
Upgrade to secure openssl fails

Method:

have in /etc/apt/sources.list:

deb http://security.debian.org/ wheezy/updates main contrib non-free

Then do:

apt-get update
apt-cache policy openssl
apt-get install openssl

apt-cache policy openssl will show you candidate updates

apt-get install openssl will upgrade to last openssl version

Actual:

# uname -a
Linux XXX 3.10-3-amd64 #1 SMP Debian 3.10.11-1 (2013-09-10) x86_64 GNU/Linux

# cat /etc/apt/sources.list | sed '/^#/d' | sed '/^$/d'
deb http://security.debian.org/ wheezy/updates main contrib non-free

# apt-cache policy openssl
openssl:
  Installed: 1.0.1e-3
  Candidate: 1.0.1e-3
  Version table:
 *** 1.0.1e-3 0
        100 /var/lib/dpkg/status
     1.0.1e-2+deb7u6 0
        500 ... <cannot post more than 2 "links"> wheezy/updates/main amd64 Packages
        500 ... <cannot post more than 2 "links"> wheezy/updates/main amd64 Packages
     1.0.1e-2+deb7u4 0
        500 ... <cannot post more than 2 "links"> wheezy/main amd64 Packages
        500 ... <cannot post more than 2 "links"> wheezy/main amd64 Packages

# apt-get install openssl
Reading package lists... Done
Building dependency tree
Reading state information... Done
openssl is already the newest version.
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

What gives?

EEAA

2 Answers


If I remember right Wheezy has a backported 1.0.1e version of OpenSSL. It's still secure against heartbleed.

Running openssl version -a should give an output similar to:

~# openssl version -a
OpenSSL 1.0.1e 11 Feb 2013
built on: Mon Apr  7 20:32:27 UTC 2014
platform: debian-amd64

If it's built in the last couple days you're fine.

Nathan C

I don't know where you got openssl 1.0.1e-3. But since it has a release number higher than the versions actually available in the repositories, they are not considered upgrade candidates.

Install the update by selecting its version explicitly:

apt-get install openssl=1.0.1e-2+deb7u6

Michael Hampton
  • +1 and if you can't answer the "where did that `-3` package come from?" question, I'd start getting paranoid... –  Apr 11 '14 at 17:36
  • Further research reveals: there is an `e-3` in unstable, but because it's unstable it has no backported security fixes. You need to either upgrade to a `g` version from unstable or get back on the stable track with the command given above. –  Apr 11 '14 at 17:45