[Bug 1649657] Re: OpenSSL version is not dependable

Michael Truog 1649657 at bugs.launchpad.net
Tue Dec 13 18:41:46 UTC 2016


This problem needs to be handled as a bug due to its effect on OpenSSL
use.  Handling single patches with the Ubuntu OpenSSL package creates
this problem, due to the lack of a version update.  Instead, Ubuntu
should be using mainline OpenSSL to avoid problems like
https://en.wikipedia.org/wiki/OpenSSL#Predictable_private_keys_.28Debian-specific.29 .
If there are any problems with using mainline
OpenSSL, they could always be added there, but it would be strange that
there should be any at this point in time, which should make it hard to
justify the current Ubuntu practice of only using individual patches.

Switching to using the mainline OpenSSL source code would help to avoid
liability that would otherwise fall on Ubuntu, for failure with
individual OpenSSL source code changes.  My main concern is having a
dependable OpenSSL version to check based on the public OpenSSL
vulnerabilities that are published.  The situation we have now makes the
Ubuntu OpenSSL version useless, which prevents any reliable checking and
automatically makes the Ubuntu OpenSSL look insecure, or at least
untrustworthy, due to the custom effort required to merge patches.  With
a change to use mainline OpenSSL, usage of OpenSSL can check the version
returned to evaluate if usage is secure.  This is important due to
programming language usage of OpenSSL and the potential for impact on
runtime use.
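As an added example (not part of this thread or of any Ubuntu tooling), the following shows why a checker on Ubuntu cannot rely on the `openssl version` string from the report above and what it has to compare instead: the Debian package version, using dpkg's own ordering rules (re-implemented here rather than shelling out to `dpkg --compare-versions`). The sample strings are constructed, and the "first fixed" package revision is a placeholder that would be taken from the relevant Ubuntu Security Notice.

```python
import re
# Constructed sample data (not from the report): what a checker would read from
# `openssl version` and `dpkg-query -W -f '${Version}' libssl1.0.0`.
UPSTREAM_LINE = "OpenSSL 1.0.1f 6 Jan 2014"
PACKAGE_VERSION = "1.0.1f-1ubuntu2.21"
FIXED_UPSTREAM_VERSION = "1.0.1u"  # upstream release that carries the fix
FIXED_PACKAGE_VERSION = "1.0.1f-1ubuntu2.20"  # PLACEHOLDER: take the real value from the USN

def upstream_version(version_line):  # 'OpenSSL 1.0.1f 6 Jan 2014' -> '1.0.1f'
    return version_line.split()[1]

def _order(ch):
    """dpkg ordering for one character: '~' < end or digit < letters < other symbols."""
    if not ch or ch.isdigit():
        return 0
    return -1 if ch == "~" else ord(ch) if ch.isalpha() else ord(ch) + 256

def _cmp_fragment(a, b):
    """dpkg's comparison of one version part (upstream or revision)."""
    while a or b:
        # non-digit run: compare character by character with dpkg's ordering
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            diff = _order(a[:1]) - _order(b[:1])
            if diff:
                return diff
            a, b = a[1:], b[1:]
        # digit run: compare numerically, so 2.21 sorts after 2.9
        ma, mb = re.match(r"\d*", a), re.match(r"\d*", b)
        diff = int(ma.group() or 0) - int(mb.group() or 0)
        if diff:
            return diff
        a, b = a[ma.end():], b[mb.end():]
    return 0

def dpkg_compare(v1, v2):
    """Negative, zero or positive like `dpkg --compare-versions` (re-implemented here)."""
    def split(v):  # 'epoch:upstream-revision'; epoch defaults to 0, revision to ''
        epoch, _, rest = v.rpartition(":")
        upstream, _, revision = rest.rpartition("-")
        return int(epoch or 0), upstream or rest, revision if upstream else ""
    (e1, u1, r1), (e2, u2, r2) = split(v1), split(v2)
    return (e1 - e2) or _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)

def vulnerable_by_upstream(version_line, fixed_upstream):
    """Naive check on the `openssl version` string: blind to backported fixes."""
    return _cmp_fragment(upstream_version(version_line), fixed_upstream) < 0

def vulnerable_by_package(package_version, fixed_package):
    """Check the package version against the first Ubuntu revision carrying the fix."""
    return dpkg_compare(package_version, fixed_package) < 0
```

On the sample data the upstream check flags 1.0.1f as vulnerable while the package check, fed the revision that actually carries the backport, does not; the package check is the one that answers the question the thread raises.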

https://bugs.launchpad.net/bugs/1649657

Title:
  OpenSSL version is not dependable

Status in openssl package in Ubuntu:
  New

Bug description:
  Greetings!

  Is there any reason why Ubuntu 14.04 LTS openssl version is still
  1.0.1f?

  From https://www.openssl.org/news/openssl-1.0.1-notes.html there have
  been a lot of patches since that version. In fact this critical patch
  https://www.openssl.org/news/vulnerabilities.html#2016-6304 is only
  available in latest version OpenSSL 1.0.1u [22 Sep 2016].

  I ran the below:
  sudo apt-get update
  sudo apt-get install openssl libssl-dev
  openssl version -a

  And I got:
  $ openssl version -a
  OpenSSL 1.0.1f 6 Jan 2014
  built on: Fri Sep 23 12:19:57 UTC 2016
  platform: debian-amd64
  options:  bn(64,64) rc4(8x,int) des(idx,cisc,16,int) blowfish(idx) 
  compiler: cc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -DTERMIO -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -Wl,-Bsymbolic-functions -Wl,-z,relro -Wa,--noexecstack -Wall -DMD32_REG_T=int -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
  OPENSSLDIR: "/usr/lib/ssl"

  Does this mean that 4 hours and 10 minutes ago 1.0.1f was rebuilt?

  Best,
  - Nestor
