By: risa

How to update openSSL from 1.0.1f on ubuntu 14.04 / 14.10 ?

July 8, 2015
Server Optimization Security Linux Basics Linux Commands Ubuntu

Hi, I've a few 14.04 and 14.10 droplets running production apps. I regularly run sudo apt-get update && sudo apt-get upgrade on the machines whenever I log in if there are security patches and the like listed in the MOTD. Each of these droplets is based on a snapshot of a base droplet (with all my setup ready to go).

Recently there has been chatter about a new openSSL bug, so I went to check which version I've got and whether it's the most up-to-date.

When I run the following I get:
```
$ openssl version
OpenSSL 1.0.1f 6 Jan 2014
```

and

```
$ sudo apt-cache search libssl | grep SSL
libssl-ocaml - OCaml bindings for OpenSSL (runtime)
libssl-ocaml-dev - OCaml bindings for OpenSSL
libssl0.9.8 - SSL shared libraries
libsslcommon2 - enterprise messaging system - common SSL libraries
libsslcommon2-dev - enterprise messaging system - common SSL development files
```

From what I've been reading on stackexchange/askubuntu, I should be on the latest openSSL (1.0.1f covers Heartbleed by default on 14.04, 14.10) which seems to be 1.0.1p (per openssl.org), and libssl should be 1.0.0 or greater. I thought that sudo apt-get update / upgrade would update openssl to the newest, most secure version. Is this not the case?

Ultimately, how do I ensure that my droplets all have the most up-to-date openssl version?
What is the step-by-step process for this?
Does this require downtime of the servers or just a restart of all web services (such as nginx/apache servers and maybe the app servers too)?

Pardon my ignorance as I'm new to sysadmin/devops. Any help is greatly appreciated. Thanks!

2 Answers

We were aware that there would be a report today regarding an OpenSSL vulnerability. The details of this are here: https://openssl.org/news/secadv_20150709.txt. This issue does not appear to affect the server side OpenSSL but rather affects the implementation in web browsers. Ubuntu has released security updates for their Firefox package today.

As long as you are running a supported version of Ubuntu (which 14.04 and 14.10 are at this time) performing regular apt-get upgrades will keep your packages up to date.

I should note that using software version alone to determine if you are vulnerable to a particular issue is not effective. Most distributions choose to backport security fixes for current releases rather than to provide a new version of software in order to prevent feature changes in newer versions from breaking things.
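The point in the answer above, that the upstream version string says nothing about backported fixes, is easy to verify on a Debian or Ubuntu host: the distro package version (for example `1.0.1f-1ubuntu2.15`) carries the patch revision, and the package's Debian changelog names the CVEs that were backported. The script below is an added example, not code from the thread or from Ubuntu. It shows the real live-host commands (`dpkg-query`, `zcat` of `changelog.Debian.gz`, a scan of `/proc/<pid>/maps`) but runs its parsing functions over a constructed sample version, changelog and maps excerpt so it executes anywhere; the CVE ids in the sample are placeholders, not real advisories. The maps check also answers the restart question in the original post: a daemon that still maps a replaced `libssl` shows the mapping as "(deleted)" and keeps using the old code until it is restarted.

```shell
# Added example, not part of the original thread: on Ubuntu the upstream
# version ("1.0.1f") never changes within a release, so patch state has to be
# read from the package revision and the package changelog instead.

# Split an Ubuntu package version such as "1.0.1f-1ubuntu2.15" into the
# upstream version ("1.0.1f") and the distro revision ("1ubuntu2.15").
pkg_upstream() { printf '%s\n' "$1" | cut -d- -f1; }
pkg_revision() { printf '%s\n' "$1" | cut -d- -f2-; }

# List every CVE id named in a Debian changelog text, one per line, de-duplicated.
changelog_cves() { printf '%s\n' "$1" | grep -o 'CVE-[0-9]\{4\}-[0-9]\{4,\}' | sort -u; }

# Print "yes"/"no": does the changelog text mention the given CVE id?
changelog_has_cve() { printf '%s\n' "$1" | grep -q -- "$2" && echo yes || echo no; }

# Print "yes"/"no": does a /proc/<pid>/maps text still reference a libssl that
# was replaced on disk? The kernel marks such mappings with "(deleted)".
maps_has_stale_libssl() { printf '%s\n' "$1" | grep -q 'libssl[^ ]* (deleted)' && echo yes || echo no; }

# Live-host helpers (assume a Debian/Ubuntu system with /proc; not run here).
installed_version() { dpkg-query -W -f='${Version}\n' "$1"; }       # e.g. libssl1.0.0
installed_changelog() { zcat "/usr/share/doc/$1/changelog.Debian.gz"; }
stale_libssl_pids() {
  for m in /proc/[0-9]*/maps; do
    [ "$(maps_has_stale_libssl "$(cat "$m" 2>/dev/null)")" = yes ] && printf '%s\n' "$m" | cut -d/ -f3
  done | sort -un
}

# Constructed sample input standing in for the live commands. The CVE ids are
# placeholders, not real advisories; the maps lines are invented.
SAMPLE_VERSION='1.0.1f-1ubuntu2.15'
SAMPLE_CHANGELOG='openssl (1.0.1f-1ubuntu2.15) trusty-security; urgency=medium

  * SECURITY UPDATE: constructed sample entry
    - CVE-0000-00001: placeholder, backported fix
    - CVE-0000-00002: placeholder, backported fix
    - CVE-0000-00001: listed twice on purpose to show de-duplication
'
SAMPLE_MAPS='7f3a2c000000-7f3a2c05e000 r-xp 00000000 fd:01 131 /lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f3a2c05e000-7f3a2c25d000 ---p 0005e000 fd:01 131 /lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f3a2c400000-7f3a2c5a0000 r-xp 00000000 fd:01 99 /lib/x86_64-linux-gnu/libc-2.19.so'

# Report: the upstream version (all "openssl version" shows), the distro patch
# revision, the backported CVEs, and whether a process still needs a restart.
report() {
  echo "upstream version : $(pkg_upstream "$SAMPLE_VERSION")"
  echo "distro revision  : $(pkg_revision "$SAMPLE_VERSION")"
  echo "backported CVEs  : $(changelog_cves "$SAMPLE_CHANGELOG" | tr '\n' ' ')"
  echo "stale libssl map : $(maps_has_stale_libssl "$SAMPLE_MAPS")"
}
report
```

On a real host, replace the three SAMPLE_ values with `installed_version libssl1.0.0`, `installed_changelog libssl1.0.0` and `stale_libssl_pids` (the last needs root to read other users' maps). Note that the date printed by `openssl version` is the upstream release date, not the date the Ubuntu package was built; `openssl version -b` prints the build date.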

For the last 10 days I have been searching around to fix the openssl bug. I tried the latest fresh image(s) of 14.04 and 12.04 LTS and it shows openssl version 1.0 for 12.04 and 1.0f for 14.04, and even after performing the latest updates it still remains the same. I followed a link found elsewhere and ran the following commands:

```
wget http://www.openssl.org/source/openssl-1.0.1g.tar.gz
tar -xvzf openssl-1.0.1g.tar.gz
cd openssl-1.0.1g
./config --prefix=/usr/
make
sudo make install
```

The make install errors out and openssl remains at the same version, f.

However, if we run the same on 12.04 LTS it gets updated to version g, but the TLS version remains 1.0.

```
apt-cache policy openssl
```

```
sudo apt-get install --only-upgrade libssl1.0.0
```

Neither helps to resolve this; can you point us in the right direction? Any help would be much appreciated.
Thanks
