On 11/04/2021 01:04, @lbutlr wrote:
On 10 Apr 2021, at 12:57, Juri Haberland juri@koschikode.com wrote:
On 10/04/2021 19:52, @lbutlr wrote:
On 10 Apr 2021, at 09:55, B Shea admin@sheacomputers.net wrote:
OpenSSL (Ubuntu default/repo version): 1.1.1f 31 Mar 2020
There have been a few critical patches to OpenSSL in the last year, including a very important one to 1.1.1k just recently.
Not to do with your issue, but I suspect updating both openssl and Dovecot are good first steps.
That is the version as distributed by Ubuntu with security fixes backported as usual for most Linux distributions...
If the date is May 2020, then no, it hasn't.
As I said, there have been many patches since then, including one very important one very recently (end of march, beginning of April).
$ lsb_release --description
Description:    Ubuntu 20.04.2 LTS
$ openssl version
OpenSSL 1.1.1f  31 Mar 2020
$ dpkg -l | grep openssl
ii  openssl  1.1.1f-1ubuntu2.3  amd64  Secure Sockets Layer toolkit - cryptographic utility

$ zcat /usr/share/doc/openssl/changelog.Debian.gz | head -n 16
openssl (1.1.1f-1ubuntu2.3) focal-security; urgency=medium

  * SECURITY UPDATE: NULL pointer deref in signature_algorithms processing
    - debian/patches/CVE-2021-3449-1.patch: fix NULL pointer dereference in
      ssl/statem/extensions.c.
    - debian/patches/CVE-2021-3449-2.patch: teach TLSProxy how to encrypt
      <= TLSv1.2 ETM records in util/perl/TLSProxy/Message.pm.
    - debian/patches/CVE-2021-3449-3.patch: add a test to
      test/recipes/70-test_renegotiation.t.
    - debian/patches/CVE-2021-3449-4.patch: ensure buffer/length pairs are
      always in sync in ssl/s3_lib.c, ssl/ssl_lib.c, ssl/statem/extensions.c,
      ssl/statem/extensions_clnt.c, ssl/statem/statem_clnt.c,
      ssl/statem/statem_srvr.c.
    - CVE-2021-3449

 -- Marc Deslauriers marc.deslauriers@ubuntu.com  Mon, 22 Mar 2021 07:37:17 -0400
So yes, it is up-to-date.
Cheers, Juri
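The check Juri walks through above (reading the package's changelog.Debian.gz instead of trusting the upstream string printed by "openssl version", which backported fixes do not change) as a small script. This is an added example, not code from the thread or from Ubuntu; the function names and argument handling are my own, and SAMPLE_CHANGELOG is a constructed excerpt built from the changelog lines quoted in the thread so the script can run offline.

```shell
#!/bin/sh
# Added example (not from the thread): does a Debian/Ubuntu package's
# changelog record a fix for a given CVE? Function names are my own.

# cve_fixed_in_changelog CVE-ID
# Reads changelog text on stdin and prints the version of the newest entry
# that mentions the CVE (entries are newest first), or nothing if absent.
cve_fixed_in_changelog() {
    awk -v cve="$1" '
        # Entry header looks like: openssl (1.1.1f-1ubuntu2.3) focal-security; urgency=medium
        /^[a-z0-9.+-]+ \([^)]+\) / { ver = $2; gsub(/[()]/, "", ver) }
        # Match the ID as a whole token so CVE-2021-344 does not match CVE-2021-3449
        !found && $0 ~ (cve "([^0-9]|$)") { print ver; found = 1 }
    '
}

# cve_fixed_in_package PACKAGE CVE-ID
# Looks at the distro changelog shipped with the installed package.
cve_fixed_in_package() {
    changelog="/usr/share/doc/$1/changelog.Debian.gz"
    if [ ! -r "$changelog" ]; then
        echo "$1: cannot read $changelog (package not installed?)" >&2
        return 2
    fi
    ver=$(zcat "$changelog" | cve_fixed_in_changelog "$2")
    if [ -n "$ver" ]; then
        echo "$2: fixed in $1 $ver"
        return 0
    fi
    echo "$2: not mentioned in the $1 changelog" >&2
    return 1
}

# Constructed sample: the head of the changelog quoted in the thread, trimmed
# to one entry and with the maintainer line shortened. Used only so the
# script has something to parse when no real package is available.
SAMPLE_CHANGELOG='openssl (1.1.1f-1ubuntu2.3) focal-security; urgency=medium

  * SECURITY UPDATE: NULL pointer deref in signature_algorithms processing
    - debian/patches/CVE-2021-3449-1.patch: fix NULL pointer dereference in
      ssl/statem/extensions.c.
    - CVE-2021-3449

 -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Mon, 22 Mar 2021 07:37:17 -0400
'

# Usage: sh check_cve.sh openssl CVE-2021-3449
# With no arguments, run the parser over the constructed sample instead.
if [ $# -eq 2 ]; then
    cve_fixed_in_package "$1" "$2"
else
    printf '%s' "$SAMPLE_CHANGELOG" | cve_fixed_in_changelog CVE-2021-3449
fi
```

The version printed is the Debian revision (1.1.1f-1ubuntu2.3), which is the number that actually moves when Ubuntu backports a fix; comparing it against the version named in the USN for the CVE is the meaningful check, not comparing "1.1.1f" against "1.1.1k".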