When running:
sudo pro fix CVE-2023-0286
CVE-2023-0286: OpenSSL vulnerabilities https://ubuntu.com/security/CVE-2023-0286
2 affected source packages are installed: openssl, openssl1.0
(1/2, 2/2) openssl, openssl1.0:
A fix is available in Ubuntu standard updates.
{ apt update && apt install --only-upgrade -y libssl1.0.0 libssl1.1 openssl }
✔ CVE-2023-0286 is resolved.
The last line states that the CVE is resolved, but when checking it via apt policy, it is still the old version:
apt policy openssl
openssl:
Installed: 1.1.1-1ubuntu2.1~18.04.14
Candidate: 1.1.1-1ubuntu2.1~18.04.14
Version table:
*** 1.1.1-1ubuntu2.1~18.04.14 500
500 https://'an-outdated-ubuntu-mirror' bionic-updates/main amd64 Packages
Reason for the update not working is because the repositories the machine is subscribed to do not contain the fix.
The bug I want to file is the last line of the 'pro fix' command, being ' ✔ CVE-2023-0286 is resolved.'
This (presumably) is stated there because the apt install command successfully was able to run, but that does not mean the CVE is fixed (in this case, I had no repository in my sources.list offering the patch).
Suggestion to change that last line to: "❌ CVE-2023-0286 is not resolved."
Reason for reporting this as a security issue is the false claiming of a fixed security vulnerability.
pro version: 27.13.3-18.01.1
(expected version is 1.1.1-1ubuntu2.1~18.04.21, from the http://security.ubuntu.com/ubuntu bionic-security/main repository)