Question

How to patch my DO server to close the Heartbleed hole

Posted April 7, 2014
Steps shown below to fix the openssl heartbleed issue do not appear to be working on my DO 13.10 server. http://askubuntu.com/questions/444702/how-to-patch-cve-2014-0160-in-openssl

18 answers
If your droplet is using DigitalOcean's Ubuntu mirror, the problem is their security mirrors do not have libssl 1.0.1-4ubuntu5.12 on them at this time, despite their efforts.

You can work around this by editing /etc/apt/sources.list, comment out the 6 lines for precise-security on mirrors.digitalocean.com, and uncomment the 6 lines below that refer to security.ubuntu.com.

Then follow the instructions in the above post.
The DO mirror is now working for 12.04 LTS, at least on one of my droplets. So, for others:

I suggest trying a standard apt-get update/upgrade (or unattended-upgrade) first, and if you don't see libssl1.0.0 in the upgrade list, then try changing the sources.

Check installed version with: dpkg -l | grep openssl
apt-get update && apt-get upgrade

Thanks for the quick reply. As I mentioned in the post, I'm running 13.10, not 12.04.

I did go into sources.list and the following are *not* commented out:

deb http://security.ubuntu.com/ubuntu saucy-security main restricted
deb-src http://security.ubuntu.com/ubuntu saucy-security main restricted
deb http://security.ubuntu.com/ubuntu saucy-security universe
deb-src http://security.ubuntu.com/ubuntu saucy-security universe
deb http://security.ubuntu.com/ubuntu saucy-security multiverse
deb-src http://security.ubuntu.com/ubuntu saucy-security multiverse

Still no love running update/upgrade

I also tried uncommenting the following with no luck

deb http://archive.canonical.com/ubuntu saucy partner
deb-src http://archive.canonical.com/ubuntu saucy partner
deb http://extras.ubuntu.com/ubuntu saucy main
deb-src http://extras.ubuntu.com/ubuntu saucy main
Try

apt-cache policy openssl

what version does it show?

If it is 1.0.1e-3ubuntu1.2, that means you have the correct version.

http://www.ubuntu.com/usn/usn-2165-1/
Mine says "openssl 1.0.1-4ubuntu5.10"

Does that mean my droplet is vulnerable?

If I am vulnerable, will running "apt-get update && apt-get upgrade" offer a possibility of breaking my current WordPress on LEMP setup?
Just wondering, but is running sudo apt-get update && sudo apt-get upgrade enough to get nginx to use the new version? Or will I have to rebuild nginx or something?

Thank you very much for posting this, I was about to make a question on this myself!
@wzy

Check the link I posted; for Ubuntu 12.10 LTS the fixed version should be 1.0.1-4ubuntu5.12.

Simply update & upgrade is enough.

I am also using the DO mirrors and upgraded to the latest version with no problem.

Hope this helps.
Tony Tsang: Thanks! Ran the update/upgrade again then checked. Indeed, I am now on 1.0.1e-3ubuntu1.2.
Is a reboot required after this?