Please upgrade to openssl 1.1.1g or later for 20.04

Bug #1911211 reported by Jim Campbell
Affects: openssl (Ubuntu)
Status: Invalid
Importance: Undecided
Assigned to: Unassigned

Bug Description

There is a CVE for openssl ( https://www.openssl.org/news/vulnerabilities.html#CVE-2020-1967 ) which has been resolved in openssl v1.1.1g. The currently-shipped version for Ubuntu 20.04 is 1.1.1f. I do see 1.1.1i as a branch in launchpad, but that appears to be an import from Debian Sid.

Please upgrade as you are able. I would be willing to test this package. Thank you!

Marc Deslauriers (mdeslaur) wrote :

We fixed that issue in the 1.1.1f-1ubuntu2 package:

openssl (1.1.1f-1ubuntu2) focal; urgency=medium

  * SECURITY UPDATE: Segmentation fault in SSL_check_chain
    - debian/patches/CVE-2020-1967-1.patch: add test for CVE-2020-1967 in
      test/recipes/70-test_sslsigalgs.t.
    - debian/patches/CVE-2020-1967-2.patch: fix NULL dereference in
      SSL_check_chain() for TLS 1.3 in ssl/t1_lib.c.
    - debian/patches/CVE-2020-1967-3.patch: fix test in
      test/recipes/70-test_sslsigalgs.t.
    - debian/patches/CVE-2020-1967-4.patch: fix test in
      test/recipes/70-test_sslsigalgs.t.
    - CVE-2020-1967

 -- Marc Deslauriers <email address hidden> Mon, 20 Apr 2020 07:53:50 -0400

Changed in openssl (Ubuntu):
status: New → Fix Released
Jim Campbell (jwcampbell) wrote :

A colleague is hitting an issue where this bug (or one like it) appears to still be present.

We're on openssl 1.1.1f-1ubuntu2.1:

dpkg -l openssl
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-==============-=================-============-====================================================
ii openssl 1.1.1f-1ubuntu2.1 amd64 Secure Sockets Layer toolkit - cryptographic utility

But are hitting this issue when connecting to an internal site:

$ curl --verbose https://internal-website.company.com
* Trying 192.168.1.76:443...
* TCP_NODELAY set
* Connected to internal-website.company.com (192.168.1.76) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* NPN, negotiated HTTP1.1
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (OUT), TLS alert, handshake failure (552):
* error:1414D172:SSL routines:tls12_check_peer_sigalg:wrong signature type
* Closing connection 0
curl: (35) error:1414D172:SSL routines:tls12_check_peer_sigalg:wrong signature type

This issue is resolved when we manually compile the 1.1.1g. From that coworker ... "It's annoying but setting LD_LIBRARY_PATH to a tmp directory where I downloaded and compiled 1.1.1g is a usable workaround"

Let me know if you need further information.

Changed in openssl (Ubuntu):
status: Fix Released → Incomplete
Changed in openssl (Ubuntu):
status: Incomplete → New
Marc Deslauriers (mdeslaur) wrote :

That is because the Ubuntu package sets a more secure security level than the 1.1.1g version you are compiling yourself.

Does it work if you add the following to your curl command line?

--ciphers 'DEFAULT:@SECLEVEL=1'
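
The check suggested in the comment above, wrapped as a triage function (an added example, not part of the bug report or of any Ubuntu tooling). It lowers the security level only for the single retry and only when the first error is one a security-level check can produce; the function name, the verdict strings and the error strings other than `wrong signature type` are assumptions of this example.

```shell
#!/bin/sh
# Added example: decide whether a TLS failure is explained by the client's
# OpenSSL security level, using the per-command override from the thread.
# Usage: seclevel_triage https://host.example/

# OpenSSL reason strings raised by security-level checks. Only
# "wrong signature type" appears in the report; the others are assumed
# here to belong to the same class of failure.
SECLEVEL_ERRORS='wrong signature type|dh key too small|ee key too small|ca md too weak'

# Prints one verdict word. Returns 0 (works at default),
# 1 (works only at SECLEVEL=1), 2 (fails for another reason).
seclevel_triage() {
    url=$1

    # First attempt: distribution defaults, nothing overridden.
    if err=$(curl --silent --show-error --output /dev/null "$url" 2>&1); then
        echo "ok-at-default"
        return 0
    fi

    # Retry only when the error is one the security level can explain.
    # DNS errors, untrusted CAs or timeouts must not lead to a weaker client.
    if ! printf '%s\n' "$err" | grep -Eq "$SECLEVEL_ERRORS"; then
        echo "other-failure"
        return 2
    fi

    # Second attempt: same request, level lowered for this command only.
    if curl --silent --show-error --output /dev/null \
            --ciphers 'DEFAULT:@SECLEVEL=1' "$url" >/dev/null 2>&1; then
        echo "server-below-default-seclevel"
        return 1
    fi

    echo "other-failure"
    return 2
}
```

A verdict of `server-below-default-seclevel` points at the server's TLS configuration as the thing to fix; the override stays on one command line rather than in the system-wide OpenSSL configuration.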

Jim Campbell (jwcampbell) wrote :

Thank you, Marc. The workaround that you gave:

--ciphers 'DEFAULT:@SECLEVEL=1'

did allow him to access our internal site. We are going to see about upgrading the software behind that internal site, and work for a resolution there.

Thank you very much for your time and effort.

Steve Beattie (sbeattie)
Changed in openssl (Ubuntu):
status: New → Invalid
information type: Private Security → Public Security