Updating To OpenSSL 1.0.2g On Ubuntu Server 12.04 & 14.04 LTS To Stop CVE-2016-0800 (DROWN attack)

It was a bit difficult to find any real information on fixing the latest OpenSSL CVE-2016-0800 (DROWN attack), so I decided to write this quick post on how to update OpenSSL on your Ubuntu Server 12.04/14.04 (or any Debian-based distro with apache2) to the latest 1.0.2g build to avoid the DROWN/Heartbleed attacks. I'm not going to go into the details of how the exploit works and how it's exploited, as there are many blogs/sites that already go over this. Instead I will focus only on the fix. I have provided two methods: one using cURL and one using wget.

cURL Method

  1. sudo apt-get install curl (Install the cURL command-line tool used in step 3)
  2. sudo apt-get install make (Install compiling library Make)
  3. curl https://www.openssl.org/source/openssl-1.0.2g.tar.gz | tar xz && cd openssl-1.0.2g && sudo ./config && sudo make && sudo make install (single command that will download latest binaries, extract them, cd into the directory, compile configuration and then install the files)
  4. sudo ln -sf /usr/local/ssl/bin/openssl `which openssl` (This will create a sym link to the new binaries)
  5. openssl version -v (Used to check the version of the Current OpenSSL binaries)

wget method

  1. sudo apt-get install make (Install compiling library Make)
  2. wget https://www.openssl.org/source/openssl-1.0.2g.tar.gz (Download the latest OpenSSL 1.0.2g binaries)
  3. tar -xzvf openssl-1.0.2g.tar.gz (Extract the tar ball to the local directory)
  4. cd openssl-1.0.2g (Enter extracted OpenSSL directory)
  5. sudo ./config (Configure binaries for compiling)
  6. sudo make install (install configured binaries)
  7. sudo ln -sf /usr/local/ssl/bin/openssl `which openssl` (This will create a sym link to the new binaries)
  8. openssl version -v (Used to check the version of the Current OpenSSL binaries)
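
A post-install check to go with the final step of either method, added here and not part of the original post: `openssl version` reports only the command-line binary, so this also reads `ldd` output to see which libssl Apache's mod_ssl actually loads. The function names, the mod_ssl path in the comment and the sample `ldd` output are assumptions constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: post-upgrade checks for the steps above. All sample data is constructed.

# Succeeds if an `openssl version` line reports 1.0.2g or a later 1.0.2 letter release.
# Other branches are outside what the page covers and are not matched.
is_102g_or_later() {
    local ver
    ver=$(printf '%s\n' "$1" | awk '{print $2}')
    case "$ver" in
        1.0.2[ghijklmnopqrstuvwxyz]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Reads `ldd` output on stdin and prints the path of each libssl it resolves to.
linked_libssl() {
    awk '$1 ~ /^libssl\.so/ && $2 == "=>" { print $3 }'
}

# Reads `ldd` output on stdin; succeeds only if libssl is found and every copy
# lives under /usr/local/ssl, the install prefix used by the symlink step.
uses_source_build() {
    local paths
    paths=$(linked_libssl)
    [ -n "$paths" ] || return 1
    ! printf '%s\n' "$paths" | grep -qv '^/usr/local/ssl/'
}

# Constructed sample of `ldd` output for a distro-packaged mod_ssl.so.
SAMPLE_LDD='	libssl.so.1.0.0 => /lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007f0000200000)
	libcrypto.so.1.0.0 => /lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (0x00007f0000000000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007effffc00000)'

# On a live server (the module path is an assumption, adjust to your install):
#   is_102g_or_later "$(openssl version)" || echo "CLI is older than 1.0.2g"
#   ldd /usr/lib/apache2/modules/mod_ssl.so | uses_source_build \
#       || echo "Apache still loads the distro libssl; check package updates too"
```

If the second check fails, Apache is still using the libssl installed by the distribution's package, whatever the command-line binary reports.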

This was tested on both Ubuntu Server 12.04 & 14.04 LTS versions. Questions? Comments?


Published by

Miguel

Hi, my name is Miguel Vallejo and I'm the Founder & CEO of Web Semantics (www.websemantics.com). As a child of the internet, I'm a self-taught Web Developer & Network Engineer with over 15 years of professional experience, specializing in Linux/Unix systems (Debian, Redhat & CentOS distributions) and virtualization (KVM & VMware). I have a passion for Network Security, Information Technology, Cloud Infrastructures (Open Stack), open source Web Development and anything that involves technology. I speak English and Spanish fluently and have worked on and with bilingual infrastructures (English & Spanish). I like challenges and hate anything mundane, and I am a bit anti-social (naturally lol...). I dislike those who are dishonest and who like to take advantage of others; like Julian Assange, I enjoy crushing bastards.
