I just read a description of CVE-2020-1971, which indicates that a patch was released today for openSSL, the patched version is 1.1.1i -- my version of Ubuntu 20.04.1 LTS is running openSSL version 1.1.1f. From last March.
Software Updater says that my system is up to date. I am hoping that this openSSL update is released by Canonical by tomorrow... can anyone confirm they are working on this?
When a CVE question comes up, your first stop should be Ubuntu's CVE tracker at https://ubuntu.com/security.
Here's what the Ubuntu CVE tracker said about this CVE and this package when I checked:
openssl 1.1.1f-1ubuntu2.1, which is already in the Ubuntu repositories (focal-security pocket).Let's double-check that openssl 1.1.1f-1ubuntu2.1 is available for apt to download and install:
$ apt-cache madison openssl // 20.04 system, matching the question
openssl | 1.1.1f-1ubuntu2 | focal
openssl | 1.1.1f-1ubuntu2.1 | focal-security <----- There it is
openssl | 1.1.1f-1ubuntu2.1 | focal-updates <----- And there, too
For the curious, let's take a look at the Launchpad page for that package to determine the patched 20.04 version's upload date (08 December 2020 / 08.12.2020) :
Check your installed package version using apt list openssl.
$ apt list openssl
Listing... Done
openssl/focal-updates,focal-security, now 1.1.1f-1ubuntu2.1 amd64 [installed]
Background: There are two ways to handle security updates.
Update to a newer release that incorporates the change. Since most users have no idea how to apply a patch, this is a common recommendation. For unskilled users, this is an easy and reasonably safe method. This will update you to 1.1.1i
Apply the patch to the current version. Since the Ubuntu Security Team engineers DO know how to apply and test patches, this is how Ubuntu security updates work. Ubuntu provides a patched version, not a new version. This will update you from 1.1.1f-1ubuntu2 to 1.1.1f-1ubuntu2.1. Yes, your -v flag will say 1.1.1f, and that's correct. But you are still patched; the vuln can no longer affect you.
