2

It looks like Ubuntu Server 14.04, just released today, includes OpenSSL v1.0.1f, which is vulnerable to the Heartbleed bug.

I've updated my packages (apt-get update) but that's the latest version available.

How do I upgrade to 1.0.1g so I'm not vulnerable?

Braiam
SofaKng

1 Answer

10

The package in Ubuntu 14.04 is not vulnerable. It includes the patch to fix the issue, rather than a newer version. See from the changelog:

openssl (1.0.1f-1ubuntu2) trusty; urgency=medium

  * SECURITY UPDATE: side-channel attack on Montgomery ladder implementation
    - debian/patches/CVE-2014-0076.patch: add and use constant time swap in
      crypto/bn/bn.h, crypto/bn/bn_lib.c, crypto/ec/ec2_mult.c,
      util/libeay.num.
    - CVE-2014-0076
  * SECURITY UPDATE: memory disclosure in TLS heartbeat extension
    - debian/patches/CVE-2014-0160.patch: use correct lengths in
      ssl/d1_both.c, ssl/t1_lib.c.
    - CVE-2014-0160
dobey