Trying to understand the function/purpose/effectiveness of LTS

Tony Arnold tony.arnold at manchester.ac.uk
Mon Apr 27 08:27:13 UTC 2020


Hi Shamim,


On Sun, 2020-04-26 at 21:18 +0100, Shamim Shahriar wrote:

> I have been tasked with looking after a few Ubuntu LTS (16) servers. We
> use Nessus for security scanning/testing, and all these servers are
> complaining about OpenSSL 1.0.x and TLSv1 and TLSv1.1. However, as I try
> to run update and upgrade -- there does not appear to be any update for
> OpenSSL or any of the relevant packages (Apache, Nginx, OpenSSH). The
> best I could find through google search is manual injection of OpenSSL,
> which has the potential to break anything and everything that may rely
> on the older version of the libraries. Also, if I have to do manual
> injection, that forfeits the purpose of having a LTS (in my opinion).

OpenSSL and TLS are encryption standards used by web servers during
https connections. The versions of these encryption standards that are
allowed by the web server are controlled by the Apache or Nginx
configuration files and not by the version of the software packages
installed.

I would disallow OpenSSL and limit TLS to a minimum version of 1.2.

Is Nessus reporting on what the web server is allowing, or are you
using authenticated scanning and it's reporting the package versions?
It sounds like the former to me.

Hope this helps.

Regards,
Tony.
-- 
Tony Arnold MBCS, CITP | Senior IT Security Analyst | Directorate of IT Services | G64, Kilburn Building | The University of Manchester | Manchester M13 9PL | T: +44 161 275 6093 | M: +44 773 330 0039
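The reply above says the permitted protocol versions come from the Apache or Nginx configuration rather than from the installed package version. The script below is an added illustration, not code from this thread or from either project: it reads the two directives in question (nginx `ssl_protocols`, Apache `SSLProtocol`), applies Apache's `+`/`-` semantics, and reports which legacy versions a configuration still permits, so an admin can check a config file before or after editing it. The sample configurations are constructed; what Apache's `all` expands to and the defaults used when the directive is absent are assumptions for a 16.04-era mod_ssl/nginx built against OpenSSL 1.0.2 (no TLSv1.3), and the "last directive wins" rule is a simplification of both servers' context inheritance.

```python
"""Report which legacy SSL/TLS versions a web server configuration permits.

Added example for the ubuntu-users thread, not code from the thread or from
Apache/nginx. Parsing is limited to the single directive each server uses.
"""
import re

# Versions a scanner such as Nessus reports as deprecated.
LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# Assumption: what Apache's "all" keyword expands to with OpenSSL 1.0.2.
APACHE_ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}
# Assumption: defaults applied when the directive is absent
# (nginx >= 1.9.1 ships "TLSv1 TLSv1.1 TLSv1.2"; Apache 2.4 documents "all -SSLv3").
NGINX_DEFAULT = {"TLSv1", "TLSv1.1", "TLSv1.2"}
APACHE_DEFAULT = APACHE_ALL - {"SSLv3"}

# Apache matches protocol names case-insensitively; map them to one spelling.
_CANON = {name.lower(): name for name in APACHE_ALL | {"SSLv2", "TLSv1.3"}}


def _strip_comments(text):
    """Drop '#' comments so a commented-out directive is not picked up."""
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())


def nginx_protocols(config):
    """Protocols enabled by the last ssl_protocols directive (or the assumed default)."""
    found = re.findall(r"^\s*ssl_protocols\s+([^;]+);", _strip_comments(config), re.M)
    if not found:
        return set(NGINX_DEFAULT)
    return set(found[-1].split())


def apache_protocols(config):
    """Protocols enabled by the last SSLProtocol directive (or the assumed default).

    Apache semantics: a bare token replaces the set, '+' adds, '-' removes.
    """
    found = re.findall(r"^\s*SSLProtocol\s+(.+?)\s*$", _strip_comments(config), re.M | re.I)
    if not found:
        return set(APACHE_DEFAULT)
    enabled = set()
    for token in found[-1].split():
        action, raw = (token[0], token[1:]) if token[0] in "+-" else ("", token)
        names = set(APACHE_ALL) if raw.lower() == "all" else {_CANON.get(raw.lower(), raw)}
        if action == "-":
            enabled -= names
        elif action == "+":
            enabled |= names
        else:
            enabled = names
    return enabled


def legacy_enabled(config, flavour):
    """Sorted list of deprecated versions the config still allows; empty means clean."""
    enabled = nginx_protocols(config) if flavour == "nginx" else apache_protocols(config)
    return sorted(enabled & LEGACY)


# Constructed sample configurations: the setting a scanner flags beside its fix.
NGINX_WEAK = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;   # still offers TLSv1 and TLSv1.1
}
"""
NGINX_FIXED = NGINX_WEAK.replace("TLSv1 TLSv1.1 TLSv1.2", "TLSv1.2")
APACHE_WEAK = "SSLEngine on\nSSLProtocol all -SSLv3\n"
APACHE_FIXED = "SSLEngine on\nSSLProtocol all -SSLv3 -TLSv1 -TLSv1.1\n"

if __name__ == "__main__":
    for label, cfg, flavour in [("nginx (weak)", NGINX_WEAK, "nginx"),
                                ("nginx (fixed)", NGINX_FIXED, "nginx"),
                                ("apache (weak)", APACHE_WEAK, "apache"),
                                ("apache (fixed)", APACHE_FIXED, "apache")]:
        print(f"{label:15} legacy versions permitted: {legacy_enabled(cfg, flavour) or 'none'}")
```

Run it against a real `sites-enabled` file by passing the file's contents to `legacy_enabled`; an empty result for every enabled site means the server-side configuration is no longer the reason for the TLSv1/TLSv1.1 findings, which is the distinction the reply draws between what the web server offers and what an authenticated scan reports about package versions.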