apt-news security notification messages may be too vague for users who are not extremely familiar with internal Ubuntu processes

Bug #2027929 reported by Andrea Corbellini
This bug affects 21 people
Affects: ubuntu-advantage-tools (Ubuntu)
Status: Confirmed
Importance: Undecided
Assigned to: Unassigned
Milestone: (not set)

Bug Description

Recently APT has begun showing the following message to Ubuntu users:

# An OpenSSL vulnerability has recently been fixed with USN-6188-1 & 6119-1:
# CVE-2023-2650: possible DoS translating ASN.1 object identifiers.
# Ensure you have updated the package to its latest version.

While the message itself is useful, the way it is worded has several problems:

1. It includes terms like 'USN' and 'CVE', which may not be familiar terms to all users.

2. It doesn't include any links to the aforementioned USNs and CVEs. While somebody may use a search engine to find them, it would be better to provide links explicitly, both for convenience, and so that users can be sure that there's an official page that contains all the information they need to learn more about the issue.

3. Perhaps the most important point: **it doesn't tell the user how to check if their system is affected or not**. In fact, this message is shown to everyone, including people who have an up-to-date system, causing confusion, and leading people to ignore these messages in the future because they're getting used to seeing a message that requires no action.

4. It does not tell users how to patch their systems. In my opinion, "ensure you have updated the package..." makes sense only to people who know well enough how APT works, what pockets are, and how Ubuntu security updates are delivered.

5. It does not include the names of the binary packages that need to be upgraded, so the user might need some work to figure out what "the package" is. It's not obvious to everyone that libssl3 is an affected package that should be upgraded (in this specific case).

I propose that all future security warning messages like this one follow a better template that can be more informative to all command-line users, who are not necessarily Ubuntu experts.

[Filing this bug against ubuntu-advantage-tools, even though this message was produced somewhere else. Please reassign if/as needed. Although note that apt-news should perhaps gain the ability to show messages depending on installed package versions, so this bug is still relevant to ubuntu-advantage-tools.]


Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in ubuntu-advantage-tools (Ubuntu):
status: New → Confirmed
edub (e-dub) wrote :

How about something simple like saying what commands are needed?

GilgongoJones (gilgongo) wrote :

That this message shows even if the package is up to date on the system feels like a bug to me.

Grant Orndorff (orndorffgrant) wrote :

Sorry for the silence here, and thank you everyone for your feedback!

I've forwarded this feedback to the authors of the APT News message.

This is related to #2027674 where we agreed that there should be an apt-news feature to only display a message like this if the package in question is out-of-date. Let's leave this bug open to represent that.

Grant Orndorff (orndorffgrant) wrote :

I should add: Thank you especially for the considerate and well-thought-out critique of the message and suggestions on how to make it better. This is genuinely helpful and will go into making future messages better.

Tim Riker (timriker) wrote :

I think the more important issue is that the notice shows up even after the updates are installed. That should not be the case.

James Greenhalgh (jamesgreenblue) wrote (last edit ):

Completely agree with the consensus here – I found myself trying to guess which binaries to check against. Related issue is that on our 22.04.2 LTS virtual machines the output of:

~$ openssl version
OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)

...doesn't show the same version number resolution as: https://launchpad.net/ubuntu/+source/openssl

The Jammy Jellyfish (supported), OpenSSL trunk series:
3.0.2-0ubuntu1.10   security, updates (main)   2023-05-30
3.0.2-0ubuntu1      release (main)             2022-04-01

So despite apt stating `0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded` the wording of this message left me feeling uneasy that I had missed something and the message is telling me that further action is required. This ultimately led me to this launchpad discussion.

Could someone here document the commands for the wider community so that others who discover this page can feel confident that their versions of openssl and libssl3 are patched?

Daniel Andrés Silva Navarro (dsncode) wrote :

In the meantime, and for those seeking answers, what commands should we run to ensure we have the latest patch for this openssl bug?

Jimmy Jones (no9n) wrote :

I can't believe how stupid I am. I've been trying for days to find out why I can't install the latest openssl because this message continues to pop up no matter what I've done:

# An OpenSSL vulnerability has recently been fixed with USN-6188-1 & 6119-1:
# CVE-2023-2650: possible DoS translating ASN.1 object identifiers.
# Ensure you have updated the package to its latest version.

In my defense I have had an issue with a website over online credit card and purchase and it had me a little rattled. So I'm thinking this may be the reason and Ubuntu Guys are trying to tell me something here.

Maybe I should have figured out days ago that it was just a suggestion to make sure I had the latest version (which I did check from the beginning but an online forum said I had the wrong version) but I didn't even consider that until about day 4 of seeing this message and got into some serious trouble trying to fix a problem that wasn't EVER there. I took my operating system to the point of being able to boot to the purple screen with no mouse and nothing else working. I'm baaaack without reinstalling it but it's only by the grace of god. I admit, I'm very ignorant but maybe in the future we could be a little more specific with messages of this type for the stupid like me?
Thank you

Christian Ehrhardt (paelzer) wrote :

I've already filed an item when we discussed bug 2027674 to work on to make this possible by gating particular news based on a package being present and below a given version. That should eventually address this.

But for expectations, it is likely taking a while to get to it (my gut feeling says somewhen in the 24.04 cycle).

=> SC-1587
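Several comments above ask for the commands that tell you whether libssl3 is patched, and Christian's last comment describes the planned fix: gate a news item on a package being present and below a given version. The script below is an added example written for this thread; it is not code from ubuntu-advantage-tools, apt-news, or dpkg. It shows the gating logic end to end: a Debian version comparison (a reimplementation of dpkg's documented algorithm so the example runs offline; on a real system `dpkg --compare-versions` is the reference), a notice record listing the affected binary package and its fixed version, and a renderer that prints nothing when the system is already patched and otherwise names the package, the installed and fixed versions, and the check and fix commands. The notice record is constructed: the CVE and USN identifiers are the ones quoted in the thread, and 3.0.2-0ubuntu1.10 (the version James quotes from Launchpad) stands in as the "fixed" threshold only for illustration; the real threshold for a notice is whatever the USN lists.

```python
"""Gate an apt-news style security notice on the installed package version.

Added example for bug 2027929, not code from ubuntu-advantage-tools, apt-news
or dpkg. compare_versions() reimplements dpkg's documented ordering (epoch,
upstream, revision; '~' sorts before everything, including end of string) so
the example runs without dpkg; prefer `dpkg --compare-versions` in production.
"""
import subprocess

# Constructed notice. Identifiers come from the thread; the fixed version is the
# Launchpad security version quoted there, used only as an illustrative threshold.
NOTICE = {
    "title": "CVE-2023-2650: possible DoS translating ASN.1 object identifiers",
    "usn": ["USN-6188-1", "USN-6119-1"],
    "fixed": {"libssl3": "3.0.2-0ubuntu1.10"},  # binary package -> first fixed version
}


def _order(c: str) -> int:
    """Character weight dpkg uses inside non-digit runs."""
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _verrevcmp(a: str, b: str) -> int:
    """Compare two version fragments (upstream or revision) dpkg-style."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Non-digit run: weight by weight; end of string counts as 0, so '~' loses to it.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: drop leading zeros, the longer run wins, else first differing digit.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        first_diff = 0
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version: str):
    """Split 'epoch:upstream-revision' into its three parts."""
    epoch = 0
    if ":" in version:
        e, version = version.split(":", 1)
        epoch = int(e)
    revision = ""
    if "-" in version:
        version, revision = version.rsplit("-", 1)
    return epoch, version, revision


def compare_versions(v1: str, v2: str) -> int:
    """<0 if v1 sorts before v2, 0 if equal, >0 otherwise (Debian ordering)."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    if e1 != e2:
        return e1 - e2
    rc = _verrevcmp(u1, u2)
    return rc if rc else _verrevcmp(r1, r2)


def vulnerable_packages(installed: dict, notice: dict = NOTICE) -> list:
    """Listed packages that are installed below their fixed version.

    `installed` maps binary package -> installed version. A package that is not
    installed at all is not a reason to show the notice.
    """
    return sorted(pkg for pkg, fixed in notice["fixed"].items()
                  if pkg in installed and compare_versions(installed[pkg], fixed) < 0)


def render_notice(installed: dict, notice: dict = NOTICE) -> str:
    """The message to show, or "" when everything listed is already patched."""
    bad = vulnerable_packages(installed, notice)
    if not bad:
        return ""
    pkgs = " ".join(bad)
    lines = [f"# Security update available: {notice['title']}",
             f"# Advisories: {', '.join(notice['usn'])}"]
    lines += [f"# {p}: installed {installed[p]}, fixed in {notice['fixed'][p]}" for p in bad]
    lines.append(f"# Check with: dpkg -l {pkgs}")
    lines.append(f"# Fix with:   sudo apt update && sudo apt install --only-upgrade {pkgs}")
    return "\n".join(lines)


def installed_versions(packages) -> dict:
    """Ask dpkg-query for real installed versions; skips packages it cannot find."""
    found = {}
    for pkg in packages:
        try:
            out = subprocess.run(["dpkg-query", "-W", "-f=${Version}", pkg],
                                 capture_output=True, text=True, check=True).stdout
        except (OSError, subprocess.CalledProcessError):
            continue  # not installed, or not a dpkg-based system
        if out:
            found[pkg] = out
    return found


if __name__ == "__main__":
    # Constructed systems: one still on the release version, one on the security version.
    print(render_notice({"libssl3": "3.0.2-0ubuntu1"}) or "(nothing to show)")
    print(render_notice({"libssl3": "3.0.2-0ubuntu1.10"}) or "(nothing to show)")
    # The same check against this machine, if it is a dpkg system.
    print(render_notice(installed_versions(NOTICE["fixed"])) or "(nothing to show)")
```

On a Jammy machine the last call is the practical answer to the question in the thread: `dpkg -l libssl3` shows the installed version, and the notice is only worth showing when that version sorts below the one the USN names. Keeping the binary package names and the fixed version inside the notice record is what makes the gating possible at all; a free-text message like the one quoted at the top cannot be checked against anything.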
