On 11/04/2021 01:04, @lbutlr wrote:
> On 10 Apr 2021, at 12:57, Juri Haberland <j...@koschikode.com> wrote:
>> On 10/04/2021 19:52, @lbutlr wrote:
>>> On 10 Apr 2021, at 09:55, B Shea <ad...@sheacomputers.net> wrote:
>>>> OpenSSL (Ubuntu default/repo version): 1.1.1f 31 Mar 2020
>>>
>>> There have been a few critical patches to OpenSSL in the last year,
>>> including a very important one to 1.1.1k just recently.
>>>
>>> Not to do with your issue, but I suspect updating both openssl and Dovecot
>>> are good first steps.
>>
>> That is the version as distributed by Ubuntu with security fixes
>> backported as usual for most Linux distributions...
>
> If the date is May 2020, then no, it hasn't.
>
> As I said, there have been many patches since then, including one very
> important one very recently (end of March, beginning of April).
>

$ lsb_release --description
Description: Ubuntu 20.04.2 LTS
$ openssl version
OpenSSL 1.1.1f 31 Mar 2020
$ dpkg -l | grep openssl
ii openssl 1.1.1f-1ubuntu2.3 amd64 Secure Sockets Layer toolkit - cryptographic utility
$ zcat /usr/share/doc/openssl/changelog.Debian.gz | head -n 16
openssl (1.1.1f-1ubuntu2.3) focal-security; urgency=medium

  * SECURITY UPDATE: NULL pointer deref in signature_algorithms processing
    - debian/patches/CVE-2021-3449-1.patch: fix NULL pointer dereference in
      ssl/statem/extensions.c.
    - debian/patches/CVE-2021-3449-2.patch: teach TLSProxy how to encrypt
      <= TLSv1.2 ETM records in util/perl/TLSProxy/Message.pm.
    - debian/patches/CVE-2021-3449-3.patch: add a test to
      test/recipes/70-test_renegotiation.t.
    - debian/patches/CVE-2021-3449-4.patch: ensure buffer/length pairs are
      always in sync in ssl/s3_lib.c, ssl/ssl_lib.c,
      ssl/statem/extensions.c, ssl/statem/extensions_clnt.c,
      ssl/statem/statem_clnt.c, ssl/statem/statem_srvr.c.
    - CVE-2021-3449

 -- Marc Deslauriers <marc.deslauri...@ubuntu.com> Mon, 22 Mar 2021 07:37:17 -0400

So yes, it is up-to-date.

Cheers,
  Juri
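
The changelog check from the message above, as an added example that is not part of the original post: it reports which package version carries the fix for a given CVE, since the upstream string printed by `openssl version` does not reflect distribution backports. The function names, the temporary sample file and the placeholder entry are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original thread.
# cve_fixed_in CVE-ID [CHANGELOG]
# Print the package version of the newest changelog entry that mentions
# CVE-ID; return non-zero when no entry mentions it.
cve_fixed_in() {
    cve=$1
    [ -n "$cve" ] || return 2
    file=${2:-/usr/share/doc/openssl/changelog.Debian.gz}
    case $file in
        *.gz) gzip -dc -- "$file" ;;
        *)    cat -- "$file" ;;
    esac | awk -v cve="$cve" '
        # Entry header: "package (version) suite; urgency=..."
        /^[a-z0-9][a-z0-9+.-]* \(.*\) / {
            ver = $2; gsub(/[()]/, "", ver); next
        }
        # Require a non-digit after the id so that CVE-2021-344 does not
        # match inside CVE-2021-3449.
        ver != "" && $0 ~ (cve "([^0-9]|$)") { print ver; found = 1; exit }
        END { exit !found }
    '
}

# Sample input: an excerpt of the changelog quoted in the message, followed
# by a constructed placeholder entry that carries no CVE reference.
make_sample_changelog() {
    tmp=$(mktemp) || return 1
    cat > "$tmp" <<'EOF'
openssl (1.1.1f-1ubuntu2.3) focal-security; urgency=medium

  * SECURITY UPDATE: NULL pointer deref in signature_algorithms processing
    - debian/patches/CVE-2021-3449-1.patch: fix NULL pointer dereference in
      ssl/statem/extensions.c.
    - CVE-2021-3449

 -- Marc Deslauriers <marc.deslauri...@ubuntu.com>  Mon, 22 Mar 2021 07:37:17 -0400

openssl (0.0.0-placeholder1) focal; urgency=low

  * Constructed older entry with no CVE reference.
EOF
    printf '%s\n' "$tmp"
}

sample=$(make_sample_changelog)
cve_fixed_in CVE-2021-3449 "$sample"
rm -f "$sample"
```

Called with only a CVE id, the function reads the installed openssl changelog at the path used in the message.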