Ubuntu – How do new package versions find their way to the LTS distribution? (Current example: OpenSSL)

18.04opensslpackage-managementupdatesupgrade

I'm running several Ubuntu 18.04 machines all of which need OpenSSL.

Recently, OpenSSL reported a security problem: https://www.openssl.org/news/secadv/20200421.txt (CVE-2020-1967).

I did install OpenSSL via the Ubuntu standard packages, no custom package sources here nor did I compile it myself.
So, since this is the case and since I'm using a currently maintained LTS distribution (18.04 as mentioned), I assumed that running apt update and apt upgrade would be sufficient to get the latest updates and be safe from that vulnerability. But, no. Obviously, it is more complicated.

According to https://launchpad.net/ubuntu/+source/openssl there is an OpenSSL package version for Ubuntu which reacts to the aforementioned CVE-2020-1967. However, it still contains 1.1.1f in its version name, whereas the OpenSSL version where the problem is fixed is actually 1.1.1g (according to their advice).
And, more important: That package is only for Focal Fossa (20.04).

So, I thought I take the chance to learn a few things about the internals of Ubuntu and how package version make their way to my computer:

How come that new packages are only created for newer LTS
distributions and older ones are left vulnerable?
How does that process work in general?
What is the average time between a vulnerability being publicly
announced and patched packages being available via apt upgrade?

Best Answer

How come that new packages are only created for newer LTS distributions and older ones are left vulnerable? is simply FALSE, and let's show you how you can determine that for yourself:

First, Let's take a look at the Ubuntu CVE Tracker.

Key in your CVE number, and you will see:

The Ubuntu Security Team has already worked this issue.
Some Ubuntu releases required new packages, others did not.
The tracker includes the exact package version with the fix.

Second, lots of folks get confused by the Debian/Ubuntu concept of a snapshot release model. Under this model, the software in a single release (like 19.10 or 20.04) is NOT incremented by new releases...even most security releases.

Exceptions: There are a few exceptions, like web browsers, that always get the newest versions on older releases.

HOWEVER, "not incremented" doesn't mean "not fixed". Lots of packages get security patches after release without being upgraded to a new version. Let's say that again: Users are encouraged to update to newer packages because most users don't have the skill or patience to patch and recompile a package. Distros like Ubuntu, however, have engineers who do have that skill and patience.

It's risk management: Newer packages may introduce bugs and haven't been tested with the release, so most packages are patched instead.

Finally, let's build on those two elements and let's take a look at the example of OpenSSL in CVE-2020-1967:

The Ubuntu Security Team evaluated the vulnerability in six different releases of Ubuntu. The vulnerability was present in one of those releases.
The upstream release (for users) is version 1.1.1g
The Security Team patched the vulnerability in 20.04's package 1.1.1f. Since they added a patch instead of merging the new upstream release, they couldn't claim it was 1.1.1f anymore, nor was it 1.1.1g. It was something else, so it's called 1.1.1f-1ubuntu2. Note that the '2' in 'ubuntu2' indicates this is the third patch of that package since it came from upstream.
That labeling scheme for patches isn't accidental - it's carefully designed so you can see at a glance how many patches came from Debian, and how many from Ubuntu. Also, it's still alphanumerically sortable so apt will always correctly identify the highest version to install.
Finally, after review and testing, the patched package openssl 1.1.1f-1ubuntu2 was uploaded to 20.04 (Focal) before release. Had the patch occurred after release, it would be in the focal-security repository. This is one reason it's important to keep the -security repo in your sources, and to keep Unattended Upgrades active.

NOTES:

Wily Werewolf (15.10) has already reached End of Life and no longer supported. If you are running this version, I strongly suggest you upgrade.
linux-lts-saucy kernel version appears that it doesn't have that vulnerability . That's version 3.11.0-26.45-precise1 . I would suggest any 3.11.x version, but this is still not ideal ; newer versions are preferable.
Tracking linux in the tracker for this CVE for a given release will track the base kernel shipped in that release. Tracking linux-lts-* in the tracker for this CVE will track an HWE kernel, available only in LTS editions which get HWE updates. Until all of them are "released" or "fixed", for all Source packages and all relevant distributions on the Tracker, you are not going to be able to 'avoid' the CVE.

Ubuntu – How to install OpenSSL 1.1.1 and libSSL package

In fact your question was duplicate and the same question already appeared in Upgrade openssl 1.1.0 to 1.1.1 in Ubuntu 18.04.

As already answered by @Kevin Bowen, openssl 1.1.1 is not in the current Ubuntu repositories, you will need to download, compile, and install the latest OpenSSL version manually.

The same thing I too suggested in the beginning in comments section. My favorite is always to install in /opt, so I suggested that too in comments section.

If you don't want to do, then you will be stuck for ever!

What is OpenSSL?

