How to update openSSL from 1.0.1f on ubuntu 14.04 / 14.10 ?

Hi, I’ve a few 14.04 and 14.10 droplets running production apps. I regularly run sudo apt-get update && sudo apt-get upgrade on the machines whenever I log in if there are security patches and the like listed in the MOTD. Each of these droplets is based on a snapshot of a base droplet (with all my setup ready to go).

Recently there has been chatter about a new openSSL bug, so I went to check which version I’ve got and whether it’s the most up-to-date.
When I run the following I get:

OpenSSL 1.0.1f 6 Jan 2014


libssl-ocaml - OCaml bindings for OpenSSL (runtime)
libssl-ocaml-dev - OCaml bindings for OpenSSL
libssl0.9.8 - SSL shared libraries
libsslcommon2 - enterprise messaging system - common SSL libraries
libsslcommon2-dev - enterprise messaging system - common SSL development files

From what I’ve been reading on stackexchange/askubuntu, I should be on the latest openSSL (1.0.1f covers Heartbleed by default on 14.04, 14.10) which seems to be 1.0.1p (per, and libssl should be 1.0.0 or greater. I thought that sudo apt-get update / upgrade would update openssl to the newest, most secure version. Is this not the case?

Ultimately, how do I ensure that my droplets all have the most up-to-date openssl version? What is the step-by-step process for this? Does this require downtime of the servers or just a restart of all web services (such as nginx/apache servers and maybe the app servers too)?

Pardon my ignorance as I’m new to sysadmin/devops. Any help is greatly appreciated. Thanks!


We were aware that there would be a report today regarding an OpenSSL vulnerability. The details of this are here: This issue does not appear to affect the server side OpenSSL but rather affects the implementation in web browsers. Ubuntu has released security updates for their Firefox package today.

As long as you are running a supported version of Ubuntu (which 14.04 and 14.10 are at this time) performing regular apt-get upgrades will keep your packages up to date.

I should note that using software version alone to determine if you are vulnerable to a particular issue is not effective. Most distributions choose to backport security fixes for current releases rather than to provide a new version of software in order to prevent feature changes in newer versions from breaking things.
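One way to act on the backporting point above is to ask the package changelog, rather than the upstream version string, whether a fix is present. The script below is an added example, not part of the original answer; the changelog text, package revisions and CVE ids are constructed placeholders, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Changelog text, revisions and CVE ids are constructed placeholders.
# Debian changelog format, newest entry first, as shipped in
# /usr/share/doc/<package>/changelog.Debian.gz on Debian/Ubuntu.
SAMPLE_CHANGELOG='openssl (1.0.1f-1example3) trusty-security; urgency=medium

  * SECURITY UPDATE: unrelated fix
    - CVE-0000-00002

 -- Maintainer <m@example.invalid>  Thu, 01 Jan 2015 00:00:00 +0000

openssl (1.0.1f-1example2) trusty-security; urgency=medium

  * SECURITY UPDATE: backported fix, upstream version string unchanged
    - debian/patches/CVE-0000-00001.patch: add bounds check
    - CVE-0000-00001

 -- Maintainer <m@example.invalid>  Wed, 01 Jan 2014 00:00:00 +0000

openssl (1.0.1f-1example1) trusty; urgency=low

  * New upstream version.
'

# Print the oldest package revision whose entry mentions the CVE id
# (changelog on stdin); exit status 1 if no entry mentions it.
first_fixed_version() {
    awk -v cve="$1" '
        /^[^ ]+ \([^)]+\) / { ver = $2; gsub(/[()]/, "", ver) }
        ver != "" && index($0, cve) { fixed = ver }  # later match = older entry
        END { if (fixed == "") exit 1; print fixed }
    '
}

# usage: is_patched INSTALLED_REVISION CVE_ID < changelog
# 0 = patched, 1 = older than the fix, 2 = CVE not mentioned in the changelog.
is_patched() {
    fixed=$(first_fixed_version "$2") || return 2
    dpkg --compare-versions "$1" ge "$fixed"   # dpkg's own version ordering
}

# Demo on the constructed sample: prints 1.0.1f-1example2
printf '%s\n' "$SAMPLE_CHANGELOG" | first_fixed_version CVE-0000-00001

# On a real host:
#   installed=$(dpkg-query -W -f='${Version}' openssl)
#   zcat /usr/share/doc/openssl/changelog.Debian.gz | is_patched "$installed" CVE-ID
```

Status 2 means only that the changelog that was read does not mention the id; it says nothing either way about whether the host is affected.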

For the last 10 days been searching around to fix openssl bug, tried the latest fresh image(s) of 14.04 and 12.04 LTS and it shows openssl version 1.0 for 12.04 and 1.0f for 14.04 and even after performing the latest updates still it remains the same. Followed a link found elsewhere and ran the following commands:

wget
tar -xvzf openssl-1.0.1g.tar.gz
cd openssl-1.0.1g
./config --prefix=/usr/
make
sudo make install

The make install errors out and openssl remains the same version f.

However if we run the same on 12.04 LTS it gets updated to version g but the tls version remains 1.0.

apt-cache policy openssl

sudo apt-get install --only-upgrade libssl1.0.0

Neither helps to resolve, can you point us to the right direction? Any help would be much appreciated. Thanks