
I have installed Ubuntu 12.04.4 on my machine and it came with the Heartbleed-affected version of OpenSSL, 1.0.1. So I uninstalled OpenSSL 1.0.1 and installed the new 1.0.1h version by referring to this link. I applied the patch for the 1.0.1h version and this installed OpenSSL successfully.

Now on the second day, I am seeing OpenSSL reverted back to 1.0.1 (default version which comes with Ubuntu 12.04.4).

Is there any setting or configuration that automatically replaces OpenSSL with its default version? How can I stop this automatic rollback of OpenSSL to the default version?

2 Answers


If you want to stop a package from being automatically updated each time you run the apt-get upgrade or apt-get dist-upgrade command, you have to put it on hold in the package management system.

This can be done with the following command:

echo "openssl hold" | sudo dpkg --set-selections

When you run dpkg --get-selections | grep openssl, you will see the following:

openssl                hold

And then, when you run sudo apt-get upgrade, you will see output like this:

sudo apt-get upgrade

Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
The following packages have been kept back:
   openssl
0 upgraded, 0 newly installed, 0 to remove and 1 not upgraded.

Attention:

Of course, you then become the only one responsible for updating OpenSSL: you will have to watch the security bulletins, the published patches, and so on.

Important note:

Linux distributions (Ubuntu and others) use their own versioning and patching cycles. This means that version N of package XXXX present in the repositories can already incorporate a security patch that was applied upstream in version N+1 but was backported to version N by the distribution maintainers.

Benoit

Those instructions are not Ubuntu-specific and are not the recommended way to patch the Heartbleed bug on Ubuntu. In fact, they are intended for people who have compiled OpenSSL themselves rather than using a version of it that was supplied with their Linux distribution (e.g. Ubuntu), or who want to apply a patch manually before the OS patches their version; neither of which is the case here. Ubuntu's version of OpenSSL in Precise has been patched since April (with version 1.0.1-4ubuntu5.12).

In order to patch Heartbleed on Ubuntu:

  • Run a version of Ubuntu which is still getting security support (12.04.* is fine)

  • Install all automatic updates

That's it. Though, if you had SSL certificates that were in use prior to the Heartbleed bug being discovered and fixed, you should re-issue those certificates.

thomasrutter
  • Thanks for the reply. But my question is not how to upgrade OpenSSL. I am asking about the upgraded version getting rolled back automatically; how do I stop that? – Bhushan Kawadkar Aug 06 '14 at 07:19
  • You're making false assumptions by wording it like that. Nothing is being rolled back. Ubuntu is applying updates as it is supposed to do. You cannot modify files outside of Ubuntu's packaging system and complain when Ubuntu overwrites them as it receives updates to those packages. Do you have any particular reason that you cannot use the version of OpenSSL that Ubuntu provides, given that we have already established it has been patched against the Heartbleed bug since April? – thomasrutter Aug 06 '14 at 12:08