OpenSSL version is not dependable
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
openssl (Ubuntu) | Invalid | Undecided | Unassigned |
Bug Description
Greetings!
Is there any reason why Ubuntu 14.04 LTS openssl version is still 1.0.1f?
From https:/
I ran the commands below:
```sh
sudo apt-get update
sudo apt-get install openssl libssl-dev
openssl version -a
```
And I got:
```
$ openssl version -a
OpenSSL 1.0.1f 6 Jan 2014
built on: Fri Sep 23 12:19:57 UTC 2016
platform: debian-amd64
options: bn(64,64) rc4(8x,int) des(idx,
compiler: cc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -DTERMIO -g -O2 -fstack-protector --param=
OPENSSLDIR: "/usr/lib/ssl"
```
Does this mean that 4 hours and 10 minutes ago 1.0.1f was rebuilt?
Best,
- Nestor
Changed in openssl (Ubuntu): status: New → Invalid
This problem needs to be handled as a bug due to its effect on OpenSSL use. Handling single patches with the Ubuntu OpenSSL package creates this problem, due to the lack of a version update. Instead, Ubuntu should be using mainline OpenSSL to avoid problems like https://en.wikipedia.org/wiki/OpenSSL#Predictable_private_keys_.28Debian-specific.29 . If there are any problems with using mainline OpenSSL, they could always be added there, but it would be strange that there should be any at this point in time, which should make it hard to justify the current Ubuntu practice of only using individual patches.
Switching to using the mainline OpenSSL source code would help to avoid liability that would otherwise fall on Ubuntu, for failure with individual OpenSSL source code changes. My main concern is having a dependable OpenSSL version to check based on the public OpenSSL vulnerabilities that are published. The situation we have now makes the Ubuntu OpenSSL version useless, which prevents any reliable checking and automatically makes the Ubuntu OpenSSL look insecure, or at least untrustworthy, due to the custom effort required to merge patches. With a change to use mainline OpenSSL, usage of OpenSSL can check the version returned to evaluate if usage is secure. This is important due to programming language usage of OpenSSL and the potential for impact on runtime use.
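The reporter's question and the comment above come down to the same point: on Ubuntu, `openssl version` keeps reporting the upstream base (1.0.1f) after security patches are backported, so the package revision (for example 1.0.1f-1ubuntu2.20) and the Debian changelog shipped with the package are what actually record which fixes are present. The shell script below is an added example, not code from the bug report or from Ubuntu. It assumes a POSIX shell with awk and either `dpkg` or GNU `sort -V`; the changelog excerpt, version numbers and maintainer lines in it are constructed for illustration in Debian changelog format, not copied from the real package.

```shell
#!/bin/sh
# Added example (not from the bug report or Ubuntu): decide whether an Ubuntu
# OpenSSL package carries a given CVE fix from the package revision and the
# Debian changelog, since `openssl version` only reports the upstream base.
# Assumptions: awk and dpkg or GNU sort -V are available; the changelog below
# is a constructed excerpt in Debian changelog format, not the real one.

# Constructed sample in the format of /usr/share/doc/libssl1.0.0/changelog.Debian.gz
# (newest stanza first). Versions, entries and maintainer lines are illustrative.
SAMPLE_CHANGELOG='openssl (1.0.1f-1ubuntu2.20) trusty-security; urgency=medium

  * SECURITY UPDATE: constructed entry that lists no CVE

 -- Example Maintainer <maint@example.org>  Fri, 23 Sep 2016 12:00:00 +0000

openssl (1.0.1f-1ubuntu2) trusty-security; urgency=medium

  * SECURITY UPDATE: constructed entry for CVE-2014-0160

 -- Example Maintainer <maint@example.org>  Mon, 07 Apr 2014 12:00:00 +0000
'

# The part `openssl version` shows: everything before the Debian revision.
upstream_version() {
    printf '%s\n' "${1%%-*}"
}

# Print the oldest package version whose changelog stanza mentions the CVE
# (the revision that introduced the fix); print nothing when no stanza does.
# $1 = CVE id, $2 = changelog text.
fix_version_for_cve() {
    printf '%s\n' "$2" | awk -v cve="$1" '
        /^openssl \(/ { v = $2; gsub(/[()]/, "", v) }
        index($0, cve) { found = v }
        END { if (found != "") print found }
    '
}

# True when version $1 >= version $2 in Debian ordering. Uses dpkg when present,
# otherwise GNU sort -V, which agrees with dpkg for revisions of one upstream
# version (1.0.1f-1ubuntu2 < 1.0.1f-1ubuntu2.20), the case that matters here.
version_ge() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --compare-versions "$1" ge "$2"
    else
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n 1)" = "$1" ]
    fi
}

# $1 = installed package version, $2 = CVE id, $3 = changelog text.
# Prints fixed, unfixed, or unknown (the changelog gives no evidence either way).
cve_status() {
    fix_ver=$(fix_version_for_cve "$2" "$3")
    if [ -z "$fix_ver" ]; then
        echo unknown
    elif version_ge "$1" "$fix_ver"; then
        echo fixed
    else
        echo unfixed
    fi
}

# Live variant for a real Ubuntu/Debian host: $1 = package name (libssl1.0.0
# on 14.04), $2 = CVE id. Reads the installed version and shipped changelog.
# Not exercised by the offline demo below.
installed_cve_status() {
    ver=$(dpkg-query -W -f='${Version}' "$1") || return 1
    log=$(zcat "/usr/share/doc/$1/changelog.Debian.gz") || return 1
    cve_status "$ver" "$2" "$log"
}

# Offline demo on the constructed data: the upstream string alone says 1.0.1f,
# the package revision and changelog say the CVE is fixed.
demo() {
    installed='1.0.1f-1ubuntu2.20'
    echo "upstream version string : $(upstream_version "$installed")"
    echo "package version         : $installed"
    echo "CVE-2014-0160 fixed in  : $(fix_version_for_cve CVE-2014-0160 "$SAMPLE_CHANGELOG")"
    echo "CVE-2014-0160 status    : $(cve_status "$installed" CVE-2014-0160 "$SAMPLE_CHANGELOG")"
}
demo
```

The `unknown` result matters as much as the other two: a CVE that never appears in the changelog has no recorded fix, so a scanner that only compares upstream version strings would report it as vulnerable, and a script that only greps for the CVE would report nothing. Checking the package revision against the stanza that introduced the fix answers the question the thread is asking without relying on the upstream string.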