[Touch-packages] [Bug 1908733] Re: CVE-2020-1971 OpenSSL package upgrade issue

2020-12-23 Thread Olexandr
Hello,

I know it might look as if I replaced the Ubuntu OpenSSL packages with
Ondrej's OpenSSL package. But I didn't. And here is a big problem for a
lot of people. Please see the link:
https://github.com/oerdnj/deb.sury.org/issues/1512

When a regular user of Ubuntu 18.04 LTS wants to install PHP7.4, pretty much
the only way is to add ppa:ondrej/php and after that install PHP7.4. But
after ppa:ondrej/php is added, for some reason it replaces the Ubuntu OpenSSL
packages with Ondrej's OpenSSL packages.

A lot of guides on the Internet describe how to install PHP7.4 via
"ppa:ondrej/php", so I believe this issue affects a lot of
people/companies which run public-facing webservers with PHP7.4 and
Ubuntu 18.04.

I would be really grateful if someone with expertise and knowledge could
check the GitHub link (https://github.com/oerdnj/deb.sury.org/issues/1512)
and advise (or just post their thoughts) about this situation.

Thank you.

** Bug watch added: github.com/oerdnj/deb.sury.org/issues #1512
   https://github.com/oerdnj/deb.sury.org/issues/1512

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1908733

Title:
  CVE-2020-1971 OpenSSL package upgrade issue

Status in openssl package in Ubuntu:
  Invalid

Bug description:
  Hello,

  I have tested it on 4 virtual machines (details below):

  # uname -a
  Linux web2 4.15.0-128-generic #131-Ubuntu SMP Wed Dec 9 06:57:35 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

  # lsb_release -rd
  Description:    Ubuntu 18.04.5 LTS
  Release:        18.04

  $ apt-cache policy openssl
  openssl:
    Installed: 1.1.1g-1+ubuntu18.04.1+deb.sury.org+1
    Candidate: 1.1.1g-1+ubuntu18.04.1+deb.sury.org+1
    Version table:
   *** 1.1.1g-1+ubuntu18.04.1+deb.sury.org+1 500
          500 http://ppa.launchpad.net/ondrej/apache2/ubuntu bionic/main amd64 Packages
          100 /var/lib/dpkg/status
       1.1.1g-1+ubuntu18.04.1+deb.sury.org+1 500
          500 http://ppa.launchpad.net/ondrej/php/ubuntu bionic/main amd64 Packages
       1.1.1-1ubuntu2.1~18.04.7 500
          500 http://il.archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages
          500 http://security.ubuntu.com/ubuntu bionic-security/main amd64 Packages
       1.1.0g-2ubuntu4 500
          500 http://il.archive.ubuntu.com/ubuntu bionic/main amd64 Packages


  My OpenSSL version is: openssl 1.1.1g-1+ubuntu18.04.1+deb.sury.org+1

  I wanted to install the patch to fix "CVE-2020-1971" on my virtual
  machines. But I found the following issue: there is an article
  (https://ubuntu.com/security/CVE-2020-1971) with the package name
  (version) where the "CVE-2020-1971" issue is fixed -->
  "1.1.1-1ubuntu2.1~18.04.7".

  The normal (expected?) behaviour for me (in my case) is to do the following:

  sudo apt update
  sudo apt upgrade

  After this, all packages in my system should be upgraded to the latest
  versions.

  But in fact the OpenSSL package remained the same:
  1.1.1g-1+ubuntu18.04.1+deb.sury.org+1

  When I check:

  $ apt list openssl
  Listing... Done
  openssl/bionic,now 1.1.1g-1+ubuntu18.04.1+deb.sury.org+1 amd64 [installed]
  N: There are 3 additional versions. Please use the '-a' switch to see them.

  $ apt list openssl -a
  Listing... Done
  openssl/bionic,now 1.1.1g-1+ubuntu18.04.1+deb.sury.org+1 amd64 [installed]
  openssl/bionic 1.1.1g-1+ubuntu18.04.1+deb.sury.org+1 amd64
  openssl/bionic-updates,bionic-security 1.1.1-1ubuntu2.1~18.04.7 amd64
  openssl/bionic 1.1.0g-2ubuntu4 amd64

  OK, let's install the latest package --> 1.1.1-1ubuntu2.1~18.04.7:

  sudo apt install openssl=1.1.1-1ubuntu2.1~18.04.7

  And here I receive the following:

  Reading package lists... Done
  Building dependency tree
  Reading state information... Done
  The following packages will be DOWNGRADED:
    openssl
  0 upgraded, 0 newly installed, 1 downgraded, 0 to remove and 0 not upgraded.
  Need to get 614 kB of archives.
  After this operation, 132 kB disk space will be freed.
  Do you want to continue? [Y/n] yn
  Get:1 http://il.archive.ubuntu.com/ubuntu bionic-updates/main amd64 openssl amd64 1.1.1-1ubuntu2.1~18.04.7 [614 kB]
  Fetched 614 kB in 0s (1,367 kB/s)
  dpkg: warning: downgrading openssl from 1.1.1g-1+ubuntu18.04.1+deb.sury.org+1 to 1.1.1-1ubuntu2.1~18.04.7

  Is this correct behavior? Why is the newest version (mentioned in
  https://ubuntu.com/security/CVE-2020-1971) considered a DOWNGRADE?

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1908733/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-pack
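The "downgrade" in the report above is a consequence of how dpkg orders version strings, not of which build is newer or safer: the PPA build's upstream version "1.1.1g" sorts above Ubuntu's "1.1.1" (a trailing letter outranks end-of-string), so apt will never move from the deb.sury.org package to the bionic-security build on its own, and the CVE-2020-1971 fix stays uninstalled until the PPA ships one. The following is an added example, not code from the thread, from Ubuntu or from deb.sury.org: a Python port of the comparison rules in deb-version(7), plus a check that parses `apt-cache policy` output and flags exactly this state. The regex for official archives and the abridged sample policy text are assumptions constructed from the output quoted in the report.

```python
"""Added example, not part of the Launchpad thread: a Python port of the dpkg
version-comparison rules from deb-version(7), plus a check over `apt-cache policy`
output for a third-party build whose version outranks every official Ubuntu one."""
import re
from functools import cmp_to_key
from typing import List, Tuple


def _order(c: str) -> int:
    """dpkg's character weight: '~' < end-of-string/digit < letters < other."""
    if c == "~":
        return -1
    if c == "" or c.isdigit():
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256


def _cmp_fragment(a: str, b: str) -> int:
    """Compare one upstream_version or debian_revision like dpkg's verrevcmp()."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: compare character weights position by position.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i, j = min(i + 1, len(a)), min(j + 1, len(b))
        # Digit run: numeric comparison, leading zeros ignored.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and j < len(b) and a[i].isdigit() and b[j].isdigit():
            first_diff = first_diff or ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if i < len(a) and a[i].isdigit():
            return 1  # a's number has more digits, so it is larger
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(v: str) -> Tuple[int, str, str]:
    """Split [epoch:]upstream_version[-debian_revision]; missing parts default to 0 / ''."""
    epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
    upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1, matching `dpkg --compare-versions a lt|eq|gt b`."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return 1 if ea > eb else -1
    for r in (_cmp_fragment(ua, ub), _cmp_fragment(ra, rb)):
        if r:
            return 1 if r > 0 else -1
    return 0


# Assumption: official archives are *.archive.ubuntu.com / security.ubuntu.com; a PPA is not.
OFFICIAL_ARCHIVE = re.compile(r"^https?://([a-z0-9.-]+\.)?(archive|security)\.ubuntu\.com/ubuntu")


def parse_policy(text: str) -> List[Tuple[str, List[str], bool]]:
    """Parse the 'Version table' of `apt-cache policy <pkg>` into (version, origins, installed)."""
    entries: List[Tuple[str, List[str], bool]] = []
    in_table = False
    for tokens in (line.split() for line in text.splitlines()):
        if tokens[:2] == ["Version", "table:"]:
            in_table = True
        elif not in_table or not tokens:
            continue
        elif tokens[0].isdigit():  # "500 http://... Packages": an origin of the previous version
            entries[-1][1].append(tokens[1])
        else:  # "*** <version> <prio>" marks the installed version
            installed = tokens[0] == "***"
            entries.append((tokens[1] if installed else tokens[0], [], installed))
    return entries


def masked_security_update(policy_text: str) -> dict:
    """Installed version, newest official version, and whether apt would call it a downgrade."""
    entries = parse_policy(policy_text)
    installed = next(v for v, _, inst in entries if inst)
    official = [v for v, origins, _ in entries if any(map(OFFICIAL_ARCHIVE.match, origins))]
    best = max(official, key=cmp_to_key(compare_versions)) if official else None
    return {"installed": installed, "best_official": best,
            "masked": best is not None and compare_versions(best, installed) < 0}


# Constructed (abridged) from the `apt-cache policy openssl` output quoted in the report.
SAMPLE_POLICY = """\
openssl:
  Version table:
 *** 1.1.1g-1+ubuntu18.04.1+deb.sury.org+1 500
        500 http://ppa.launchpad.net/ondrej/php/ubuntu bionic/main amd64 Packages
        100 /var/lib/dpkg/status
     1.1.1-1ubuntu2.1~18.04.7 500
        500 http://il.archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu bionic-security/main amd64 Packages
     1.1.0g-2ubuntu4 500
        500 http://il.archive.ubuntu.com/ubuntu bionic/main amd64 Packages
"""
```

Running `masked_security_update(SAMPLE_POLICY)` reports the PPA version as installed, `1.1.1-1ubuntu2.1~18.04.7` as the best official build, and `masked` set to True. The same comparison can be confirmed on a real system with `dpkg --compare-versions 1.1.1g-1+ubuntu18.04.1+deb.sury.org+1 gt 1.1.1-1ubuntu2.1~18.04.7 && echo PPA sorts higher`; feeding the real `apt-cache policy openssl` output to the check is a cheap way to audit a fleet for packages whose security updates are being shadowed by a third-party archive.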

[Touch-packages] [Bug 1908733] Re: CVE-2020-1971 OpenSSL package upgrade issue

2020-12-22 Thread Seth Arnold
Hello, you've replaced the Ubuntu OpenSSL packages with Ondrej's OpenSSL
packages. You can ask him if he has performed the corresponding update
yet: https://github.com/oerdnj/deb.sury.org

Thanks

** Information type changed from Private Security to Public Security

** Changed in: openssl (Ubuntu)
   Status: New => Invalid

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp