Hi. Openssl is a delicate component, used by many other packages. As a consequence, it is only patched if there is a strong need. Looking at the pull request you've linked to, this falls outside of the openssl threat model since it is local only. I'm not sure Ubuntu has a stricter threat model for openssl. I'm going to ask around but even if Ubuntu does, it is probably an exploit that is difficult to pull off on a component that is risky to touch. Overall I don't think it is likely that focal receives a corresponding update.
--
https://bugs.launchpad.net/bugs/1915906

Title:
  Ensure SRP BN_mod_exp follows the constant time path

Status in openssl package in Ubuntu:
  Confirmed

Bug description:
  Hello,

  I'd like to point out that there are two fixes missing from the upstream, is there any chance to get them incorporated?

  https://github.com/openssl/openssl/pull/13888
  https://github.com/openssl/openssl/pull/13889

  There was no CVE assigned, it was fixed between 1.1.1i and 1.1.1j.

  Best regards

