6

OpenSSL released a security advisory, warning users of two recently discovered vulnerabilities:

  • Memory corruption in the ASN.1 encoder (CVE-2016-2108)
  • Padding oracle in AES-NI CBC MAC check (CVE-2016-2107)

Their recommendation is as follows:

  • OpenSSL 1.0.2 users should upgrade to 1.0.2h
  • OpenSSL 1.0.1 users should upgrade to 1.0.1t

However, the latest version available for Trusty (14.04) is 1.0.1f-1ubuntu2.19. How come such an old version is still being provided and how do I mitigate this?

Nathan Osman
  • 32,495

1 Answer

21

The current version does indeed include the mitigations for these vulnerabilities. Rather than keeping up with the OpenSSL releases, the security team prefers to backport fixes.

You can confirm that the package contains the mitigation for the CVEs listed in the question by downloading the Debian packaging for the openssl package:

apt-get source openssl

You will find a file named openssl_1.0.1f-1ubuntu2.19.debian.tar.gz in the current directory. Extract the contents and list the contents of debian/patches:

$ ls debian/patches
...
CVE-2016-2107.patch
CVE-2016-2108-1.patch
CVE-2016-2108-2.patch
...
Nathan Osman
  • 32,495
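The answer's check (unpack the source, look for patch files named after the CVE ids under debian/patches) can be scripted so it is repeatable across packages and CVE lists. The following is an added example, not code from the original answer or from Ubuntu's packaging. It assumes the naming convention shown in the answer (patch files named after the CVE), and adds two checks a practitioner would want: a patch that is present in the directory but not listed in debian/patches/series is not actually applied by a quilt-format package, and a CVE that is only mentioned in debian/changelog is reported separately rather than counted as patched. The sample source tree it runs against is constructed inline with placeholder ids (CVE-0000-000x) so the script runs offline; on a real system you would point it at the directory left by `apt-get source openssl` instead.

```shell
#!/bin/sh
# Added example (not part of the original answer): report whether an unpacked
# Debian/Ubuntu source tree carries backported fixes for the given CVE ids.
# Assumption: fixes are shipped as debian/patches/<CVE-ID>*.patch, as in the
# answer's listing for openssl 1.0.1f-1ubuntu2.19.

# cve_status DIR CVE-ID
# Prints one of: applied, present-not-in-series, changelog-only, missing.
# Returns 0 only for "applied".
cve_status() {
    dir="$1"
    cve="$2"
    patches="$dir/debian/patches"
    series="$patches/series"

    # Patch files whose name carries the CVE id (ignore the series file itself).
    names=$(ls "$patches" 2>/dev/null | grep -v '^series$' | grep "$cve" || true)

    if [ -n "$names" ]; then
        # For quilt-format (3.0) packages only patches listed in series are applied;
        # compare the first field of each non-comment series line with the file name.
        if [ -f "$series" ]; then
            for n in $names; do
                if grep -v '^#' "$series" | awk '{print $1}' | grep -qxF "$n"; then
                    echo applied
                    return 0
                fi
            done
            echo present-not-in-series
            return 1
        fi
        echo applied
        return 0
    fi

    # No patch file: a changelog mention alone is evidence to follow up, not proof.
    if [ -f "$dir/debian/changelog" ] && grep -q "$cve" "$dir/debian/changelog"; then
        echo changelog-only
        return 1
    fi
    echo missing
    return 1
}

# check_cves DIR CVE-ID... : one line per CVE, exit 0 only if every id is applied.
check_cves() {
    dir="$1"
    shift
    rc=0
    for cve in "$@"; do
        s=$(cve_status "$dir" "$cve") || rc=1
        printf '%-16s %s\n' "$cve" "$s"
    done
    return $rc
}

# make_fixture: build a constructed source tree that mirrors the answer's listing.
# Prints the directory path. CVE-0000-000x ids are placeholders, not real CVEs.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/debian/patches"
    for p in CVE-2016-2107.patch CVE-2016-2108-1.patch CVE-2016-2108-2.patch CVE-0000-0001.patch; do
        : > "$d/debian/patches/$p"
    done
    # CVE-0000-0001.patch is deliberately left out of series (present but not applied).
    printf '%s\n' '# constructed series file' \
        CVE-2016-2107.patch CVE-2016-2108-1.patch CVE-2016-2108-2.patch \
        > "$d/debian/patches/series"
    # Constructed changelog: CVE-0000-0002 is mentioned but has no patch file.
    printf '%s\n' \
        'openssl (1.0.1f-1ubuntu2.19) trusty-security; urgency=medium' '' \
        '  * SECURITY UPDATE: CVE-2016-2107, CVE-2016-2108' \
        '  * constructed entry mentioning CVE-0000-0002 only' \
        > "$d/debian/changelog"
    echo "$d"
}

# Demo against the constructed tree; replace $fx with the real unpacked directory.
fx=$(make_fixture)
check_cves "$fx" CVE-2016-2107 CVE-2016-2108 CVE-0000-0001 CVE-0000-0002 \
    || echo "at least one CVE is not confirmed as applied"
rm -rf "$fx"
```

The exit status of `check_cves` is what you would gate on in a fleet audit: a CVE reported as `present-not-in-series` or `changelog-only` needs a human look at the package diff, because neither state shows that the code in the built binary actually changed.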