It was a bit difficult to find any real information on fixing the recent OpenSSL CVE-2016-0800 (the DROWN attack), so I decided to write this quick post on how to update OpenSSL on Ubuntu Server 12.04/14.04 (or any Debian-based distro running apache2) to the current 1.0.2 release built from source (1.0.2g when this was first written, 1.0.2l as of the 2017 update). The same build also puts you well past the Heartbleed fix (CVE-2014-0160, a separate and older bug that was fixed in 1.0.1g), which is why the two get mentioned together. I'm not going to go into the details of how DROWN works or how it is exploited, as many blogs and sites already cover this. Instead I will focus only on the fix, and I have provided two methods: one using cURL and one using wget.
*** UPDATED 7/4/2017 ***
Because this is a popular post, I've gone ahead and updated it to reflect the latest OpenSSL source release (1.0.2l). It's good practice to check openssl.org for the latest release regardless of this post, and to compare the downloaded tarball against the SHA256 checksum published next to it before you build anything.
cURL Method
- sudo apt-get install curl (Install the cURL command-line client. Note that php5-curl is PHP's curl extension and does not provide the curl command.)
- sudo apt-get install build-essential (Install gcc and make; make on its own is not enough to compile OpenSSL on a minimal server install.)
- curl -fsSL https://www.openssl.org/source/openssl-1.0.2l.tar.gz | tar xzf - && cd openssl-1.0.2l && ./config && make && sudo make install (Single command that downloads the source tarball, extracts it, cds into the directory, configures and compiles it as your normal user, then installs under /usr/local/ssl as root. The -f flag makes curl fail on an HTTP error instead of piping an error page into tar. If you want to verify the tarball's SHA256 before building, use the wget method below, which keeps the file on disk.)
- sudo ln -sf /usr/local/ssl/bin/openssl /usr/local/bin/openssl (Create a symlink to the new binary. /usr/local/bin comes before /usr/bin in Ubuntu's default PATH and is not owned by any package, so this shadows the distro's openssl without overwriting /usr/bin/openssl, which belongs to the openssl package and would be put back by the next apt upgrade. Run `hash -r` afterwards so an already-open shell stops using its cached /usr/bin/openssl.)
- openssl version (Check that the openssl on your PATH now reports 1.0.2l; `openssl version -a` also shows the build date and the OPENSSLDIR it will read its config from.)
wget Method
- sudo apt-get install build-essential (Install gcc and make; make on its own is not enough to compile OpenSSL on a minimal server install.)
- wget https://www.openssl.org/source/openssl-1.0.2l.tar.gz (Download the OpenSSL 1.0.2l source tarball.)
- sha256sum openssl-1.0.2l.tar.gz (Compare the output with the SHA256 published for this tarball on openssl.org; stop here if they differ.)
- tar -xzvf openssl-1.0.2l.tar.gz (Extract the tarball into the current directory.)
- cd openssl-1.0.2l (Enter the extracted OpenSSL directory.)
- ./config (Configure the build; no sudo is needed for this or for the compile.)
- make (Compile the libraries and the openssl command.)
- sudo make install (Install the compiled files under /usr/local/ssl; this is the only step that needs root.)
- sudo ln -sf /usr/local/ssl/bin/openssl /usr/local/bin/openssl (Create a symlink to the new binary. /usr/local/bin comes before /usr/bin in Ubuntu's default PATH and is not owned by any package, so this shadows the distro's openssl without overwriting /usr/bin/openssl, which belongs to the openssl package and would be put back by the next apt upgrade. Run `hash -r` afterwards so an already-open shell stops using its cached /usr/bin/openssl.)
- openssl version (Check that the openssl on your PATH now reports 1.0.2l; `openssl version -a` also shows the build date and the OPENSSLDIR it will read its config from.)
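The cURL and wget step lists above are the same procedure, so here it is as a single script. This is an added example and not the original post's commands: it verifies the tarball's SHA256 before compiling, builds as an unprivileged user and uses sudo only for the install, links the new binary into /usr/local/bin rather than over /usr/bin/openssl, and then checks that the openssl on PATH is at least the release you asked for. It assumes the operator supplies the checksum in OPENSSL_SHA256 (copied from the openssl.org download page), that sudo is available, and that Apache's mod_ssl lives at the stock Ubuntu path /usr/lib/apache2/modules/mod_ssl.so; the network and root steps only run when DO_INSTALL=1 is set, so the helper functions can be exercised on their own.

```shell
#!/bin/sh
# Added example, not the original post's commands. Assumptions: OPENSSL_SHA256
# holds the checksum published on openssl.org for the tarball, sudo exists,
# and mod_ssl is at the stock Ubuntu path below.
set -e

OPENSSL_VERSION="${OPENSSL_VERSION:-1.0.2l}"
PREFIX=/usr/local/ssl

# Print the SHA256 of a file (GNU coreutils sha256sum, or shasum on BSD/macOS).
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Succeeds only when the file hashes to the expected SHA256.
verify_sha256() {
    [ "$(file_sha256 "$1")" = "$2" ]
}

# Turn an OpenSSL 1.x version string such as "1.0.2l" into an integer key
# (1.0.2l -> 1000002012) so two versions can be compared with test -ge.
# The trailing letter is OpenSSL's patch level; no letter sorts before "a".
version_key() {
    printf '%s\n' "$1" | awk -F. '{
        last = $3; num = last; letter = 0
        if (match(last, /[a-z]+$/)) {
            num = substr(last, 1, RSTART - 1)
            letter = index("abcdefghijklmnopqrstuvwxyz", substr(last, RSTART, 1))
        }
        printf "%d%03d%03d%03d\n", $1, $2, num, letter
    }'
}

# Succeeds when version $1 is at least version $2.
version_ge() {
    [ "$(version_key "$1")" -ge "$(version_key "$2")" ]
}

# Extract the version field from "openssl version" output,
# e.g. "OpenSSL 1.0.2l  25 May 2017" -> "1.0.2l".
parse_openssl_version() {
    printf '%s\n' "$1" | awk '{print $2}'
}

# Report which libssl a binary or module is dynamically linked against.
linked_libssl() {
    ldd "$1" | awk '/libssl/ {print $3}'
}

# Download, verify, build and install. Needs network and root, so it only
# runs when the operator sets DO_INSTALL=1.
install_openssl() {
    tarball="openssl-${OPENSSL_VERSION}.tar.gz"
    expected="${OPENSSL_SHA256:?set OPENSSL_SHA256 to the checksum published on openssl.org}"
    sudo apt-get install -y build-essential curl
    curl -fsSLO "https://www.openssl.org/source/${tarball}"
    verify_sha256 "$tarball" "$expected" \
        || { echo "checksum mismatch for $tarball, not building" >&2; exit 1; }
    tar xzf "$tarball"
    cd "openssl-${OPENSSL_VERSION}"
    ./config --prefix="$PREFIX" --openssldir="$PREFIX"   # build as a normal user
    make
    sudo make install                                      # only this step needs root
    sudo ln -sf "$PREFIX/bin/openssl" /usr/local/bin/openssl  # leave /usr/bin/openssl to dpkg
    hash -r 2>/dev/null || true                            # drop the shell's cached path
    installed=$(parse_openssl_version "$(openssl version)")
    version_ge "$installed" "$OPENSSL_VERSION" \
        || { echo "openssl on PATH is $installed, expected $OPENSSL_VERSION" >&2; exit 1; }
    echo "openssl $installed installed under $PREFIX"
    # mod_ssl keeps using whatever libssl it was linked against; show which one.
    mod_ssl=/usr/lib/apache2/modules/mod_ssl.so            # stock Ubuntu path (assumption)
    if [ -f "$mod_ssl" ]; then
        echo "Apache mod_ssl is linked against: $(linked_libssl "$mod_ssl")"
    fi
}

if [ "${DO_INSTALL:-0}" = 1 ]; then
    install_openssl
fi
```

Run it as `OPENSSL_SHA256=<published checksum> DO_INSTALL=1 sh build-openssl.sh`. The last line it prints is the one to read carefully: if mod_ssl still reports the packaged libssl.so.1.0.0, Apache has not picked up the new library and you still need the distro's security update (or a rebuild of Apache against /usr/local/ssl) for the server itself to be fixed.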
This was tested on both Ubuntu Server 12.04 & 14.04 LTS. One caveat that matters for the DROWN fix: this procedure gives you a new openssl command and new libraries under /usr/local/ssl, but it does not replace the distro's packaged libssl.so.1.0.0, which is what Apache's mod_ssl (and everything else installed from packages) is linked against. You can confirm that with `ldd /usr/lib/apache2/modules/mod_ssl.so | grep libssl`. The server itself is therefore only patched once you either rebuild Apache against /usr/local/ssl or, more simply, install Ubuntu's own security update for CVE-2016-0800 with `sudo apt-get update && sudo apt-get install --only-upgrade openssl libssl1.0.0` and restart apache2. Ubuntu backports fixes without bumping the upstream version number, so `openssl version` on a patched 14.04 system will still report 1.0.1f; check the package changelog (`apt-get changelog libssl1.0.0`) rather than the version string. Questions? Comments?