5

In light of the current security issues with openssl 1.1.1x we had to upgrade our (Ubuntu) systems from source, as apt only showed that the latest openssl (1.1.1f) was the newest.

UPDATE CVE-2022-0778

After running sudo apt update/upgrade, openssl was still version 1.1.1f, which is vulnerable - at least on Ubuntu 20.04.

  • I’m not sure how better to explain it, beyond what I wrote in my answer; but Ubuntu’s openssl will still say it is 1.1.1f, even though it has the security fixes for CVE-2022-0778. If dpkg -l libssl1.1 reports version 1.1.1f-1ubuntu2.12, you’re fine. – Stephen Kitt Mar 22 '22 at 17:20
  • Some of our systems are arm64 and report ii libssl1.1:arm64 1.1.1-1ubuntu2.1~1 arm64 after updating - this one is running 18.04 - do you think this is safe? – richardwhitney Mar 22 '22 at 18:05
  • See the security notice I linked to in my answer, it lists all the fixed versions in still-supported Ubuntu releases — libssl1.1 1.1.1-1ubuntu2.1~18.04.15 for 18.04. Your output is truncated, but you should be safe. – Stephen Kitt Mar 22 '22 at 18:09

2 Answers

7

As root (or use sudo):

$ sudo su
# cd /usr/src
# wget https://www.openssl.org/source/openssl-3.0.2.tar.gz
# tar zxvf openssl-3.0.2.tar.gz
# cd openssl-3.0.2
# ./Configure
# make
# make install

If you have an old version of OpenSSL installed, you may have to do:

# cd /usr/lib/ssl
# unlink openssl.cnf
# ln -s /usr/local/ssl/openssl.cnf openssl.cnf
# ldconfig
# openssl version

If you see OpenSSL 3.0.2, it was successful.

Otherwise, if you receive an error that openssl could not be found or something similar,

and you have an x86_64 architecture:

# ldconfig /usr/local/lib64
  • Beware the version change may not be reflected in the "openssl version" command at a bash shell prompt due to shell cache. To clear the shell's cache, use the hash -r command. – Linux Beginner Sep 27 '22 at 06:13
  • or sudo reboot then followed by the last line above ldconfig /usr/local/lib64 – Laenka-Oss Oct 01 '22 at 21:06
3

Even though the versions of OpenSSL in Ubuntu correspond to older versions, they are patched to include fixes for known security issues.

For example, in 20.04 (the latest LTS):

openssl (1.1.1f-1ubuntu2.12) focal-security; urgency=medium
  • SECURITY UPDATE: Infinite loop in BN_mod_sqrt()
    • debian/patches/CVE-2022-0778-1.patch: fix infinite loop in crypto/bn/bn_sqrt.c.
    • debian/patches/CVE-2022-0778-2.patch: add documentation of BN_mod_sqrt() in doc/man3/BN_add.pod.
    • debian/patches/CVE-2022-0778-3.patch: add a negative testcase for BN_mod_sqrt in test/bntest.c, test/recipes/10-test_bn_data/bnmod.txt.
    • CVE-2022-0778

In 21.10 (the latest release):

openssl (1.1.1l-1ubuntu1.2) impish-security; urgency=medium
  • SECURITY UPDATE: Infinite loop in BN_mod_sqrt()
    • debian/patches/CVE-2022-0778-1.patch: fix infinite loop in crypto/bn/bn_sqrt.c.
    • debian/patches/CVE-2022-0778-2.patch: add documentation of BN_mod_sqrt() in doc/man3/BN_add.pod.
    • debian/patches/CVE-2022-0778-3.patch: add a negative testcase for BN_mod_sqrt in test/bntest.c, test/recipes/10-test_bn_data/bnmod.txt.
    • CVE-2022-0778

See also the corresponding security notice.

On supported releases of Ubuntu (and other distributions), you shouldn’t ever need to build software yourself to address security issues, as long as you keep your installations updated.

Stephen Kitt
  • 434,908