current community

your communities

more stack exchange communities

Stack Exchange
tour help
Take the 2-minute tour ×
Unix & Linux Stack Exchange is a question and answer site for users of Linux, FreeBSD and other Un*x-like operating systems.. It's 100% free, no registration required.
up vote 0 down vote favorite

re heartbleed, I'm trying to upgrade openssl, WITHOUT upgrading all packages on my system

so I am running apt-get install openssl as shown here, it's implied that doing this should upgrade openssl: How to upgrade a single package using apt-get?

I verify via apt-cache that it's installed:

root@nyc2-04-www:~# apt-cache policy openssl
    openssl:
      Installed: 1.0.1g-1
      Candidate: 1.0.1g-2
      Version table:
         1.0.1g-2 0
            500 http://http.debian.net/debian/ sid/main amd64 Packages
     *** 1.0.1g-1 0
            100 /var/lib/dpkg/status
         1.0.1e-2+deb7u6 0
            500 http://security.debian.org/ wheezy/updates/main amd64 Packages
         1.0.1e-2+deb7u4 0
            500 http://ftp.us.debian.org/debian/ wheezy/main amd64 Packages
            500 http://http.debian.net/debian/ wheezy/main amd64 Packages

however after rebooting, i see that the old vunerable openssl is still active. running openssl version -a shows that 1.0.1f is still active.

also confirmed that my server is still vunerable to heartbleed via http://filippo.io/Heartbleed/#www.uat.phantomjscloud.com EDIT: fyi i took down nginx so I'm not leaving a vunerable server on the internet.

That's my uat server. I already did a full apt-get upgrade on my production server and that succsesfully updates openssl.

but back to my question: how can I upgrade openssl without upgrading all packages?

share

migration rejected from askubuntu.com Apr 12 at 12:31

This question came from our site for Ubuntu users and developers. Votes, comments, and answers are locked due to the question being closed here, but it may be eligible for editing and reopening on the site where it originated.

closed as off-topic by Braiam, devnull, Anthon, jasonwryan, slm Apr 12 at 12:31

This question appears to be off-topic. The users who voted to close gave this specific reason:

  • "Questions describing a problem that can't be reproduced and seemingly went away on its own (or went away when a typo was fixed) are off-topic as they are unlikely to help future readers." – Braiam, devnull, Anthon, jasonwryan, slm
If this question can be reworded to fit the rules in the help center, please edit the question.
    
apt-get install libssl1.0.0 fixes the problem. –  JasonS Apr 10 at 1:55
    
then post your answer if you find it so people will know there a solution –  Kiwy Apr 10 at 6:10
    
OP had to take into account the time that openssl package needs to pass from sid to testing. I was myself unpatched for several days. –  Braiam Apr 12 at 2:33
comments disabled on deleted / locked posts

2 Answers

up vote 1 down vote

You've upgraded the package containing the openssl frontend command, but not the package containing the OpenSSL library. That package is called libssl1.0.0, and you can upgrade it with apt-get install libssl1.0.0.

Debian provides libraries in separate packages so that you can install multiple versions with incompatible binary interfaces simultaneously. For example, Ubuntu 12.04 has both libssl0.9.8 with version 0.9.8k and libssl1.0.0 with version 1.0.1.

However, upgrading a single package is not the right thing. You should do all the upgrades, with apt-get upgrade. The principle of stable distributions is that updates only provide security or grave bug fixes. You want them all, even the ones that got less media attention.

share
add comment
up vote 0 down vote

On Debian-based distros, you can upgrade the single offending OpenSSL package without a full apt-get upgrade:

apt-get install libssl1.0.0

share
add comment