Like all major Linux distributions, Ubuntu backports security and bug fixes so that updates do not break applications due to version incompatibilities.
Ubuntu only packages the latest versions of software when there is a new Ubuntu release. Then, for the life of each Ubuntu release, they keep software patched to ensure security and stability without introducing breaking changes.
The table below lists the OpenSSL version installed on each Ubuntu version. As long as your server's Ubuntu version has not reached its end of life, the OpenSSL installation on your server is being regularly updated with security patches.
Ubuntu Version | OpenSSL Version | Changelog |
---|---|---|
Ubuntu 24.04 | OpenSSL 3.0.13 | changelog |
Ubuntu 22.04 | OpenSSL 3.0.2 | changelog |
Ubuntu 20.04 | OpenSSL 1.1.1 | changelog |
Ubuntu 18.04 | OpenSSL 1.1.1 | changelog |
Ubuntu 16.04 | OpenSSL 1.0.2 | changelog |
Ubuntu 14.04 | OpenSSL 1.0.1 | changelog |
If you receive a PCI compliance warning telling you to update to the most recent version of OpenSSL, your PCI scanner is most likely showing a false positive.
You do not and should not take any action to change your server.
Instead, let the company performing the PCI scan know the version of Ubuntu the server is running and the version of the OpenSSL package installed on the server. You can get this information using the following commands:
lsb_release -r dpkg --list openssl
You may also want to provide the company performing the scan with a link to the OpenSSL changelog for your server's Ubuntu version (see the table above).