There's a highest severity security hole in openssl v3.0.x where x<7. The patched version (3.0.7) has officially dropped on November 1, 2022.
How to install/update openssl 3.0.7 on an Ubuntu 22.04 system?
Update: The vulnerability has been downgraded from Critical to High.
First, you need to know that there are TWO ways to fix a vulnerability: Upgrading and Patching.
This means that a fully-secure openssl package in Ubuntu WON'T be version 3.0.7. That's why we need to know the specific CVE(s) for the vulnerabilities.
Second, lets find those CVE(s). A bit of search-engine-fu reveals that the OpenSSL 3.0.7 release targets two CVEs:
Third, let's look at CVE-2022-3602 in the Ubuntu CVE Tracker:
This tells us a couple of important things:
openssl.Fourth, let's dig a little deeper by looking at package details the tracker:
Now we know the exact version numbers of openssl packages that are patched and secure.
Finally, let's see if our 22.04 system has that secure package version
$ apt list openssl
Listing... Done
openssl/jammy-updates,jammy-security,now 3.0.2-0ubuntu1.6 amd64 [installed,automatic]
It's not the secure version (recall that the secure version is 3.0.2-0ubuntu1.7). But it was released today, so a simple sudo apt update and sudo apt upgrade shows an openssl update, then:
$ apt list openssl
Listing... Done
openssl/jammy-security,now 3.0.2-0ubuntu1.7 amd64 [installed,automatic]
SECURE! This system is now running a package that has been patched by the Ubuntu Security Team to mitigate CVE-2022-3602.
Checking if CVE-2022-3786 is also mitigated is left as an exercise for the student.
One final note: If a lot of this information was new to you (patching, CVEs, tracker, confusing version numbers), then one easy way to pierce the veil and understand what's going on is a couple episodes of the Ubuntu Security Podcast, a short weekly discussion of security-related topics from the Ubuntu Security Team. They want you to understand it!
