Fixing OpenSSL Padding Oracle vulnerability (CVE-2016-2107)

By:
On:
In: Linux
With: 0 Comments

This works well on my Ubuntu 14.04

Based on http://fearby.com/article/update-openssl-on-a-digital-ocean-vm/

Method1: $ sudo apt-get update $sudo apt-get install –only-upgrade libssl1.0.0 openssl #check if it patches successfully.

$ zgrep -ie “(CVE-2016-2108|CVE-2016-2107)” /usr/share/doc/libssl1.0.0/changelog.Debian.gz

Output should be like this:

  • debian/patches/CVE-2016-2107.patch: check that there are enough
    • CVE-2016-2107
    • debian/patches/CVE-2016-2108-1.patch: don’t mishandle zero if it is
    • debian/patches/CVE-2016-2108-2.patch: fix ASN1_INTEGER handling in
    • CVE-2016-2108

Method2: $ sudo apt-get dist-upgrade

$ wget ftp://ftp.openssl.org/source/openssl-1.0.2h.tar.gz $ tar -xvzf openssl-1.0.2h.tar.gz $ cd openssl-1.0.2h $ ./config –prefix=/usr/ $ make depend $ sudo make install $ openssl version

OpenSSL 1.0.2h 3 May 2016

now restart your nginx or other server

$ sudo service nginx restart

check your website here https://www.ssllabs.com/ssltest/

Leave a Reply

Your email address will not be published. Required fields are marked *