Skip to content

Instantly share code, notes, and snippets.

Show Gist options
  • Save ArturT/bc8836d3bedff801dc324ac959050d12 to your computer and use it in GitHub Desktop.
Save ArturT/bc8836d3bedff801dc324ac959050d12 to your computer and use it in GitHub Desktop.
Fix OpenSSL Padding Oracle vulnerability (CVE-2016-2107) - Ubuntu 14.04
# Based on http://fearby.com/article/update-openssl-on-a-digital-ocean-vm/
$ sudo apt-get update
$ sudo apt-get dist-upgrade
$ wget ftp://ftp.openssl.org/source/openssl-1.0.2h.tar.gz
$ tar -xvzf openssl-1.0.2h.tar.gz
$ cd openssl-1.0.2h
$ ./config --prefix=/usr/
$ make depend
$ sudo make install
$ openssl version
# OpenSSL 1.0.2h 3 May 2016
# now restart your nginx or other server
$ sudo service nginx restart
# check your website here https://www.ssllabs.com/ssltest/
@fabiodbr
Copy link

@sandstrom confirmed. this solves the problem

@osirisinferi
Copy link

osirisinferi commented Aug 14, 2016

Do _NOT_ use this as a "fix" for CVE-2016-2107!

Just upgrade your OpenSSL to 1.0.2g-1ubuntu4.1 (for Xenia) or 1.0.2d-0ubuntu1.5 (for Wily). These versions, although not the h version, are PATCHED to include (among others) the fix for CVE-2016-2107!

Using an _UNSECURED_ FTP method for downloading the source _WITHOUT VERIFYING_ the SHA256 hash, or PGP signature is stupid enough, manually compiling and installing such system libraries is not a very good way of making sure your system is up-to-date in the future!

Oh and by the way: yes, also for 14.04 (Trusty) OpenSSL version 1.0.1f-1ubuntu2.19 is patched...

@fndiaz
Copy link

fndiaz commented Sep 21, 2016

sudo apt-get install --only-upgrade libssl1.0.0 openssl

it's work 👍

@ankurranpariya4066
Copy link

Hello everyone,

I'm running with SmartOS on Joyent server and still Ssllabs verification fails and persistent.

I have following openSSL version in my server

$ openssl version
# OpenSSL 1.1.0  25 Aug 2016

After upgrading openssl to 1.1.0, I restarted running instance of the server.

I did following steps to update openSSL

$ wget http://www.openssl.org/source/openssl-1.1.0.tar.gz
$ tar -zxf openssl-1.1.0.tar.gz
$ cd openssl-1.1.0
$ ./config
$ make
$ make test
$ sudo make install
$ rm -rf openssl-1.1.0.tar.gz
$ rm -rf openssl-1.1.0

# after these steps are succesfully done, I verified openSSL version and it was updated as per above code block and then I restarted my Joyent instance.

Anybody know what should be problem now?

Thanks

@vitaoloureiro
Copy link

@ankurranpariya4066 in my case after update openssl i had to rebuild my webserver (nginx)

@abrambailey
Copy link

For me it was

sudo apt-get install --only-upgrade libssl1.0.0 openssl
sudo service apache2 restart

@jasontxf
Copy link

jasontxf commented Feb 2, 2017

openssl-1.0.2h.tar.gz is no longer available.

Change to openssl-1.0.2k.tar.gz and follow the above instructions.

All will be good.

@mrgarymartin
Copy link

Im trying to update a server and I still am getting a failure for the vulnerability.
Any ideas? I have installed 1.0.2k

OpenSSL 1.0.2k  26 Jan 2017
built on: reproducible build, date unspecified
platform: linux-x86_64
options:  bn(64,64) rc4(16x,int) des(idx,cisc,16,int) idea(int) blowfish(idx) 
compiler: gcc -I. -I.. -I../include  -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -Wa,--noexecstack -m64 -DL_ENDIAN -O3 -Wall -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DRC4_ASM -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM
OPENSSLDIR: "/usr/local/ssl"

@princebhalani143
Copy link

Solution:
On CentOS and Red Hat Enterprise Linux :

Run below code:

yum clean all
yum update openssl
reboot

On Ubuntu and Debian

Run below code:

sudo apt-get update
sudo apt-get install openssl
reboot

It work for me and get A+, Hope it'll help you.

@liuliqiang
Copy link

liuliqiang commented Jun 5, 2017

in line6, it should be wget ftp://ftp.openssl.org/source/openssl-1.0.2l.tar.gz

openssl1.0.2h is already not exists.

@ZeroHackeR
Copy link

@rashmimhatre100
Copy link

rashmimhatre100 commented Mar 26, 2018

Hi All,
Followed https://www.linuxhelp.com/how-to-install-and-update-openssl-on-ubuntu-16-04/ link to upgrade openSSL.
openssl version is,
OpenSSL 1.0.2n 7 Dec 2017

apt-cache policy openssl:
openssl:
Installed: 1.0.2g-1ubuntu4.10
Candidate: 1.0.2g-1ubuntu4.10

sudo apt-get install --only-upgrade libssl1.0.0 openssl
Reading package lists... Done
Building dependency tree
Reading state information... Done
libssl1.0.0 is already the newest version (1.0.2g-1ubuntu4.10).
openssl is already the newest version (1.0.2g-1ubuntu4.10).
The following packages were automatically installed and are no longer required:
bridge-utils containerd linux-aws-headers-4.4.0-1048
linux-headers-4.4.0-1048-aws linux-image-4.4.0-1048-aws runc ubuntu-fan
Use 'sudo apt autoremove' to remove them.
0 upgraded, 0 newly installed, 0 to remove and 1 not upgraded.

lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 16.04.4 LTS
Release: 16.04
Codename: xenial

Still getting F in https://www.ssllabs.com/

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment