Ubuntu – apt-get upgrade openssl won’t bring Ubuntu 12.04 to latest version

heartbleed openssl Ubuntu upgrade

I've tried the following, but I can't get a build date later than:

Tue, Aug 21 05:18:46 UTC 2012

I have done the following:

apt-get dist-upgrade
apt-get update
apt-get upgrade openssl

and

apt-get purge openssl
apt-get install openssl

and

apt-get purge libcrypto1.0.0
apt-get install libcrypto1.0.0

Everything seems to work fine, but the build date remains as above.
And the http://filippo.io/Heartbleed/ test is still failing.

I know I'm not crazy, because I was able to update my identical server Wednesday. (Identical in EVERY way except hardware).

EDIT:

I compared the /etc/apt/sources.list files on both machines and they appear to be identical. How did one server update and the other won't?

EDIT:

Did as suggested:

apt-get purge openssl
reboot
apt-get install openssl
reboot

to no avail.

Tried same commands on libssl1.0.0, still same version as listed above.

This one's got me stumped.

Any suggestions?

EDIT

As soon as I get enough street cred (15), I will +1 the viable workarounds

EDIT

As suggested, I ran apt-get with --reinstall --print-uris and got back:

http://us.archive.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_1.0.1-4ubuntu5.12_amd64.deb

Then rebooted, same version as listed above. Still failing heartbleed.

Best Answer

Forcing a package re-installation

Apt thinks that the packages are installed and upgraded. Manual verification and testing of libssl suggests otherwise, so the package database is inconsistent with the installed files (maybe files were previously upgraded without package manager involvement). For whatever reason this happened, the package is not being correctly upgraded or reinstalled. This assumes that it has been established that the system is reporting fixed versions, but is still showing as vulnerable.

First, attempt to forcibly reinstall the affected packages:

apt-get install --reinstall libssl1.0.0

If that fails, try forcing the complete removal of the package without involving any of Apt's dependency management and sanity checks:

dpkg --force-all --remove libssl1.0.0

At this point, the system is effectively 'broken' because libssl is missing and many packages are still installed that depend on it (this is what Apt tries so hard to prevent, and the reason we are going behind Apt's back), so reinstall libssl1.0.0, re-downloading the latest package from the repository:

apt-get clean && apt-get install libssl1.0.0

Alternatively, if you have downloaded the known good deb package, you can use dpkg to install and force overwrite of any existing files:

dpkg --force-overwrite -i libssl1.0.0_1.0.1-4ubuntu5.12_amd64.deb

Re-test and check (debsums, sha1sum) the installed files against a known good configuration.
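
The file check in that last step, written out as an added example (not part of the original answer): it compares files on disk with a dpkg-style md5sums list, which is how a package database that disagrees with the installed libssl shows up. The function names, the scratch directory and the file contents are constructed for illustration, and the /var/lib/dpkg/info path in the comments is an assumption about the host's layout.

```shell
#!/usr/bin/env bash
# Added example: check files on disk against a dpkg-style md5sums list.
# Each list line is "<md5>  <path relative to the root>", the layout dpkg keeps
# under /var/lib/dpkg/info/ (e.g. libssl1.0.0:amd64.md5sums, assumed for this host).

# verify_pkg_files LIST [ROOT]: print one line per problem; return 0 only if all match.
verify_pkg_files() {
    local sums root rc want path actual
    sums=$1; root=${2:-/}; rc=0
    [ -r "$sums" ] || { echo "UNREADABLE $sums"; return 2; }
    while read -r want path; do
        [ -n "$want" ] || continue
        if [ ! -f "$root/$path" ]; then
            echo "MISSING $path"; rc=1; continue
        fi
        actual=$(md5sum < "$root/$path" | cut -d' ' -f1)
        [ "$actual" = "$want" ] || { echo "MODIFIED $path"; rc=1; }
    done < "$sums"
    return $rc
}

# Constructed demo: a scratch root where libssl was swapped after the list was
# recorded, so the recorded checksums and the file on disk disagree.
demo() {
    local root rc
    root=$(mktemp -d); rc=0
    mkdir -p "$root/lib"
    printf 'fixed build\n' > "$root/lib/libssl.so.1.0.0"
    printf 'fixed build\n' > "$root/lib/libcrypto.so.1.0.0"
    (cd "$root" && md5sum lib/libssl.so.1.0.0 lib/libcrypto.so.1.0.0) > "$root/pkg.md5sums"
    printf 'stale build\n' > "$root/lib/libssl.so.1.0.0"   # changed behind dpkg's back
    verify_pkg_files "$root/pkg.md5sums" "$root" || rc=$?
    rm -rf "$root"
    return $rc
}

demo || true
```

On the affected host, `verify_pkg_files /var/lib/dpkg/info/libssl1.0.0:amd64.md5sums /` makes the same comparison; a MODIFIED line for libssl means the file on disk is not the one from the package dpkg recorded.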