Hello,
I know, it might look as if I replaced the Ubuntu OpenSSL packages with
Ondrej's OpenSSL package. But I didn't. And here is a big problem for a
lot of people. Please see the link:
https://github.com/oerdnj/deb.sury.org/issues/1512
When a regular user of Ubuntu 18.04 LTS wants to install PHP7.4, pretty much
the only way is to add ppa:ondrej/php and after that install PHP7.4. But
after ppa:ondrej/php is added, for some reason it replaces the Ubuntu OpenSSL
packages with Ondrej's OpenSSL packages.
A lot of guides on the Internet describe how to install PHP7.4 via
"ppa:ondrej/php", so I believe this issue affects a lot of
people/companies that run public-facing webservers with PHP7.4 and
Ubuntu 18.04.
I would be really grateful if someone with expertise and knowledge could
check the GitHub link (https://github.com/oerdnj/deb.sury.org/issues/1512)
and advise (or just post their thoughts) about this situation.
Thank you.
** Bug watch added: github.com/oerdnj/deb.sury.org/issues #1512
https://github.com/oerdnj/deb.sury.org/issues/1512
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1908733
Title:
CVE-2020-1971 OpenSSL package upgrade issue
Status in openssl package in Ubuntu:
Invalid
Bug description:
Hello,
I have tested it on 4 virtual machines (details below):
# uname -a
Linux web2 4.15.0-128-generic #131-Ubuntu SMP Wed Dec 9 06:57:35 UTC 2020
x86_64 x86_64 x86_64 GNU/Linux
# lsb_release -rd
Description:    Ubuntu 18.04.5 LTS
Release:        18.04
$ apt-cache policy openssl
openssl:
Installed: 1.1.1g-1+ubuntu18.04.1+deb.sury.org+1
Candidate: 1.1.1g-1+ubuntu18.04.1+deb.sury.org+1
Version table:
*** 1.1.1g-1+ubuntu18.04.1+deb.sury.org+1 500
500 http://ppa.launchpad.net/ondrej/apache2/ubuntu bionic/main amd64 Packages
100 /var/lib/dpkg/status
1.1.1g-1+ubuntu18.04.1+deb.sury.org+1 500
500 http://ppa.launchpad.net/ondrej/php/ubuntu bionic/main amd64 Packages
1.1.1-1ubuntu2.1~18.04.7 500
500 http://il.archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages
500 http://security.ubuntu.com/ubuntu bionic-security/main amd64 Packages
1.1.0g-2ubuntu4 500
500 http://il.archive.ubuntu.com/ubuntu bionic/main amd64 Packages
My OpenSSL version is: openssl 1.1.1g-1+ubuntu18.04.1+deb.sury.org+1
I wanted to install the patch to fix "CVE-2020-1971" on my virtual
machines. But I found the following issue: there is an article (
https://ubuntu.com/security/CVE-2020-1971) with the package name
(version) where the "CVE-2020-1971" issue is fixed -->
"1.1.1-1ubuntu2.1~18.04.7".
The normal (expected?) behaviour for me (in my case) is to do the following:
sudo apt update
sudo apt upgrade
After this, all packages in my system should be upgraded to the latest
versions.
But in fact the OpenSSL package remained the same:
1.1.1g-1+ubuntu18.04.1+deb.sury.org+1
When I check:
$ apt list openssl
Listing... Done
openssl/bionic,now 1.1.1g-1+ubuntu18.04.1+deb.sury.org+1 amd64 [installed]
N: There are 3 additional versions. Please use the '-a' switch to see them.
$ apt list openssl -a
Listing... Done
openssl/bionic,now 1.1.1g-1+ubuntu18.04.1+deb.sury.org+1 amd64 [installed]
openssl/bionic 1.1.1g-1+ubuntu18.04.1+deb.sury.org+1 amd64
openssl/bionic-updates,bionic-security 1.1.1-1ubuntu2.1~18.04.7 amd64
openssl/bionic 1.1.0g-2ubuntu4 amd64
OK, let's install the latest package --> 1.1.1-1ubuntu2.1~18.04.7:
sudo apt install openssl=1.1.1-1ubuntu2.1~18.04.7
And here I receive the following:
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages will be DOWNGRADED:
openssl
0 upgraded, 0 newly installed, 1 downgraded, 0 to remove and 0 not upgraded.
Need to get 614 kB of archives.
After this operation, 132 kB disk space will be freed.
Do you want to continue? [Y/n] yn
Get:1 http://il.archive.ubuntu.com/ubuntu bionic-updates/main amd64 openssl amd64 1.1.1-1ubuntu2.1~18.04.7 [614 kB]
Fetched 614 kB in 0s (1,367 kB/s)
dpkg: warning: downgrading openssl from 1.1.1g-1+ubuntu18.04.1+deb.sury.org+1 to 1.1.1-1ubuntu2.1~18.04.7
Is this correct behavior? Why is the newest version (mentioned in
https://ubuntu.com/security/CVE-2020-1971) considered a DOWNGRADE?
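The dpkg warning above follows from how Debian version strings are ordered, not from what patches a build contains. As an added example (not part of the bug report or of any Ubuntu tooling), this Python port of dpkg's version comparison is run on the two version strings quoted in the report; it shows why the PPA's 1.1.1g build sorts above Ubuntu's 1.1.1-1ubuntu2.1~18.04.7, and therefore why a higher-sorting version is no evidence that a particular CVE fix is present.

```python
import re
from itertools import zip_longest

def _order(c: str) -> int:
    """dpkg's character weight: '~' < end of string < letters < other punctuation."""
    if c == "~":
        return -1
    if c.isalpha():
        return ord(c)
    return ord(c) + 256 if c else 0

def _cmp_fragment(a: str, b: str) -> int:
    """Compare an upstream version or Debian revision like dpkg's verrevcmp()."""
    while a or b:
        # 1. leading non-digit runs are compared character by character
        pa, pb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        for x, y in zip_longest(pa, pb, fillvalue=""):
            if _order(x) != _order(y):
                return _order(x) - _order(y)
        a, b = a[len(pa):], b[len(pb):]
        # 2. the following digit runs are compared numerically
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        if int(da or 0) != int(db or 0):
            return int(da or 0) - int(db or 0)
        a, b = a[len(da):], b[len(db):]
    return 0

def _split(v: str):
    """Split [epoch:]upstream[-revision]; the revision starts after the LAST '-'."""
    epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
    upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, revision

def compare_versions(a: str, b: str) -> int:
    """Negative if a < b, zero if equal, positive if a > b, in dpkg's ordering."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    return (ea - eb) or _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)

def is_downgrade(installed: str, candidate: str) -> bool:
    """True when apt would report installing `candidate` as a DOWNGRADE."""
    return compare_versions(candidate, installed) < 0

PPA_VERSION = "1.1.1g-1+ubuntu18.04.1+deb.sury.org+1"  # installed, from the report
UBUNTU_FIX = "1.1.1-1ubuntu2.1~18.04.7"                 # security build, from the report

if __name__ == "__main__":
    # upstream "1.1.1g" vs "1.1.1": 'g' outranks end-of-string, so the PPA build sorts higher
    print("DOWNGRADE" if is_downgrade(PPA_VERSION, UBUNTU_FIX) else "upgrade")
```

Running it prints DOWNGRADE, matching the dpkg warning in the report; the '~' rule is also why 1ubuntu2.1~18.04.7 sorts below a plain 1ubuntu2.1.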