libssl1.1 wrong fix?

[partizanes]

Hello, anyone can me explain why for libssl1.1 proposed fix as a package 3.0.2 version and how can fix that?

I have
libssl1.1/now 1.1.1t amd64 [installed,local]
libssl3/jammy-updates,jammy-security,now 3.0.2-0ubuntu1.9 amd64 [installed,automatic]
openssl/jammy-updates,jammy-security,now 3.0.2-0ubuntu1.9 amd64 [installed]

Thank you!

[DmitriyLewen]

Hello @partizanes
Thanks for your interest to Trivy!

For OS packages(dpkg, apk, rpm) we use advisories of vendor OS. (e.g. CVE-2022-0778)
Source name of libssl1.1 is openssl:

That is why fixed version is 3.0.2.

how can fix that?

You need to update/remove this package.

Regards, Dmitriy

[partizanes]

@DmitriyLewen
At first I try to install all last update from official repo.When it didn't work i manualy build deb package sslib version 1.1.1t and install it. Also i have 3.0.2-0ubuntu1.9 amd64. The version > fixed version on screen.. It turns out that I have all the latest versions and still get an error. I can't remove libssl1.1 it because it has dependencies in the OS (ubuntu-minimal, python3 and etc ). Maybe I do not understand something and I will be grateful to you if you tell me.

[DmitriyLewen]

you have 2 package:

1. libssl1.1. libssl1.1 is part of openssl source package - https://packages.ubuntu.com/en/source/focal/openssl. This source package contains vulnerabilities that was fixed in 3.0.2 version. So your libssl1.1 library contains these vulnerabilities.
   Also i couldn't find 1.1.1t version. Looks like versions 1.1.1x are only used for focal ubuntu. If i understand correctly you need to use libssl3 for jammy ubuntu - https://packages.ubuntu.com/en/source/jammy/openssl
2. openssl. This library has actual version and doesn't have vulnerabilities.

[partizanes]

Thank you for answer!

But i already have libssl3(.0.2-0ubuntu1.9 amd64) and can`t remove libssl1.1 because have dependency in ubuntu OS 22.04 (ubuntu-minimal, python3 and etc )

apt list --installed | grep ssl

libssl1.1/now 1.1.1f-1ubuntu2 amd64 [installed,local]
libssl3/jammy-updates,jammy-security,now 3.0.2-0ubuntu1.9 amd64 [installed,automatic]
openssl/jammy-updates,jammy-security,now 3.0.2-0ubuntu1.9 amd64 [installed]

At the beginning, 1.1.1f-1ubuntu2 was installed on the system and to update it, I downloaded the openssl-1.1.1t.tar.gz sources, compiled them and selected the files needed for libssl1.1, after which I built the libssl1.1_1.1.1t_amd64 package. deb

Can you please tell me how can I remove or replace the vulnerable package?

[DmitriyLewen]

Hello @partizanes
Sorry for confusing you about vulnerabilities in 1.1.1t version.

I checked NVD and looks like 1.1.1t(as separate package) doesn't contain these vulnerabilities.

But there is some problem to exclude these CVEs from result:

Ubuntu doesn't have information about openssl 1.1.1x package for Jammy Ubuntu.
This Ubuntu version uses openssl 3.x.x. This is why Ubuntu advisory database only include 3.x.x fixed versions.
We can't get information about fixed version for openssl 1.1.1x.

This is special case, so i think you can filter these CVE or create module to handle these CVE.

Regards, Dmitriy