Ubuntu – How to Verify OpenSSL Version 1.1.1n on Ubuntu 18.04 Bionic


According to Ubuntu's CVE-2022-0778 this release should address the CVE. However, when I look at the OpenSSL version I can't really tell that it is 1.1.1n. I do see that it was built on Mar 9 prior to:

  • OpenSSL making the source available to the public
  • Ubuntu distro managers importing OpenSSL 1.1.1n into their repo (which may just be a public facing repo)

So, how would I know that this is truly 1.1.1n?

Ubuntu 18.04 system after upgrade

OpenSSL 1.1.1  11 Sep 2018
built on: Wed Mar  9 12:13:40 2022 UTC
platform: debian-amd64
options:  bn(64,64) rc4(16x,int) des(int) blowfish(ptr)
compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -Wall -Wa,
--noexecstack -g -O2 -fdebug-prefix-map=/build/openssl-vxXVMf/openssl-1.1.1=. 
-fstack-protector-strong -Wformat -Werror=format-security -DOPENSSL_USE_NODELETE 
-DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 
-DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM 
-DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM 
-DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DGHASH_ASM 
-DECP_NISTZ256_ASM -DX25519_ASM -DPADLOCK_ASM -DPOLY1305_ASM 
-DNDEBUG -Wdate-time -D_FORTIFY_SOURCE=2
OPENSSLDIR: "/usr/lib/ssl"
ENGINESDIR: "/usr/lib/x86_64-linux-gnu/engines-1.1"
Seeding source: os-specific

Distro Maintainer

Ubuntu Repo: https://git.launchpad.net/ubuntu/+source/openssl

Tags:

* 3b83ed56dea2b735e31731fd042b52ff869f9a97 - 
(tag: import/1.1.1n-1, origin/debian/sid) 1.1.1n-1 
(patches unapplied) (c: Wed, 16 Mar 2022 04:33:58 +0000) 
(a: Tue, 15 Mar 2022 19:46:18 +0100) <Sebastian Andrzej Siewior>

applied/1.1.1n-1
*   d4d5eeef3576b16013c48abc435c5da889cedf1b - (tag: applied/1.1.1n-1, 
origin/applied/debian/sid) 1.1.1n-1 (patches applied) 
(c: Wed, 16 Mar 2022 04:33:58 +0000) 
(a: Tue, 15 Mar 2022 19:46:18 +0100) <Sebastian Andrzej Si

Best Answer

Once a security update is in status released, the simple thing to do is apply updates: apt update && apt upgrade.

Consider implementing some kind of patch management report to confirm all hosts are updated and compliant. These range from simple scripts to products you might buy.

So, how would I know that this is truly 1.1.1n?

Ubuntu's fix for CVE-2022-0778 is not 1.1.1n. Like other stable distributions, they have a habit of backporting only the specific fix to their chosen version. Read the table again, and notice that bionic is openssl 1.1.1-1ubuntu2.1~18.04.15. The funny-looking version string appended at the end is important; it indicates which build.

built on Mar 9 prior to openssl making the source available to the public

It takes time to build and test software. Ubuntu, like other distros, is on a list to get notified prior to general announcement. This reduces the time users are exposed to flaws.

A build date is a good sanity check that you have the required patch level, but realize it is possible to be built before upstream's announcement without needing a time machine.

Ubuntu distro managers importing openssl 1.1.1n into their repo (which may just be a public facing repo)

Beware making conclusions about what in version control actually goes into a fix for your version. Based on the branch names, that probably has to do with Ubuntu comparing to Debian sid or upstream releases. Not bionic.

Refer to the security advisory.
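The answer's point is that the thing to check is the Ubuntu package version string (1.1.1-1ubuntu2.1~18.04.15 for bionic, per the advisory table the answer cites), not the version banner OpenSSL prints. The following is an added example, not code from the original question or answer: a Python re-implementation of dpkg's version ordering (epoch, upstream, Debian revision, with `~` sorting before everything) applied to constructed `dpkg-query` output collected from several hosts, which is also a minimal form of the patch-management report the answer suggests. The hostnames, the tab-separated report format and the package names `libssl1.1` and `openssl` are assumptions of this example; the fixed version comes from the answer.

```python
"""Check installed Ubuntu package versions against the advisory's fixed
version using dpkg's own version-ordering rules (added example)."""

from typing import Dict, List, Tuple

# Fixed version for bionic, taken from the answer above. Both binary
# packages come from the same source package, so both carry this version.
# The package names themselves are an assumption of this example.
FIXED_VERSIONS = {
    "libssl1.1": "1.1.1-1ubuntu2.1~18.04.15",
    "openssl": "1.1.1-1ubuntu2.1~18.04.15",
}

# Constructed sample report: what a collector script would gather by running
# dpkg-query -W -f='${Package}\t${Version}\n' on each host and prefixing
# the hostname. Real hostnames and versions will differ.
SAMPLE_REPORT = """\
web1\tlibssl1.1\t1.1.1-1ubuntu2.1~18.04.15
web1\topenssl\t1.1.1-1ubuntu2.1~18.04.15
web2\tlibssl1.1\t1.1.1-1ubuntu2.1~18.04.14
web2\topenssl\t1.1.1-1ubuntu2.1~18.04.14
db1\tlibssl1.1\t1.1.1-1ubuntu2.1~18.04.15
"""


def _order(c: str) -> int:
    """Weight of one character in a non-digit run, as dpkg defines it:
    '~' sorts before anything (even end of string, which weighs 0),
    letters sort before non-letters."""
    if c == "" or c.isdigit():
        return 0
    if c == "~":
        return -1
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a: str, b: str) -> int:
    """Compare two version fragments like dpkg's verrevcmp():
    alternate non-digit runs (lexical, with _order) and digit runs (numeric)."""
    while a or b:
        first_diff = 0
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            ac, bc = _order(a[:1]), _order(b[:1])
            if ac != bc:
                return ac - bc
            a, b = a[1:], b[1:]
        a, b = a.lstrip("0"), b.lstrip("0")  # leading zeros are insignificant
        while a and b and a[0].isdigit() and b[0].isdigit():
            if not first_diff:
                first_diff = int(a[0]) - int(b[0])
            a, b = a[1:], b[1:]
        if a and a[0].isdigit():   # a has more digits: it is the larger number
            return 1
        if b and b[0].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version: str) -> Tuple[int, str, str]:
    """Split '[epoch:]upstream[-revision]' into its three parts."""
    epoch = 0
    if ":" in version:
        head, version = version.split(":", 1)
        epoch = int(head)
    upstream, sep, revision = version.rpartition("-")
    if not sep:                      # no Debian revision at all
        upstream, revision = revision, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Negative, zero or positive, matching `dpkg --compare-versions a lt|eq|gt b`."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return ea - eb
    return _verrevcmp(ua, ub) or _verrevcmp(ra, rb)


def parse_report(text: str) -> List[Tuple[str, str, str]]:
    """Parse 'host<TAB>package<TAB>version' lines (constructed format)."""
    return [tuple(line.split("\t")) for line in text.splitlines() if line.strip()]


def compliance(text: str, required: Dict[str, str] = FIXED_VERSIONS) -> Dict[str, List[str]]:
    """Map each host to the packages still below the required version
    (an empty list means the host is compliant for the packages it reported)."""
    findings: Dict[str, List[str]] = {}
    for host, pkg, ver in parse_report(text):
        if pkg not in required:
            continue
        findings.setdefault(host, [])
        if compare_versions(ver, required[pkg]) < 0:
            findings[host].append(f"{pkg} {ver} < {required[pkg]}")
    return findings


if __name__ == "__main__":
    for host, problems in sorted(compliance(SAMPLE_REPORT).items()):
        print(host, "OK" if not problems else "NEEDS UPDATE: " + "; ".join(problems))
```

On a real bionic host the same check is a one-liner with the tools the answer implies: `dpkg-query -W -f='${Package}\t${Version}\n' libssl1.1 openssl` shows the installed build, and `dpkg --compare-versions "$installed" ge 1.1.1-1ubuntu2.1~18.04.15` gives the verdict. Note in the comparison rules why the `~18.04.15` suffix matters: a tilde sorts below the version without it, so `1.1.1-1ubuntu2.1~18.04.15` is older than a hypothetical `1.1.1-1ubuntu2.1`, and `1.1.1n-1` from Debian sid compares as newer than either while saying nothing about whether bionic's build carries the fix.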
