How to patch my DO server to close the Heartbleed hole

April 7, 2014 4.5k views
Steps shown below to fix the openssl heartbleed issue do not appear to be working on my DO 13.10 server.
18 Answers
If your droplet is using DigitalOcean's Ubuntu mirror, the problem is their security mirrors do not have libssl 1.0.1-4ubuntu5.12 on them at this time, despite their efforts.

You can work around this by editing /etc/apt/sources.list, comment out the 6 lines for precise-security on, and uncomment the 6 lines below that refer to

Then follow the instructions in the above post.
The DO mirror is now working for 12.04 LTS, at least on one of my droplets. So, for others:

I suggest trying a standard apt-get update/upgrade (or unattended-upgrade) first, and if you don't see libssl1.0.0 in the upgrade list, then try changing the sources.

Check installed version with: dpkg -l | grep openssl
apt-get update && apt-get upgrade

Thanks for the quick reply. As I mentioned in the post, I'm running 13.10, not 12.04.

I did go into sources.list and the following are *not* commented out:

deb saucy-security main restricted
deb-src saucy-security main restricted
deb saucy-security universe
deb-src saucy-security universe
deb saucy-security multiverse
deb-src saucy-security multiverse

Still no love running update/upgrade

I also tried uncommenting the following with no luck

deb saucy partner
deb-src saucy partner
deb saucy main
deb-src saucy main

apt-cache policy openssl

what version does it show?

If it is 1.0.1e-3ubuntu1.2, that means you have the correct version.
Mine says "openssl 1.0.1-4ubuntu5.10"

Does that mean my droplet is vulnerable?

If I am vulnerable, will running "apt-get update && apt-get upgrade" offer a possibility of breaking my current WordPress on LEMP setup?
Just wondering, but is running sudo apt-get update && sudo apt-get upgrade enough to get nginx to use the new version? Or will I have to rebuild nginx or something?

Thank you very much for posting this, I was about to make a question on this myself!

Check the link I posted; for Ubuntu 12.10 LTS the fixed version should be 1.0.1-4ubuntu5.12.

Simply update & upgrade is enough.

I am also using the DO mirrors and upgraded to the latest version with no problem.

Hope this helps.
Tony Tsang: Thanks! Ran the update/upgrade again then checked. Indeed, I am now on 1.0.1e-3ubuntu1.2.
Is a reboot required after this?
@Darren: A reboot may be required, and a lot more. See:
@Tony Tsang
Thanks for the confirmation, I did the upgrade and none of my configs seem broken, so I ought to be good now. Running 1.0.1-4ubuntu5.12
In most cases, upgrading will pull in the fix. For a more detailed run down of the situation, see this article:
by Justin Ellingwood
The Heartbleed OpenSSL vulnerability is one of the most massive security bugs to hit the internet in years. It basically renders any communication that was supposed to have been protected by SSL open to anyone exploiting this vulnerability. In this guide, we'll tell you how to update your servers and rekey your certificates.
The best way I've found to make sure you're not compromised on an Ubuntu droplet:

apt-get changelog openssl | grep 2014-0160

If you get a hit, the library you're currently using has been updated to address Heartbleed specifically. This approach is less error-prone than library versions, because sometimes your OS provider will release a fixed version of the old library you were using.
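
An added example, not part of the thread or any poster's code: the changelog check from the answer above as a reusable function, together with a check for the reboot question asked earlier, listing processes that still map the pre-upgrade libssl. The function names are hypothetical and the changelog and maps lines are constructed samples; on a real host, pipe the output of `apt-get changelog openssl` into `cve_fixed_in` and build the maps input from /proc as the comment shows.

```shell
#!/bin/sh
# Added example; function names are hypothetical and sample data is constructed.

# Print the version of each changelog entry that mentions the CVE in $1.
# Reads Debian changelog text on stdin; exit status 1 when nothing matches.
cve_fixed_in() {
    awk -v cve="$1" '
        # Entry header: "package (version) distribution; urgency=..."
        /^[a-z0-9][a-z0-9+.-]* \(/ { ver = $2; gsub(/[()]/, "", ver); seen = 0; next }
        index($0, cve) && !seen    { print ver; seen = 1; found = 1 }
        END { exit(found ? 0 : 1) }
    '
}

# Print PIDs that still map a libssl/libcrypto file replaced on disk, i.e.
# services that keep running the old code until they are restarted.
# Reads "PID <line from /proc/PID/maps>" records on stdin. As root, build them with:
#   for f in /proc/[0-9]*/maps; do p=${f#/proc/}; sed "s|^|${p%/maps} |" "$f"; done
stale_ssl_pids() {
    awk '/lib(ssl|crypto)\.so[^ ]* \(deleted\)$/ { print $1 }' | sort -un
}

# Constructed changelog, newest entry first, using versions quoted in the thread.
SAMPLE_CHANGELOG='openssl (1.0.1-4ubuntu5.12) precise-security; urgency=medium

  * SECURITY UPDATE: memory disclosure in TLS heartbeat extension
    - CVE-2014-0160

openssl (1.0.1-4ubuntu5.10) precise-security; urgency=low

  * Constructed placeholder for an earlier update'

# Constructed maps records: PID 1201 started before the upgrade, 2307 after it.
SAMPLE_MAPS='1201 7f3a10000000-7f3a10060000 r-xp 00000000 fd:01 131 /lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
1201 7f3a10400000-7f3a105b0000 r-xp 00000000 fd:01 132 /lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (deleted)
2307 7f9c20000000-7f9c20060000 r-xp 00000000 fd:01 977 /lib/x86_64-linux-gnu/libssl.so.1.0.0'

echo "Entries mentioning CVE-2014-0160:"
printf '%s\n' "$SAMPLE_CHANGELOG" | cve_fixed_in CVE-2014-0160
echo "PIDs still using the old library:"
printf '%s\n' "$SAMPLE_MAPS" | stale_ssl_pids
```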

Weirdly, I'm on Ubuntu 13.04, getting my updates directly from Ubuntu (rather than a DOcean mirror), and the apt-get update / apt-get upgrade cycle didn't fix it. I've only been toying with SSL for my site anyhow.
Ah. 13.04 is an EOL distro. Really? Only supporting it for one year? Bollocks.

Right, support for non-LTS versions of Ubuntu has been reduced to 9 months. See:
Hi guys, this quick tutorial helps to apply the latest update to secure your server:

Kind regards,
I am getting very frustrated with this. None of the suggestions worked for me on Ubuntu 12.10. Running apt-get did not upgrade OpenSSL to the latest version and this is in spite of etc/apt/source-list file pointing directly to (I pasted the file below)

How do I upgrade OpenSSL without using Ubuntu's site? I know it's open source and I could theoretically git-pull the source and compile it myself, but I haven't touched a C compiler since college, so I would rather not do this.

deb quantal main
deb quantal-updates main
deb quantal-security main
deb quantal universe
deb quantal-updates universe

deb-src precise main
deb-src precise-updates main
deb-src precise-security main
deb-src precise universe
deb-src precise-updates universe