There's a good reason why no patch has been issued

Jul 13, 2015 09:42 GMT

A new set of OpenSSL vulnerabilities has been identified, and all Linux distributions have been quick to implement patches in order to close these issues. As it turns out, none of the supported Ubuntu OSes has been affected, and no patch has been released.

Quite a few members of the Ubuntu community have been asking why their OS hasn't been patched against the recently discovered OpenSSL issues. They were right to ask that question, since Ubuntu uses OpenSSL, but the maintainers found that a patch wasn't necessary.

Some of you will also notice that the latest version of OpenSSL is now 1.0.2d, but the version present in the Ubuntu OSes doesn't match that. Most of the time, Ubuntu maintainers don't upgrade the package from one upstream version to another. They take the patch and backport it to the version they already ship. This means the OpenSSL version in Ubuntu will differ from the one upstream, in this case, 1.0.2d.

Only Ubuntu 15.10 has been affected

To be fair, Ubuntu 15.10 (Wily Werewolf) was affected by the recent vulnerabilities, but that OS is still under development, and it hasn't been released just yet. Canonical's Marc Deslauriers explained that users don't have anything to worry about. "OpenSSL advisory doesn't affect any stable Ubuntu releases. (CVE-2015-1793). It does affect the development release, 15.10, where it will be fixed shortly," wrote Marc.

Ubuntu 15.10 (Wily Werewolf) has already been patched against the latest vulnerabilities, and the 1.0.2d version has been pushed into the repositories. Canonical has always taken these issues very seriously, and fixes like this don't get delayed. We recently wrote that it took Firefox 39 almost a week to land in Ubuntu, but OpenSSL doesn't fall into the same category.

We also covered the CVE-2015-1793 vulnerability at great length, and it's safe to say that it's not a major problem.