Your submission was sent successfully! Close

Thank you for signing up for our newsletter!
In these regular emails you will find the latest updates from Canonical and upcoming events where you can meet our team.Close

Thank you for contacting our team. We will be in touch shortly.Close

  1. Blog
  2. Article

Lech Sandecki
on 26 October 2023

A few months ago, the OpenSSL Project announced the end of life of OpenSSL 1.1.1. It is used by thousands of software components included in Ubuntu 18.04 LTS and Ubuntu 20.04 LTS, with many organisations relying on version 1.1.1.

Rest assured that the Ubuntu security team will continue to maintain important security fixes in OpenSSL 1.1.1 for as long as the Ubuntu release is supported, meaning 2025 for Ubuntu 20.04 LTS with standard support. For Ubuntu Pro subscribers, Canonical offers Expanded Security Maintenance (ESM). This means getting at least 10 years of security maintenance for all software bundled in the release, including OpenSSL 1.1.1. This translates to being security maintained and supported until at least 2028 for Ubuntu 18.04 LTS and at least 2030 for Ubuntu 20.04 LTS.

You might be surprised, but this security maintenance and support level for an end-of-life OpenSSL version isn’t unprecedented. Since OpenSSL 1.0.1 and OpenSSL 1.0.2 went end of life in 2016 and 2019, respectively, Ubuntu Pro customers on Ubuntu 14.04 LTS and Ubuntu 16.04 LTS have already received many additional CVE fixes, ensuring a secure and stable environment for their production and mission-critical deployments.

Backporting and testing

Maintaining this level of support is no easy feat. As with most of the software bundled with Ubuntu, the Ubuntu security team cannot simply update to the latest release of OpenSSL.

OpenSSL 3.0 is not backwards-compatible with previous releases, and many thousands of packages included with Ubuntu would need to be modified to work with it. Instead, the security team must take each security fix published by the OpenSSL developers and carefully adapt it to work with the older version of OpenSSL.

Sometimes, the effort required for this step is trivial, but more often than not, it requires rework and adaptation. Once that is done, the next step is to extensively test the update to ensure that it fixes the security issue properly and does not cause any regression to our customers and their infrastructure.

Additional security and compliance features 

Ubuntu Pro is much more than OpenSSL security support. This same consistent promise applies to every software package bundled with Ubuntu, many of which are no longer supported by their upstream community. The list includes over 25,000 packages in the Ubuntu Universe repository, including Redis and Python 2.7. 

For customers who need to comply with NIST, HIPAA, PCI-DSS and other compliance regimes, Ubuntu Pro also provides streamlined hardening and audit, FIPS compliance, management at scale, kernel livepatch, and optional 24/7 support.

Stay secure and compliant. Learn more at

Related posts

Aaron Whitehouse
24 November 2023

Ubuntu Explained: How to ensure security and stability in cloud instances—part 3

Cloud and server Article

Applying updates across a fleet of multiple Ubuntu instances is a balance of security and service uptime. We explore best practices to maximise stability. ...

Aaron Whitehouse
21 November 2023

Ubuntu Explained: How to ensure security and stability in cloud instances—part 2

Cloud and server Article

You probably know that it is important to apply security updates. You may not be clear how to do that. We are going to explain best practices for applying Ubuntu updates to single instances and what the built-in unattended-upgrades tool does and does not do. ...

Aaron Whitehouse
5 October 2023

Securing open source software dependencies in the public cloud

Cloud and server Article

Building stable and secure software requires understanding build systems and having a plan for vulnerabilities in your software dependencies. ...