Question

How to patch my DO server to close the Heartbleed hole

Posted April 7, 2014 6.7k views
Steps shown below to fix the openssl heartbleed issue do not appear to be working on my DO 13.10 server. http://askubuntu.com/questions/444702/how-to-patch-cve-2014-0160-in-openssl
Add a comment
pward123
By:
pward123

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

×
Submit an Answer
18 answers
atowers April 8, 2014
If your droplet is using digital ocean's Ubuntu mirror, the problem is their security mirrors do not have libssl 1.0.1-4ubuntu5.12 on them at this time, despite their efforts.

You can work around this by editing /etc/apt/sources.list, comment out the 6 lines for precise-security on mirrors.digitalocean.com, and uncomment the 6 lines below that refer to security.ubuntu.com.

Then follow the instructions in the above post.
Reply Report
atowers April 8, 2014
The DO mirror is now working for 12.04 LTS, at least on one of my droplets. So, for others:

I suggest trying a standard apt-get update/upgrade (or unattended-upgrade) first, and if you don't see libssl1.0.0 in the upgrade list, then try changing the sources.

Check installed version with: dpkg -l | grep openssl
Reply Report
jprice April 8, 2014
apt-get update && apt-get upgrade

Reply Report
pward123 April 8, 2014
Thanks for the quick reply. As I mentioned in the post, I'm running 13.10, not 12.04.

I did go into sources.list and the following are *not* commented out:

deb http://security.ubuntu.com/ubuntu saucy-security main restricted
deb-src http://security.ubuntu.com/ubuntu saucy-security main restricted
deb http://security.ubuntu.com/ubuntu saucy-security universe
deb-src http://security.ubuntu.com/ubuntu saucy-security universe
deb http://security.ubuntu.com/ubuntu saucy-security multiverse
deb-src http://security.ubuntu.com/ubuntu saucy-security multiverse

Still no love running update/upgrade

I also tried uncommenting the following with no luck

deb http://archive.canonical.com/ubuntu saucy partner
deb-src http://archive.canonical.com/ubuntu saucy partner
deb http://extras.ubuntu.com/ubuntu saucy main
deb-src http://extras.ubuntu.com/ubuntu saucy main
Reply Report
TonyTsang April 8, 2014
Try

apt-cache policy openssl

what version does it show?

If it is 1.0.1e-3ubuntu1.2, that mean you have the correct version.

http://www.ubuntu.com/usn/usn-2165-1/
Reply Report
wzy April 8, 2014
Mine says "openssl 1.0.1-4ubuntu5.10"

Does that mean my droplet is vulnerable?

If i am vulnerable will running "apt-get update && apt-get upgrade" offer a possibility of breaking my current WordPress on LEMP setup?
Reply Report
hung.raymond April 8, 2014
Just wondering, but is running sudo apt-get update && sudo apt-get upgrade enough to get nginx to use the new version? Or will I have to rebuild nginx or something?

Thank you very much for posting this, I was about to make a question on this myself!
Reply Report
TonyTsang April 8, 2014
@wzy

Check the link I post, for ubuntu 12.10 LTS the fixed version should be 1.0.1-4ubuntu5.12.

Simply update & upgrade is enough.

I am also using the DO mirrors and upgraded to lastest version with no problem.

Hope this help.
Reply Report
pward123 April 8, 2014
Tony Tsang: Thanks! Ran the update/upgrade again then checked. Indeed, I am now on 1.0.1e-3ubuntu1.2.
Reply Report
darren209637 April 8, 2014
Is a reboot required after this?
Reply Report
Previous 1 2 Next
Load More Answers

Looking for something else?

Ask a new question Search for more help