How to upgrade OpenSSL on Ubuntu Server 12.04 LTS? (Heartbleed)

Question

How do I upgrade OpenSSL using Ubuntu's repository?

I see the USN at http://www.ubuntu.com/usn/usn-2165-1/

and the package here https://launchpad.net/ubuntu/+source/openssl/1.0.1-4ubuntu5.12

but I can't find instructions on how to use that to upgrade my OpenSSL version.

The standard update commands don't upgrade my version of ssl:

sudo apt-get update
sudo apt-get dist-upgrade

openssl
OpenSSL> version
OpenSSL 1.0.1 14 Mar 2012

How do I get the latest version from the repository?

Edit:

dpkg --list openssl

||/ Name                      Version                   Description
+++-=========================-=========================-==================================================================
ii  openssl                   1.0.1-4ubuntu5.12         Secure Socket Layer (SSL) binary and related cryptographic tools

aptitude show libssl1.0.0

Package: libssl1.0.0              
State: installed
Automatically installed: no
Multi-Arch: same
Version: 1.0.1-4ubuntu5.12
Priority: required
Section: libs
Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
Architecture: amd64
Uncompressed Size: 2,991 k
Depends: libc6 (>= 2.14), zlib1g (>= 1:1.1.4), debconf (>= 0.5) | debconf-2.0
PreDepends: multiarch-support
Breaks: openssh-client (< 1:5.9p1-4), openssh-client (< 1:5.9p1-4), openssh-server (< 1:5.9p1-4), openssh-server (< 1:5.9p1-4),
        libssl1.0.0 (!= 1.0.1-4ubuntu5.12)
Replaces: libssl1.0.0 (< 1.0.1-4ubuntu5.12)
Description: SSL shared libraries
 libssl and libcrypto shared libraries needed by programs like apache-ssl, telnet-ssl and openssh. 

 It is part of the OpenSSL implementation of SSL.

So what is the version of the package that you have installed? — Michael Hampton, Apr 08 '14 at 16:27
I did apt-get update && apt-get dist-upgrade (as I said in my post) on a few of my servers and they're still reporting version 1.0.1 14 Mar 2012. — ameagher, Apr 08 '14 at 16:27
I guess I don't understand your question. How do I determine the version of the package I have installed? — ameagher, Apr 08 '14 at 16:31
Try `dpkg --list libssl1.0.0`, just like you would do with any other package. — Michael Hampton, Apr 08 '14 at 16:32
The ubuntu USN shows you need to upgrade libssl1.0.0 to 1.0.1-4ubuntu5.12 and not openssl. — Jure1873, Apr 08 '14 at 16:34
You've already upgraded. You have nothing further to do but restart your services. — Michael Hampton, Apr 08 '14 at 16:45
I guess I was just expecting the new version of OpenSSL to be installed. I'm still a little concerned but thank you for your help. — ameagher, Apr 08 '14 at 16:54
@ameagher Is it *very common* for security patches to be backported to previous versions of a package, as upgrades include many unrelated changes that may result in breakage. Because security fixes typically need to be rolled out quickly with minimal time for testing, they are handled very conservatively. — Maxx Daymon, Apr 13 '14 at 21:30

score 1 · Accepted Answer · answered Apr 08 '14 at 16:25

1

Can you do aptitude show libssl1.0.0? You probably have the right patched version if you did apt-get dist-upgrade and rebooted, but it doesn't show up in openssh version, because ubuntu packages programs differently. Edit: typo

answered Apr 08 '14 at 16:25

Jure1873

3,702
1
22
28

I edited the output of `aptitude show libssl1.0.0` into my question. I guess I don't get it. Even though version outputs `1.0.1 14 Mar 2012` it's not correct? – ameagher Apr 08 '14 at 16:48
Ubuntu doesn't always provide you with the new upstream versions (that could sometimes break something unexpected), but releases patches that fix the problem, but still output the same version number. That's why you have to check the full version with aptitude (the last number is 5.12) so you can find out if the fix is present on your machine. Also in ubuntu openssl is split into multiple packages (openssl, libssl, ...). – Jure1873 Apr 08 '14 at 17:53

score 0 · Answer 2 · answered Apr 08 '14 at 16:24

0

sudo apt-get update

sudo apt-get upgrade

Also don't forget to restart services using OpenSSL

answered Apr 08 '14 at 16:24

user3227965

98
1
7

This didn't work, as stated in my question. Even after rebooting the server I don't have the correct version installed. – ameagher Apr 08 '14 at 16:28
Worked for me :) – user3227965 Apr 08 '14 at 16:29

How to upgrade OpenSSL on Ubuntu Server 12.04 LTS? (Heartbleed)

Edit:

dpkg --list openssl

aptitude show libssl1.0.0

2 Answers2

Linked