By: pward123

How to patch my DO server to close the Heartbleed hole

April 7, 2014
The steps shown below to fix the OpenSSL Heartbleed issue do not appear to be working on my DO 13.10 server: http://askubuntu.com/questions/444702/how-to-patch-cve-2014-0160-in-openssl
18 Answers
If your droplet is using DigitalOcean's Ubuntu mirror, the problem is that their security mirrors do not have libssl 1.0.1-4ubuntu5.12 on them at this time, despite their efforts.

You can work around this by editing /etc/apt/sources.list: comment out the 6 lines for precise-security on mirrors.digitalocean.com, and uncomment the 6 lines below them that refer to security.ubuntu.com.

Then follow the instructions in the above post.
The DO mirror is now working for 12.04 LTS, at least on one of my droplets. So, for others:

I suggest trying a standard apt-get update/upgrade (or unattended-upgrade) first, and if you don't see libssl1.0.0 in the upgrade list, then try changing the sources.

Check the installed version with: dpkg -l | grep openssl
apt-get update && apt-get upgrade
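The sources.list change described in the answer above, applied by a script instead of by hand, so the result can be reviewed before it is written back. This is an added example and not part of the thread; the sample sources.list fragment is constructed to match the layout the answer describes (six active DigitalOcean precise-security lines, six commented-out security.ubuntu.com lines), and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread: apply the sources.list change described
# in the answer above to a file supplied on stdin, so the edit can be checked
# before it is copied over /etc/apt/sources.list.

# Comment out precise-security lines that point at mirrors.digitalocean.com
# and uncomment the equivalent lines that point at security.ubuntu.com.
# Every other line (main, updates, and so on) is passed through untouched.
switch_security_mirror() {
    sed -e '/^deb\(-src\)\{0,1\} .*mirrors\.digitalocean\.com.*precise-security/s/^/# /' \
        -e '/^# *deb\(-src\)\{0,1\} .*security\.ubuntu\.com.*precise-security/s/^# *//'
}

# Count the active (uncommented) precise-security lines for a given host in a
# sources.list read from stdin. Prints the count, "0" when there are none.
count_active_security_lines() {
    grep -c "^deb\(-src\)\{0,1\} .*$1.*precise-security" || true
}

# Constructed 12.04 sources.list fragment in the layout the answer describes:
# DigitalOcean security lines active, Ubuntu security lines commented out.
SAMPLE_SOURCES='deb http://mirrors.digitalocean.com/ubuntu precise main restricted
deb http://mirrors.digitalocean.com/ubuntu precise-updates main restricted
deb http://mirrors.digitalocean.com/ubuntu precise-security main restricted
deb-src http://mirrors.digitalocean.com/ubuntu precise-security main restricted
deb http://mirrors.digitalocean.com/ubuntu precise-security universe
deb-src http://mirrors.digitalocean.com/ubuntu precise-security universe
deb http://mirrors.digitalocean.com/ubuntu precise-security multiverse
deb-src http://mirrors.digitalocean.com/ubuntu precise-security multiverse
# deb http://security.ubuntu.com/ubuntu precise-security main restricted
# deb-src http://security.ubuntu.com/ubuntu precise-security main restricted
# deb http://security.ubuntu.com/ubuntu precise-security universe
# deb-src http://security.ubuntu.com/ubuntu precise-security universe
# deb http://security.ubuntu.com/ubuntu precise-security multiverse
# deb-src http://security.ubuntu.com/ubuntu precise-security multiverse'

# Print the rewritten file. On a real droplet, redirect this to a temporary
# file, review it, copy it over /etc/apt/sources.list, then run apt-get update.
printf '%s\n' "$SAMPLE_SOURCES" | switch_security_mirror
```

Running the rewrite on a copy and counting the active security lines per host before and after is the quickest way to confirm the edit did what the answer intends, without touching the live file until you are satisfied.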

Thanks for the quick reply. As I mentioned in the post, I'm running 13.10, not 12.04.

I did go into sources.list and the following are *not* commented out:

deb http://security.ubuntu.com/ubuntu saucy-security main restricted
deb-src http://security.ubuntu.com/ubuntu saucy-security main restricted
deb http://security.ubuntu.com/ubuntu saucy-security universe
deb-src http://security.ubuntu.com/ubuntu saucy-security universe
deb http://security.ubuntu.com/ubuntu saucy-security multiverse
deb-src http://security.ubuntu.com/ubuntu saucy-security multiverse

Still no love running update/upgrade.

I also tried uncommenting the following, with no luck:

deb http://archive.canonical.com/ubuntu saucy partner
deb-src http://archive.canonical.com/ubuntu saucy partner
deb http://extras.ubuntu.com/ubuntu saucy main
deb-src http://extras.ubuntu.com/ubuntu saucy main
Try:

apt-cache policy openssl

What version does it show?

If it is 1.0.1e-3ubuntu1.2, that means you have the correct version.

http://www.ubuntu.com/usn/usn-2165-1/
Mine says "openssl 1.0.1-4ubuntu5.10"

Does that mean my droplet is vulnerable?

If I am vulnerable, will running "apt-get update && apt-get upgrade" offer a possibility of breaking my current WordPress on LEMP setup?
Just wondering, but is running sudo apt-get update && sudo apt-get upgrade enough to get nginx to use the new version? Or will I have to rebuild nginx or something?

Thank you very much for posting this, I was about to make a question on this myself!
@wzy

Check the link I posted; for Ubuntu 12.10 LTS the fixed version should be 1.0.1-4ubuntu5.12.

Simply running update & upgrade is enough.

I am also using the DO mirrors and upgraded to the latest version with no problem.

Hope this helps.
Tony Tsang: Thanks! Ran the update/upgrade again then checked. Indeed, I am now on 1.0.1e-3ubuntu1.2.
Is a reboot required after this?
@Darren: A reboot may be required, and a lot more. See: http://security.stackexchange.com/questions/55075/does-heartbleed-mean-new-certificates-for-every-ssl-server/55087#55087
@Tony Tsang
Thanks for the confirmation. I did the upgrade and none of my configs seem broken, so I ought to be good now. Running 1.0.1-4ubuntu5.12.
In most cases, upgrading will pull in the fix. For a more detailed rundown of the situation, see this article:

https://www.digitalocean.com/community/articles/how-to-protect-your-server-against-the-heartbleed-openssl-vulnerability
by Justin Ellingwood
The Heartbleed OpenSSL vulnerability is one of the most massive security bugs to hit the internet in years. It basically renders any communication that was supposed to have been protected by SSL open to anyone exploiting this vulnerability. In this guide, we'll tell you how to update your servers and rekey your certificates.
The best way I've found to make sure you're not compromised on an Ubuntu droplet:

apt-get changelog openssl | grep 2014-0160

If you get a hit, the library you're currently using has updated to address heartbleed specifically. This approach is less error prone than library versions, because sometimes your OS provider will release a fixed version of the old library you were using.

Weirdly, I'm on Ubuntu 13.04, getting my updates directly from Ubuntu (rather than a DOcean mirror), and the apt-get update / apt-get upgrade cycle didn't fix it. I've only been toying with SSL for my site anyhow.
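The two checks proposed in this thread, the "apt-cache policy openssl" version comparison from the earlier answer and the "apt-get changelog openssl | grep 2014-0160" check from the answer just above, put together as one script. This is an added example, not code from the thread or from DigitalOcean. The fixed versions are the ones quoted in the thread (1.0.1-4ubuntu5.12 for 12.04 "precise", 1.0.1e-3ubuntu1.2 for 13.10 "saucy", per USN-2165-1); releases not in that table, such as 12.10 "quantal", are reported as unknown rather than guessed. The apt-cache policy output and changelog excerpt are constructed samples, and the function names are my own. Version ordering is done by dpkg --compare-versions where dpkg exists, with "sort -V" as a fallback so the script runs on hosts without dpkg.

```shell
#!/bin/sh
# Added example, not from the thread: decide whether the installed openssl
# package is at or past the Heartbleed fix for a given Ubuntu release, from
# the output of "apt-cache policy openssl", and confirm via the package
# changelog as the answer above suggests.

# Fixed package versions quoted in this thread (USN-2165-1). Other releases
# need their own entries; unknown codenames fail rather than guess.
fixed_version_for() {
    case "$1" in
        precise) echo "1.0.1-4ubuntu5.12" ;;
        saucy)   echo "1.0.1e-3ubuntu1.2" ;;
        *)       return 1 ;;
    esac
}

# True when version $1 is greater than or equal to version $2. dpkg's own
# comparison is authoritative; "sort -V" is a fallback so the example runs on
# hosts without dpkg, and it orders the version strings used here the same way.
version_ge() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --compare-versions "$1" ge "$2"
    else
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
    fi
}

# Extract the "Installed:" value from apt-cache policy output on stdin.
installed_version() {
    sed -n 's/^ *Installed: *//p' | head -n 1
}

# Usage: heartbleed_status <codename> < policy-output
# Prints one of: patched, vulnerable, not-installed, unknown-release.
heartbleed_status() {
    codename="$1"
    installed=$(installed_version)
    case "$installed" in
        ""|"(none)") echo "not-installed"; return 0 ;;
    esac
    if ! fixed=$(fixed_version_for "$codename"); then
        echo "unknown-release"; return 0
    fi
    if version_ge "$installed" "$fixed"; then
        echo "patched"
    else
        echo "vulnerable"
    fi
}

# Second check from the thread: does the installed package's changelog
# (apt-get changelog openssl, read from stdin) name the Heartbleed CVE?
# This catches the case where a vendor ships the fix under an old version.
changelog_mentions_cve() {
    grep -q 'CVE-2014-0160'
}

# Constructed sample shaped like "apt-cache policy openssl" on a 12.04
# droplet still on the DigitalOcean mirror.
SAMPLE_POLICY_OLD='openssl:
  Installed: 1.0.1-4ubuntu5.10
  Candidate: 1.0.1-4ubuntu5.10
  Version table:
 *** 1.0.1-4ubuntu5.10 0
        500 http://mirrors.digitalocean.com/ubuntu/ precise-security/main amd64 Packages
        100 /var/lib/dpkg/status'

# Constructed sample for the same droplet after the upgrade went through.
SAMPLE_POLICY_NEW='openssl:
  Installed: 1.0.1-4ubuntu5.12
  Candidate: 1.0.1-4ubuntu5.12'

# Constructed changelog excerpt in the style of "apt-get changelog openssl".
SAMPLE_CHANGELOG='openssl (1.0.1-4ubuntu5.12) precise-security; urgency=medium

  * SECURITY UPDATE: memory disclosure in TLS heartbeat extension
    - CVE-2014-0160'

# On a live droplet: apt-cache policy openssl | heartbleed_status precise
printf '%s\n' "$SAMPLE_POLICY_OLD" | heartbleed_status precise   # vulnerable
printf '%s\n' "$SAMPLE_POLICY_NEW" | heartbleed_status precise   # patched
printf '%s\n' "$SAMPLE_CHANGELOG" | changelog_mentions_cve && echo "changelog names CVE-2014-0160"
```

The version check and the changelog check answer slightly different questions: the first tells you whether apt has pulled the package the USN names, the second whether the build you actually have was patched for this CVE, which is the more robust signal when a distribution backports the fix without bumping the upstream version. Neither check replaces the follow-up steps linked elsewhere in the thread (restarting services that hold the old library in memory, and reissuing keys and certificates).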
Ah. 13.04 is an EOL distro. Really? Only supporting it for one year? Bollocks.
@darth_schmoo

Right, support for non-LTS versions of Ubuntu has been reduced to 9 months. See:

http://fridge.ubuntu.com/2013/03/19/changes-in-ubuntu-releases-decided-by-the-ubuntu-technical-board/
https://wiki.ubuntu.com/Releases
Hi guys, this quick tutorial helps you apply the latest update to secure your server: https://www.youtube.com/watch?v=sq7Eib02Rb8

Kind regards,
Valentín
I am getting very frustrated with this. None of the suggestions worked for me on Ubuntu 12.10. Running apt-get did not upgrade OpenSSL to the latest version, and this is in spite of the etc/apt/source-list file pointing directly to ubuntu.com. (I pasted the file below.)

How do I upgrade OpenSSL without using Ubuntu's site? I know it's open source and I could theoretically git-pull the source and compile it myself, but I haven't touched a C compiler since college, so I would rather not do this.


source-list:
deb http://archive.ubuntu.com/ubuntu quantal main
deb http://archive.ubuntu.com/ubuntu quantal-updates main
deb http://security.ubuntu.com/ubuntu quantal-security main
deb http://archive.ubuntu.com/ubuntu quantal universe
deb http://archive.ubuntu.com/ubuntu quantal-updates universe

deb-src http://archive.ubuntu.com/ubuntu precise main
deb-src http://archive.ubuntu.com/ubuntu precise-updates main
deb-src http://security.ubuntu.com/ubuntu precise-security main
deb-src http://archive.ubuntu.com/ubuntu precise universe
deb-src http://archive.ubuntu.com/ubuntu precise-updates universe