Patch OpenSSL “heartbleed” vulnerability for Ubuntu
To secure Ubuntu against the latest vulnerability affecting OpenSSL (see the vulnerable versions below), you can either update the entire OS or, if you have packages you don't want to update just yet, do the following.
- OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
- OpenSSL 1.0.1g is NOT vulnerable
- OpenSSL 1.0.0 branch is NOT vulnerable
- OpenSSL 0.9.8 branch is NOT vulnerable

```
sudo apt-get update && sudo apt-get install libssl1.0.0
```
To confirm you have the correct version, which for Ubuntu should be 1.0.1e-3ubuntu1.2:

```
~$ sudo dpkg -l libssl1.0.0
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name                                             Version                       Architecture                  Description
+++-================================================-=============================-=============================-======================================================================================================
ii  libssl1.0.0:amd64                                1.0.1e-3ubuntu1.2             amd64                         SSL shared libraries
```
Once you have installed that package, you need to restart the web server, mail server, or any other service that is presenting the SSL certificate; otherwise it will keep using the old library already loaded in memory:

```
sudo service nginx restart
```
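To check that nothing is still running on the old library after the restarts, the script below lists processes that still map a libssl or libcrypto file that has been replaced on disk. It is an added example, not part of the original post; it assumes a Linux `/proc` filesystem, and the function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): after upgrading libssl1.0.0,
# list processes that still map the old, now-unlinked library and therefore
# still need a restart. Run as root to see every process.

# Read /proc/<pid>/maps text on stdin; print each libssl/libcrypto path that
# the kernel has marked "(deleted)", i.e. replaced on disk but still mapped.
stale_libs() {
    awk '$NF == "(deleted)" && $6 ~ /\/lib(ssl|crypto)\.so/ { print $6 }' | sort -u
}

# Walk every process and print: PID <tab> command name <tab> stale libraries.
scan_processes() {
    for maps in /proc/[0-9]*/maps; do
        # Processes may exit mid-scan or be unreadable without root: skip them.
        libs=$(cat "$maps" 2>/dev/null | stale_libs | tr '\n' ' ')
        [ -n "$libs" ] || continue
        pid=${maps#/proc/}
        pid=${pid%/maps}
        name=$(cat "/proc/$pid/comm" 2>/dev/null)
        printf '%s\t%s\t%s\n' "$pid" "${name:-unknown}" "$libs"
    done
}

# Constructed sample of /proc/<pid>/maps lines (addresses and inodes invented):
# an nginx worker started before the upgrade, plus two unaffected mappings.
SAMPLE_MAPS='7f3a1c000000-7f3a1c055000 r-xp 00000000 08:01 131 /lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f3a1c400000-7f3a1c5b0000 r-xp 00000000 08:01 132 /lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (deleted)
7f3a1c800000-7f3a1c9b5000 r-xp 00000000 08:01 140 /lib/x86_64-linux-gnu/libc-2.17.so
00400000-004a0000 r-xp 00000000 08:01 900 /usr/sbin/nginx'

scan_processes
```

No output means no readable process is holding a replaced copy of the library; any line printed names a service that still has to be restarted.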
Done.
You can confirm your changes here:
http://filippo.io/Heartbleed
References:
- http://www.ubuntu.com/usn/usn-2165-1/
- http://heartbleed.com/