First, you need to know that there are TWO ways to fix a vulnerability: Upgrading and Patching. Upstreams emphasize "upgrade" in their public announcements simply because most folks don't know how to patch. But both methods are long-accepted practices. Ubuntu (and many other distros) prefer to patch because upgrading can introduce new bugs and regressions. Upstreams usually make patches available specifically for this purpose. This means that a fully-secure openssl package in Ubuntu WON'T be version 3.0.7.

That's why we need to know the specific CVE(s) for the vulnerabilities. A bit of search-engine-fu reveals that the OpenSSL 3.0.7 release targets two CVEs: CVE-2022-3602 and CVE-2022-3786.

Third, let's look at CVE-2022-3602 in the Ubuntu CVE Tracker. This tells us a couple of important things:
The Ubuntu Security Team is already tracking the issue.
A patched package has already been released.

Fourth, let's dig a little deeper by looking at the package details in the tracker. Now we know the exact version numbers of openssl packages that are patched and secure. Reminder: It's patched, so the version number is NOT 3.0.7. But it's still secure: that CVE has been mitigated.

Finally, let's see if our 22.04 system has that secure package version:

$ apt list openssl
openssl/jammy-updates,jammy-security,now 3.0.2-0ubuntu1.6 amd64

It's not the secure version (recall that the secure version is 3.0.2-0ubuntu1.7). But it was released today, so a simple sudo apt update and sudo apt upgrade shows an openssl update, then:

$ apt list openssl
openssl/jammy-security,now 3.0.2-0ubuntu1.7 amd64

SECURE! This system is now running a package that has been patched by the Ubuntu Security Team to mitigate CVE-2022-3602.

Checking if CVE-2022-3786 is also mitigated is left as an exercise for the student.
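The version check above can be scripted instead of eyeballed. The following is an added example (not from this post) that parses `apt list openssl` output lines and compares the installed version against the tracker's fixed version using Debian's version-ordering rules (epoch, upstream, revision, with `~` sorting before everything); it also shows why comparing against the upstream number 3.0.7 gives the wrong answer for a patched package. The two apt lines are constructed copies of the output shown in the post; the fixed version 3.0.2-0ubuntu1.7 is the one the tracker reported.

```python
import re

# Fixed version for CVE-2022-3602 in jammy, as reported by the Ubuntu CVE Tracker.
FIXED_VERSION = "3.0.2-0ubuntu1.7"

# Constructed sample lines, copied from the `apt list openssl` output in the post.
BEFORE_UPGRADE = "openssl/jammy-updates,jammy-security,now 3.0.2-0ubuntu1.6 amd64"
AFTER_UPGRADE = "openssl/jammy-security,now 3.0.2-0ubuntu1.7 amd64"


def _char_order(c):
    # Debian rule: '~' sorts before anything (even end of string), letters before non-letters.
    if c == "~":
        return -1
    if c == "":
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256


def _cmp_nondigit(a, b):
    for i in range(max(len(a), len(b))):
        oa = _char_order(a[i] if i < len(a) else "")
        ob = _char_order(b[i] if i < len(b) else "")
        if oa != ob:
            return -1 if oa < ob else 1
    return 0


def _verrevcmp(a, b):
    # Alternate non-digit runs (lexical, Debian order) and digit runs (numeric).
    ta, tb = re.findall(r"(\D*)(\d*)", a), re.findall(r"(\D*)(\d*)", b)
    for i in range(max(len(ta), len(tb))):
        na, da = ta[i] if i < len(ta) else ("", "")
        nb, db = tb[i] if i < len(tb) else ("", "")
        r = _cmp_nondigit(na, nb)
        if r:
            return r
        ia, ib = int(da or 0), int(db or 0)
        if ia != ib:
            return -1 if ia < ib else 1
    return 0


def _split(v):
    # "[epoch:]upstream[-revision]": the last '-' separates the Debian revision.
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def compare_versions(a, b):
    # Returns -1, 0 or 1, mirroring the ordering dpkg --compare-versions uses.
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _verrevcmp(ua, ub) or _verrevcmp(ra, rb)


def parse_apt_list_line(line):
    # "name/suites version arch [status]" -> (name, version)
    name_suites, version, _arch = line.split()[:3]
    return name_suites.split("/")[0], version


def is_fixed(apt_line, fixed_version):
    # True when the installed version is at or above the tracker's fixed version.
    _name, installed = parse_apt_list_line(apt_line)
    return compare_versions(installed, fixed_version) >= 0
```

On the box itself the same comparison is `dpkg --compare-versions "$(dpkg-query -W -f='${Version}' openssl)" ge 3.0.2-0ubuntu1.7`, and `apt changelog openssl` lists the CVE identifiers each revision addresses.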