Public bug reported:

Hi,

Ubuntu 24.04 is currently set to use OpenSSL 3.0.13, which is now quite a bit behind the latest patch level on that OpenSSL branch, namely 3.0.17. There are a number of fixes between 3.0.13 and 3.0.17, which are listed here:

https://github.com/openssl/openssl/blob/openssl-3.0/CHANGES.md#openssl-30

To highlight one example vulnerability, which looks potentially serious:

Changes between 3.0.14 and 3.0.15 [3 Sep 2024]

"Applications performing certificate name checks (e.g., TLS clients checking server certificates) may attempt to read an invalid memory address when comparing the expected name with an otherName subject alternative name of an X.509 certificate. This may result in an exception that terminates the application program."

Thanks!
David

** Affects: openssl (Ubuntu)
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/2125752

Title:
  OpenSSL package in Ubuntu 24.04 needs updating
