I'm running several Ubuntu 18.04 machines all of which need OpenSSL.
Recently, OpenSSL reported a security problem: https://www.openssl.org/news/secadv/20200421.txt (CVE-2020-1967).
I did install OpenSSL via the Ubuntu standard packages, no custom package sources here nor did I compile it myself.
So, since this is the case and since I'm using a currently maintained LTS distribution (18.04 as mentioned), I assumed that running apt update and apt upgrade would be sufficient to get the latest updates and be safe from that vulnerability. But, no. Obviously, it is more complicated.
According to https://launchpad.net/ubuntu/+source/openssl there is an OpenSSL package version for Ubuntu which reacts to the aforementioned CVE-2020-1967. However, it still contains 1.1.1f in its version name, whereas the OpenSSL version where the problem is fixed is actually 1.1.1g (according to their advice).
And, more importantly: that package is only for Focal Fossa (20.04).
So, I thought I'd take the chance to learn a few things about the internals of Ubuntu and how package versions make their way to my computer:
- How come that new packages are only created for newer LTS distributions and older ones are left vulnerable?
- How does that process work in general?
- What is the average time between a vulnerability being publicly announced and patched packages being available via
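A check that addresses the version confusion in the question, added here as an example and not part of the original post: Ubuntu backports security fixes into the existing package version, so the fix for a CVE is found by looking for the CVE id in the package changelog, not by comparing the "1.1.1f" in the package name against upstream's "1.1.1g". The changelog text and package versions below are constructed for illustration; the real changelog is printed by `apt-get changelog openssl`.

```shell
#!/bin/sh
# Ubuntu security updates keep the upstream version (e.g. 1.1.1f) and add a
# Debian revision; the changelog entry names the CVE that was backported.
# CONSTRUCTED sample changelog (newest entry first, as in a real changelog).
# Versions, dates and maintainer are placeholders, not the real package data.
SAMPLE_CHANGELOG='openssl (1.1.1f-1ubuntuX) focal; urgency=medium

  * SECURITY UPDATE: constructed entry describing the backported fix
    - CVE-2020-1967

 -- Example Maintainer <maint@example.invalid>  Tue, 21 Apr 2020 12:00:00 +0000

openssl (1.1.1f-1ubuntu1) focal; urgency=medium

  * Earlier, unrelated change (constructed entry)

 -- Example Maintainer <maint@example.invalid>  Wed, 01 Apr 2020 12:00:00 +0000
'

# fixing_version CVE-ID  (changelog on stdin)
# Prints the oldest package version whose changelog entry mentions the CVE,
# i.e. the first version that carries the fix. Exit status 1 if not mentioned.
fixing_version() {
    awk -v cve="$1" '
        # an entry header looks like: pkgname (version) series; urgency=...
        /^[a-z0-9.+-]+ \(/ { v = $2; gsub(/[()]/, "", v) }
        # entries are newest first, so keep overwriting to end at the oldest
        index($0, cve)     { found = v }
        END { if (found) { print found; exit 0 }; exit 1 }
    '
}

# fix_applied CVE-ID INSTALLED-VERSION  (changelog on stdin)
# Exit 0 when the installed version is at or above the first fixing version.
# Uses dpkg version ordering, so 1.1.1f-1ubuntu2 correctly sorts above
# 1.1.1f-1ubuntu1 even though the upstream part is identical.
fix_applied() {
    fixed=$(fixing_version "$1") || return 1
    dpkg --compare-versions "$2" ge "$fixed"
}

# Stand-alone demonstration on the constructed changelog:
printf '%s' "$SAMPLE_CHANGELOG" | fixing_version CVE-2020-1967

# On a real Ubuntu machine (needs network access for the changelog download):
#   installed=$(dpkg-query -W -f='${Version}' openssl)
#   apt-get changelog openssl | fix_applied CVE-2020-1967 "$installed" \
#       && echo "fix present" || echo "fix NOT present"
```

Note that `apt-get changelog` shows the changelog of the candidate version from the configured repositories, so run it after `apt update` to see whether a fix has been published for your release at all.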