
I have installed Ubuntu 12.04.4 on my machine and it came with the Heartbleed-vulnerable version of OpenSSL, 1.0.1. So I uninstalled OpenSSL 1.0.1 and installed the new 1.0.1h version by referring to this link. I applied the patch for the 1.0.1h version and this installed OpenSSL successfully.

Now, on the second day, I see that OpenSSL has reverted to 1.0.1 (the default version that comes with Ubuntu 12.04.4).

Is there any setting or configuration that automatically replaces OpenSSL with its default version? How can I stop this automatic rollback of OpenSSL to the default version?

2 Answers

1

If you want to stop a package from being automatically updated each time you run the apt-get upgrade or apt-get dist-upgrade command, you have to put it on hold in the package management system.

This can be done with the following command:

echo "openssl hold" | sudo dpkg --set-selections

When you run dpkg --get-selections | grep openssl, you will see the following:

openssl                hold

And then, when you run sudo apt-get upgrade, you will see output like this:

sudo apt-get upgrade

Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
The following packages have been kept back:
   openssl
0 upgraded, 0 newly installed, 0 to remove and 1 not upgraded.

Attention:

Of course, you will then be the only one responsible for updating OpenSSL; you will have to watch the security bulletins, the published patches, and so on.

Important note:

Linux distributions (Ubuntu and others) use their own versioning and patching cycles. This means that version N of package XXXX present in the repositories can already incorporate a security patch that was applied mainstream in version N+1 but was backported to version N by the distribution maintainers.

Benoit
  • 7,637
0

Those instructions are not Ubuntu-specific and are not the recommended way to patch the Heartbleed bug on Ubuntu. In fact, they are intended for people who have compiled OpenSSL themselves rather than using the version supplied with their Linux distribution (e.g. Ubuntu), or who want to apply a patch manually before the OS patches their version; neither of which is the case here. Ubuntu's version of OpenSSL in Precise has been patched since April (with version 1.0.1-4ubuntu5.12).

In order to patch Heartbleed on Ubuntu:

  • Run a version of Ubuntu which is still getting security support (12.04.* is fine)

  • Install all automatic updates

That's it. However, if you had SSL certificates that were in use before the Heartbleed bug was discovered and fixed, you should re-issue those certificates.

thomasrutter
  • 37,804
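Both answers hinge on reading the package database correctly: the first on whether a package is on hold, the second on the fact that an Ubuntu version string such as 1.0.1-4ubuntu5.12 carries the backported fix even though its upstream part still reads "1.0.1". The script below is an added example, not code from either answerer or from Ubuntu. It reimplements the ordering that dpkg --compare-versions uses (epoch, upstream version, Debian revision; "~" sorts before anything, letters before other characters, digit runs numerically) so that it runs without dpkg, parses the output of dpkg --get-selections and dpkg-query -W -f='${Package} ${Version}\n', and reports per package whether it is held and whether the installed revision is at least the fixed one. The fixed version for openssl is the one the second answer gives; applying the same version to libssl1.0.0 (the shared library that network services actually link against, built from the same source package) is my assumption, and the sample output at the bottom is constructed, not captured from a real machine.

```python
"""Report hold status and backport level of OpenSSL packages (added example)."""
import re

# Fixed version for openssl as stated on the page; reusing it for libssl1.0.0
# is an assumption (both are built from the same source package on Ubuntu).
FIXED_VERSIONS = {
    "openssl": "1.0.1-4ubuntu5.12",
    "libssl1.0.0": "1.0.1-4ubuntu5.12",
}


def _char_order(c):
    """dpkg ordering for one non-digit character: '~' sorts before anything,
    even end of string; letters sort before non-letters."""
    if c == "~":
        return -1
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _compare_fragment(a, b):
    """Compare an upstream version or a Debian revision the way dpkg does:
    alternate non-digit runs (lexical, see _char_order) and digit runs (numeric)."""
    while a or b:
        na = re.match(r"[^0-9]*", a).group()
        nb = re.match(r"[^0-9]*", b).group()
        a, b = a[len(na):], b[len(nb):]
        for i in range(max(len(na), len(nb))):
            ca = _char_order(na[i]) if i < len(na) else 0  # end of string == 0
            cb = _char_order(nb[i]) if i < len(nb) else 0
            if ca != cb:
                return -1 if ca < cb else 1
        da = re.match(r"[0-9]*", a).group()
        db = re.match(r"[0-9]*", b).group()
        a, b = a[len(da):], b[len(db):]
        ia, ib = int(da) if da else 0, int(db) if db else 0
        if ia != ib:
            return -1 if ia < ib else 1
    return 0


def _split_version(v):
    """Split 'epoch:upstream-revision' into (epoch, upstream, revision)."""
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 with the same ordering as `dpkg --compare-versions`."""
    ea, ua, ra = _split_version(a)
    eb, ub, rb = _split_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _compare_fragment(ua, ub) or _compare_fragment(ra, rb)


def _parse_two_columns(text):
    """Parse 'package<ws>value' lines; a ':arch' qualifier on the name is dropped."""
    out = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2:
            out[parts[0].split(":")[0]] = parts[1]
    return out


def assess(selections_text, versions_text, fixed=FIXED_VERSIONS):
    """selections_text: output of `dpkg --get-selections`;
    versions_text: output of dpkg-query printing '${Package} ${Version}' per line."""
    held = _parse_two_columns(selections_text)
    installed = _parse_two_columns(versions_text)
    report = {}
    for pkg, fixed_version in fixed.items():
        version = installed.get(pkg)
        report[pkg] = {
            "installed": version,
            "held": held.get(pkg) == "hold",
            "patched": version is not None and compare_versions(version, fixed_version) >= 0,
        }
    return report


# Constructed sample (not real machine output): openssl was put on hold while still
# at an older revision, whereas libssl1.0.0 kept receiving updates.
SAMPLE_SELECTIONS = "libssl1.0.0\t\t\t\tinstall\nopenssl\t\t\t\t\thold\n"
SAMPLE_VERSIONS = "libssl1.0.0 1.0.1-4ubuntu5.12\nopenssl 1.0.1-4ubuntu5.10\n"

if __name__ == "__main__":
    for pkg, info in assess(SAMPLE_SELECTIONS, SAMPLE_VERSIONS).items():
        print(f"{pkg}: installed={info['installed']} held={info['held']} patched={info['patched']}")
```

On a real 12.04 machine you would feed assess() the output of dpkg --get-selections and of dpkg-query -W -f='${Package} ${Version}\n' openssl libssl1.0.0. The constructed sample illustrates the trap the two answers describe together: holding the openssl package freezes only the command-line tool, while the library that daemons load is a separate package, and a hold placed while the held revision is below the fixed one leaves the box unpatched even though apt reports nothing to upgrade.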