Ubuntu – How to patch the Vulnerability [CVE-2014-0224] in OpenSSL

opensslSecurity

I've received a warning from the authority that generated my certificate, it says that there is bug in OpenSSL and it has been found affecting versions 1.0.1.

As I understand, I have to upgrade to 1.0.1h to fix this bug.

This is the first time I deal with these stuff and I'm worried about how it will affect my server.

Do I have to restart any services? And what exactly? I have to make sure this is not going to take too long.

Best Answer

The answer given does not answer the question, and as far as the latest package for x86_64 14.04 the latest openssl package info is (if others have dif please let me know):

openssl:
  Installed: 1.0.1f-1ubuntu2.3
  Candidate: 1.0.1f-1ubuntu2.3
  Version table:
 *** 1.0.1f-1ubuntu2.3 0
        500 mirror://mirrors.ubuntu.com/mirrors.txt/ trusty-updates/main amd64 Packages
        500 mirror://mirrors.ubuntu.com/mirrors.txt/ trusty-security/main amd64 Packages
        500 http://us.archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu/ trusty-security/main amd64 Packages
        100 /var/lib/dpkg/status
     1.0.1f-1ubuntu2 0
        500 mirror://mirrors.ubuntu.com/mirrors.txt/ trusty/main amd64 Packages
        500 http://us.archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages

I have been messing around with installing/upgrading that to version 1.0.1h from HERE with no luck yet, when I make some headway I will check back in.

*****UPDATE: So I found the solution on another thread that just needed to be updated (source post listed below):**

Below the single command line to compiling and install the last openssl version.

curl https://www.openssl.org/source/openssl-1.0.1h.tar.gz | tar xz && cd openssl-1.0.1h && sudo ./config && sudo make && sudo make install

Replace old openssl binary file by the new one via a symlink. Go to /usr/bin in terminal and run command below 

sudo ln -sf /usr/local/ssl/bin/openssl `which openssl`

Reboot and you are good to go. You may want/need to create new certificates. Here is the original thread/post I updated. SOURCE

My output after running commands and rebooting:

OpenSSL 1.0.1h 5 Jun 2014
built on: Sat Jun 14 22:43:13 EDT 2014
platform: linux-x86_64
options:  bn(64,64) rc4(16x,int) des(idx,cisc,16,int) idea(int) blowfish(idx) 
compiler: gcc -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -Wa,--noexecstack -m64 -DL_ENDIAN -DTERMIO -O3 -Wall -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
OPENSSLDIR: "/usr/lib/ssl"
Related Question