OpenSSL is a command line cryptography toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) network protocols and related cryptography standards required by them.

Most network communication apps and tools that use TLS / SSL protocols may have some OpenSSL tools installed in them. If you’re going to be using applications and packages that depend on the latest versions of OpenSSL, you may have to manually install it on Ubuntu systems.

OpenSSL relies on two important libraries that are part of the OpenSSL project:

libssl provides the client and server-side implementations for SSLv3 and TLS.

libcrypto provides general cryptographic and X.509 support needed by SSL/TLS but not logically part of it

The default toolket of OpenSSL that comes with Ubuntu isn’t the latest. To get the latest, you must download it yourself and install.

Guide to install the latest version of openssl 1.1.1b on Ubuntu 18.04.

Step 1 : Download openssl 1.1.1b

Download the latest openssl 1.1.1b release from from Ubuntu source package….

OpenSSL Cryptography and SSL/TLS Toolkit

Figure-1: Download openssl 1.1.1b

You can also easily install openssl 1.1.1b package by running the commands below…

wget https://www.openssl.org/source/openssl-1.1.1b.tar.gz

Step 2 : Install Openssl from the tar.gb package

Now create /opt/openssl directory:

$ sudo mkdir /opt/openssl Figure-2: Create folder for openssl under /opt directory.

Now that you’ve downloaded the correct archive package for your system into ~/Downloads folder, run the following commands to install Openssl.

$ sudo tar xfvz ~/Downloads/openssl-1.1.1b.tar.gz --directory /opt/openssl

Figure-3: Extraction into /opt/openssl is complete.

$ perl --version Figure-4: Perl version.

Export LD_LIBRARY_PATH environment variable with the following value:

$ export LD_LIBRARY_PATH=/opt/openssl/lib

Verify that LD_LIBRARY_PATH is set with correct value by this command:

$ echo $LD_LIBRARY_PATH

Figure-5: Value of environment variable LD_LIBRARY_PATH is /opt/openssl/lib.

Issue the config commands:

 $ cd /opt/openssl/openssl-1.1.1b
 $ sudo ./config --prefix=/opt/openssl --openssldir=/opt/openssl/ssl

Figure-6: config command

Next, issue make command:

$ sudo make

Issue make test command to check for possible errors:

$ sudo make test

Figure-7: Bingo! All tests successful.

Issue make install commands:

$ sudo make install

Where is openssl binary being located?

Issue the following commands:

$ sudo updatedb                              # rebuild library cache
$ locate openssl | grep /opt/openssl/bin

Figure-8: Locate openssl binary.

The directory /usr/bin also has openssl binary which is an earler version. The presence of this unwanted openssl binary /usr/bin/openssl is going to cause us trouble, so we have to check this out!

Issue the following commands in order to tackle /usr/bin/openssl binary:

$ cd /usr/bin
$ ls -l openssl
$ sudo mv openssl openssl.old       # rename earlier version openssl to openssl.old

Figure-9: Rename earlier version of openssl binary to openssl.old.

Step 3 : Setup PATH environment variable

Openssl needs to set PATH environment variables which is to be set as shown below.

Create a file called openssl.sh under /etc/profile.d/ directory.

$ sudo touch /etc/profile.d/openssl.sh
$ sudo vi /etc/profile.d/openssl.sh

Add the following contents:

#!/bin/sh
export PATH=/opt/openssl/bin:${PATH}
export LD_LIBRARY_PATH=/opt/openssl/lib:${LD_LIBRARY_PATH}

Save and close the file. Make it executable using the following command.

$ sudo chmod +x /etc/profile.d/openssl.sh

Then, set the environment variables permanently by running the following command:

 $ source /etc/profile.d/openssl.sh

Log out or reboot your system.

Now, check the PATH environment variable:

$ echo $PATH

Figure-10: PATH envirnement variable having /opt/openssl/bin directory

$ which openssl Figure-11: The binary 'openssl' is under '/opt/openssl/bin' directory

Now, check the openssl version using command:

$ openssl version

Figure-12: openssl latest version

Now, check the openssl version using command line tool:

$ openssl

Figure-13: Check version through 'openssl' command line.

What will happen if LD_LIBRARY_PATH is not properly set?

$ openssl

Figure-14: Error thrown by 'openssl' command line when 'LD_LIBRARY_PATH' is not properly set.

As decribed by Step-3, you must set LD_LIBRARY_PATH to correct value which is /opt/openssl/lib

$ export LD_LIBRARY_PATH=/opt/openssl/lib:$LD_LIBRARY_PATH

Summary:

This method downloads, extracts, compiles, and installs the latest OpenSSL version 1.1.1b manually.

Best Answer

Related Solutions

Ubuntu – Are the systems vulnerable from CVE-2016-5696

NOTES:

Ubuntu – How to install OpenSSL 1.1.1 and libSSL package

Related Question