Hi, I’ve a few 14.04 and 14.10 droplets running production apps. I regularly run sudo apt-get update && sudo apt-get upgrade on the machines whenever I log in if there are security patches and the like listed in the MOTD. Each of these droplets is based on a snapshot of a base droplet (with all my setup ready to go).
Recently there has been chatter about a new OpenSSL bug, so I went to check which version I’ve got and whether it’s the most up-to-date.
When I run the following I get:
OpenSSL 1.0.1f 6 Jan 2014
libssl-ocaml - OCaml bindings for OpenSSL (runtime)
libssl-ocaml-dev - OCaml bindings for OpenSSL
libssl0.9.8 - SSL shared libraries
libsslcommon2 - enterprise messaging system - common SSL libraries
libsslcommon2-dev - enterprise messaging system - common SSL development files
From what I’ve been reading on stackexchange/askubuntu, I should be on the latest OpenSSL (1.0.1f covers Heartbleed by default on 14.04, 14.10) which seems to be 1.0.1p (per openssl.org), and libssl should be 1.0.0 or greater. I thought that sudo apt-get update / upgrade would update openssl to the newest, most secure version. Is this not the case?
Ultimately, how do I ensure that my droplets all have the most up-to-date openssl version? What is the step-by-step process for this? Does this require downtime of the servers or just a restart of all web services (such as nginx/apache servers and maybe the app servers too)?
Pardon my ignorance as I’m new to sysadmin/devops. Any help is greatly appreciated. Thanks!