Fix OpenSSL Padding Oracle vulnerability (CVE-2016-2107) - Ubuntu 14.04
# Based on
$ sudo apt-get update
$ sudo apt-get dist-upgrade
$ wget
$ tar -xvzf openssl-1.0.2h.tar.gz
$ cd openssl-1.0.2h
$ ./config --prefix=/usr/
$ make depend
$ sudo make install
$ openssl version
# OpenSSL 1.0.2h 3 May 2016
# now restart your nginx or other server
$ sudo service nginx restart
# check your website here

So I ran these commands successfully, but when testing on, I still fail for CVE-2016-2107

Any ideas?


hello anyone?


try sudo apt-get install --only-upgrade libssl1.0.0 openssl


abualy commented Aug 12, 2016

thanks @sandstrom, worked for me


@sandstrom confirmed. This solves the problem.


osirisinferi commented Aug 14, 2016

Do _NOT_ use this as a "fix" for CVE-2016-2107!

Just upgrade your OpenSSL to 1.0.2g-1ubuntu4.1 (for Xenial) or 1.0.2d-0ubuntu1.5 (for Wily). These versions, although not the h version, are PATCHED to include (among others) the fix for CVE-2016-2107!

Using an _UNSECURED_ FTP method for downloading the source _WITHOUT VERIFYING_ the SHA256 hash or PGP signature is stupid enough, and manually compiling and installing such system libraries is not a very good way of making sure your system stays up-to-date in the future!

Oh and by the way: yes, also for 14.04 (Trusty) OpenSSL version 1.0.1f-1ubuntu2.19 is patched...
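As an added defender's check (not code from the gist or from any commenter), the following Python script takes the patched package versions named in the comment above, reimplements dpkg's version ordering, and compares the installed libssl1.0.0 package against the reference for the host's codename; the `__main__` part assumes `lsb_release` and `dpkg-query` exist on the host and is the only part that touches the system.

```python
import re
import subprocess
from itertools import zip_longest
# Minimum libssl1.0.0 package versions that carry the CVE-2016-2107 fix, as
# listed in osirisinferi's comment above (Ubuntu codename -> version).
PATCHED = {"trusty": "1.0.1f-1ubuntu2.19",
           "wily": "1.0.2d-0ubuntu1.5",
           "xenial": "1.0.2g-1ubuntu4.1"}

def _order(c):
    # dpkg ordering for non-digit chars: '~' < end-of-string < letters < other symbols.
    if c == "~":
        return -1
    return 0 if c == "" else ord(c) if c.isalpha() else ord(c) + 256

def _cmp_fragment(a, b):
    # Compare an upstream or revision fragment like dpkg does: alternate
    # non-digit runs (character by character via _order) and numeric runs.
    while a or b:
        sa, sb = re.match(r"[^0-9]*", a).group(), re.match(r"[^0-9]*", b).group()
        a, b = a[len(sa):], b[len(sb):]
        for ca, cb in zip_longest(sa, sb, fillvalue=""):
            if _order(ca) != _order(cb):
                return _order(ca) - _order(cb)
        da, db = re.match(r"[0-9]*", a).group(), re.match(r"[0-9]*", b).group()
        a, b = a[len(da):], b[len(db):]
        if int(da or 0) != int(db or 0):
            return int(da or 0) - int(db or 0)
    return 0

def compare_versions(v1, v2):
    # <0, 0 or >0, ordered the way `dpkg --compare-versions` orders v1 and v2.
    def split(v):
        epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
        upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "0")
        return int(epoch), upstream, revision
    (e1, u1, r1), (e2, u2, r2) = split(v1), split(v2)
    return (e1 - e2) or _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)

def is_patched(codename, installed):
    # True when the installed libssl1.0.0 version is at or past the patched one.
    if codename not in PATCHED:
        raise ValueError(f"no reference version for {codename!r}")
    return compare_versions(installed, PATCHED[codename]) >= 0

if __name__ == "__main__":
    # Ask dpkg, not `openssl version`: a hand-built binary in /usr/local can
    # report 1.0.2k while nginx still loads the distro libssl1.0.0.
    run = lambda *cmd: subprocess.check_output(cmd, text=True).strip()
    codename, version = run("lsb_release", "-sc"), run("dpkg-query", "-W", "-f=${Version}", "libssl1.0.0")
    print(codename, version, "patched" if is_patched(codename, version) else "NOT patched")
```

Run it on the host after `apt-get install --only-upgrade libssl1.0.0 openssl`; a "patched" result only says the library on disk is fixed, so the server process still has to be restarted (or rebuilt, if it links OpenSSL statically) to pick it up.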


fndiaz commented Sep 21, 2016

sudo apt-get install --only-upgrade libssl1.0.0 openssl

it works 👍


Hello everyone,

I'm running SmartOS on a Joyent server and the SSL Labs verification still fails, persistently.

I have the following OpenSSL version on my server:

$ openssl version
# OpenSSL 1.1.0  25 Aug 2016

After upgrading openssl to 1.1.0, I restarted running instance of the server.

I did the following steps to update OpenSSL:

$ wget
$ tar -zxf openssl-1.1.0.tar.gz
$ cd openssl-1.1.0
$ ./config
$ make
$ make test
$ sudo make install
$ rm -rf openssl-1.1.0.tar.gz
$ rm -rf openssl-1.1.0

# after these steps were successfully done, I verified the OpenSSL version and it was updated as per the code block above, and then I restarted my Joyent instance.

Anybody know what the problem could be now?



@ankurranpariya4066 in my case, after updating openssl, I had to rebuild my webserver (nginx)


For me it was

sudo apt-get install --only-upgrade libssl1.0.0 openssl
sudo service apache2 restart


jasontxf commented Feb 2, 2017

openssl-1.0.2h.tar.gz is no longer available.

Change to openssl-1.0.2k.tar.gz and follow the above instructions.

All will be good.


I'm trying to update a server and I am still getting a failure for the vulnerability.
Any ideas? I have installed 1.0.2k:

OpenSSL 1.0.2k  26 Jan 2017
built on: reproducible build, date unspecified
platform: linux-x86_64
options:  bn(64,64) rc4(16x,int) des(idx,cisc,16,int) idea(int) blowfish(idx) 
OPENSSLDIR: "/usr/local/ssl"


On CentOS and Red Hat Enterprise Linux:

Run the code below:

yum clean all
yum update openssl

On Ubuntu and Debian:

Run the code below:

sudo apt-get update
sudo apt-get install openssl

It worked for me and I got an A+. Hope it helps you.


liuliqiang commented Jun 5, 2017

in line 6, it should be wget

openssl-1.0.2h no longer exists.


rashmimhatre100 commented Mar 26, 2018

Hi All,
Followed the link to upgrade OpenSSL.
openssl version is:
OpenSSL 1.0.2n 7 Dec 2017

apt-cache policy openssl:
Installed: 1.0.2g-1ubuntu4.10
Candidate: 1.0.2g-1ubuntu4.10

sudo apt-get install --only-upgrade libssl1.0.0 openssl
Reading package lists... Done
Building dependency tree
Reading state information... Done
libssl1.0.0 is already the newest version (1.0.2g-1ubuntu4.10).
openssl is already the newest version (1.0.2g-1ubuntu4.10).
The following packages were automatically installed and are no longer required:
bridge-utils containerd linux-aws-headers-4.4.0-1048
linux-headers-4.4.0-1048-aws linux-image-4.4.0-1048-aws runc ubuntu-fan
Use 'sudo apt autoremove' to remove them.
0 upgraded, 0 newly installed, 0 to remove and 1 not upgraded.

lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 16.04.4 LTS
Release: 16.04
Codename: xenial

Still getting F in
