How to update OpenSSL from 1.0.1f on Ubuntu 14.04 / 14.10?
Hi, I’ve a few 14.04 and 14.10 droplets running production apps. I regularly run `sudo apt-get update && sudo apt-get upgrade` on the machines whenever I log in if there are security patches and the like listed in the MOTD. Each of these droplets is based on a snapshot of a base droplet (with all my setup ready to go).
Recently there has been chatter about a new openSSL bug, so I went to check which version I’ve got and whether it’s the most up-to-date.
When I run the following I get:
OpenSSL 1.0.1f 6 Jan 2014
and

```
sudo apt-cache search libssl | grep SSL
libssl-ocaml - OCaml bindings for OpenSSL (runtime)
libssl-ocaml-dev - OCaml bindings for OpenSSL
libssl0.9.8 - SSL shared libraries
libsslcommon2 - enterprise messaging system - common SSL libraries
libsslcommon2-dev - enterprise messaging system - common SSL development files
```
From what I’ve been reading on stackexchange/askubuntu, I should be on the latest OpenSSL (1.0.1f covers Heartbleed by default on 14.04, 14.10) which seems to be 1.0.1p (per openssl.org), and libssl should be 1.0.0 or greater. I thought that sudo apt-get update / upgrade would update openssl to the newest, most secure version. Is this not the case?
Ultimately, how do I ensure that my droplets all have the most up-to-date openssl version?
What is the step-by-step process for this?
Does this require downtime of the servers or just a restart of all web services (such as nginx/apache servers and maybe the app servers too)?
Pardon my ignorance as I’m new to sysadmin/devops. Any help is greatly appreciated. Thanks!