Updating openssl in the snap directories

I need to update openssl in the following directories. I have tried to adjust the channel to “stable/edge” but it still shows the outdated version. Any ideas on how to resolve this?

Path : /snap/curl/2266/usr/lib/x86_64-linux-gnu/libssl.so.1.1 Reported version : 1.1.1f Fixed version : 1.1.1za

Path : /snap/curl/2266/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1 Reported version : 1.1.1f Fixed version : 1.1.1za

Path : /snap/core20/2393/usr/lib/x86_64-linux-gnu/libssl.so.1.1 Reported version : 1.1.1f Fixed version : 1.1.1za

Path : /snap/core20/2393/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1 Reported version : 1.1.1f Fixed version : 1.1.1za

Path : /snap/core20/2393/usr/bin/openssl Reported version : 1.1.1f Fixed version : 1.1.1za

Path : /snap/core20/2386/usr/lib/x86_64-linux-gnu/libssl.so.1.1 Reported version : 1.1.1f Fixed version : 1.1.1za

Path : /snap/core20/2386/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1 Reported version : 1.1.1f Fixed version : 1.1.1za

Path : /snap/core20/2386/usr/bin/openssl Reported version : 1.1.1f Fixed version : 1.1.1za

Can you explain what you are trying to do? Those files come from snaps, which are read only and individual files cannot be updated by the user.

So essentially our vulnerability scanner is flagging those versions and the remediation is to update to the fixed version. I am relatively new to Ubuntu and Snaps, so I am trying to understand how they are updated or if I am at the mercy of the publisher to update those versions. If I can't update them, I just need justification as to why I can't update those versions of things.

what are the exact CVE numbers it flags, and have you checked CVEs | Ubuntu?

note that Ubuntu never updates versions but instead backports the single security fixes; some badly crafted security scanners simply do not check for the actual vulnerability in code but blindly look at version numbers, which gets you false positives …

and on a side-note, only the snap package maintainer can update the libs … the store usually sends out a notification to the packager if there is an open CVE in a snap so they can re-trigger a build to have it pick up the fix (so you should file an issue against the snap package … snap info <package name> should give you a hint where to file it)

I just checked https://ubuntu.com/security/CVE-2024-5535 as you had suggested. In the table for the referenced CVE under Jammy it says "does not exist". Now, is that stating the vulnerability does not exist or that a fix for it does not exist? Thank you for your response, I am new to having to manage Ubuntu systems.

first of all, please note that we are talking about a low priority vulnerability … these are typically only fixed on a best-effort basis anyway …

looking at:

https://ubuntu.com/security/cves?q=2024-5535

this says that the package openssl1.0 does not exist in the archive after 18.04 … the package that exists there is just called openssl and has been fixed …

if you check the link you gave above now, you will find that the fix has been released in 20.04 for the package version 1.1.1f-1ubuntu2.23

now you can check the core20 snap:

$ grep libssl /snap/core20/current/snap/manifest.yaml 
    - libssl1.1=1.1.1f-1ubuntu2.22
    - libssl1.1=1.1.1f-1ubuntu2.22
    - libssl1.1=1.1.1f-1ubuntu2.22
$

and indeed this is still vulnerable, but a new version of the deb has been released to the ubuntu archive, so the next release of the core20 snap will have this fix automatically (it is very likely in the edge, beta or candidate channels of the snap already) …

for curl you should contact the maintainer of the curl snap to hit the rebuild button so the curl snap will pick it up as well …

in any case you should consider switching to a better security scanner tool, I'm pretty sure it will still report the vulnerability even after the snap has been updated since it seems to only look at version strings but not at the actual fixes …
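An added example (not code from anyone in this thread) of the check the reply above describes: read the `pkg=version` lines of a snap's manifest.yaml, compare the staged Ubuntu deb version against the fixed version from the CVE tracker with dpkg's version ordering, and contrast that with a scanner that only looks at the upstream string. The manifest excerpt and the `FIXED` table are constructed from the values quoted in the thread.

```python
import re
from itertools import zip_longest
# Constructed excerpt of a core20 snap manifest.yaml; the real file lists every
# deb staged into the snap (the thread's grep shows libssl1.1 three times).
MANIFEST_YAML = """\
primed-stage-packages:
    - libssl1.1=1.1.1f-1ubuntu2.22
    - openssl=1.1.1f-1ubuntu2.22
"""
# Ubuntu package versions that carry the backported fix, per the CVE tracker.
FIXED = {"libssl1.1": "1.1.1f-1ubuntu2.23", "openssl": "1.1.1f-1ubuntu2.23"}

def _order(c):
    # dpkg's ordering for non-digits: '~' < end of string < letters < symbols.
    if c == "~":
        return -1
    return 0 if c == "" else ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):
    # Walk alternating non-digit / digit runs the way dpkg's verrevcmp does.
    ra, rb = (re.findall(r"([^0-9]*)([0-9]*)", s) for s in (a, b))
    for (sa, da), (sb, db) in zip_longest(ra, rb, fillvalue=("", "")):
        for ca, cb in zip_longest(sa, sb, fillvalue=""):
            if _order(ca) != _order(cb):
                return _order(ca) - _order(cb)
        if int(da or 0) != int(db or 0):
            return int(da or 0) - int(db or 0)
    return 0

def deb_version_cmp(v1, v2):
    """<0, 0 or >0 like dpkg --compare-versions on [epoch:]upstream[-revision]."""
    def _split(v):
        epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
        upstream, rev = rest.rsplit("-", 1) if "-" in rest else (rest, "0")
        return int(epoch), upstream, rev
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    return (e1 - e2) or _cmp_part(u1, u2) or _cmp_part(r1, r2)

def unfixed_packages(manifest_text, fixed=FIXED):
    """Staged packages ('- pkg=version' lines) older than the fixed deb version."""
    staged = dict(re.findall(r"^\s*-\s*([^=\s]+)=(\S+)\s*$", manifest_text, re.M))
    return {p: v for p, v in staged.items()
            if p in fixed and deb_version_cmp(v, fixed[p]) < 0}

def scanner_would_flag(staged_version, scanner_fixed_upstream="1.1.1za"):
    """Mimic a string-only scanner: it compares the upstream part alone and
    never sees the Ubuntu revision that carries the backported fix."""
    upstream = staged_version.split(":", 1)[-1].rsplit("-", 1)[0]
    return deb_version_cmp(upstream, scanner_fixed_upstream) < 0
```

On a real system point `unfixed_packages` at the contents of /snap/core20/current/snap/manifest.yaml; a revision of 1.1.1f-1ubuntu2.23 or later comes back empty, while `scanner_would_flag` keeps returning True for the same version, which is the false positive the thread describes.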

Unfortunately I don't have control over the vulnerability scanner that is being used; it populates as a critical vulnerability, which blew my mind when I looked at the actual CVE and it said LOW.

These are the system details:

Ubuntu 22.04.4 LTS (GNU/Linux 6.5.0-45-generic x86_64)

I ran the command and this was the output:

grep libssl /snap/core20/current/snap/manifest.yaml
    - libssl1.1=1.1.1f-1ubuntu2.23
    - libssl1.1=1.1.1f-1ubuntu2.23
    - libssl1.1=1.1.1f-1ubuntu2.23

so now, from what you are saying ("if you check the link you gave above now, you will find that the fix has been released in 20.04 for the package version 1.1.1f-1ubuntu2.23"), this is not actually an issue and the scanner is tagging it for no reason.

Thank you for helping me understand this a bit better with the Snaps and versions.

Hah, sorry, I just got a core20 update over here, my system was simply behind, indeed it is fixed already in the stable channel 🙂

Even if you don’t have the power yourself to change the scanner, you should talk to the person that has it…

You will constantly get false positives with that tool on Ubuntu, and the fact that it even wrongly categorizes a CVE that upstream considers low as critical is seriously worrying…