
Re: CVE-2022-2068 stretch



Hi,

On Fri, Jul 01, 2022 at 03:30:36PM +0000, jostutz wrote:
> object: CVE-2022-2068
> 
> https://security-tracker.debian.org/tracker/CVE-2022-2068
> 
> https://www.openssl.org/news/secadv/20220621.txt
> 
> Hello,
> 
> the openssl page reads the issue affects 'OpenSSL versions 1.0.2, 1.1.1 and 3.0'
> 1.1.1 is the basename for openssl packages on Debian10 and 11 (1.1.1n-0+debXXuX)
> 
> On one hand, the cve tracker page indicates stretch vulnerable,
> 
> But on the other hand:
> 
> - Debian9 has last candidate 1.1.0l-1~deb9u6 (from stable and backports)
> - the Stretch page https://packages.debian.org/stretch/libssl1.1 and apt-get source openssl both indicate 1.1.0
> 
> So am I wrong, or does the debian tracker page display an error?
> By the way, I know Stretch is not supported anymore, but things are as they are: some machines are still using Stretch and require upgrade.

1.1.0 is not supported anymore by upstream, so it is not listed in the
advisories. That said, issues need to be triaged specifically for the
versions in Debian itself, and I believe in this case would have
affected as well the c_rehash script in stretch.

It might still receive an update in the ELTS project, see
https://wiki.debian.org/LTS/Extended .

Regards,
Salvatore

