntu2.1~18.04.6. It should become
1.1.1-1ubuntu2.1~18.04.9at some point.
@girish with your, again, excellent explanation I can sleep well tonight
@imc67 I am a bit surprised that I am not seeing the Ubuntu 18 yet. I don't know if this is a mirror issue or what Anyway, I will try it again later today and see if it comes through.
@imc67 In any case, only newer versions are affected:
OpenSSL versions 1.1.1h and newer are affected by this issue.
So Ubuntu was probably not vulnerable.
@mehdi I think there are two CVEs -CVE-2021-3449 and CVE-2021-3450. The former is patched into unbuntu but not latter. I think your explanation is probably why the latter didn't need a fix.
Ubuntu notice - https://ubuntu.com/security/notices/USN-4891-1