I ran apt-get install openssl and verified that the new version, .1g, is installed:
    root@nyc2-04-www:~# apt-cache policy openssl
    openssl:
      Installed: 1.0.1g-1
      Candidate: 1.0.1g-2
      Version table:
         1.0.1g-2 0
            500 http://http.debian.net/debian/ sid/main amd64 Packages
     *** 1.0.1g-1 0
            100 /var/lib/dpkg/status
         1.0.1e-2+deb7u6 0
            500 http://security.debian.org/ wheezy/updates/main amd64 Packages
         1.0.1e-2+deb7u4 0
            500 http://ftp.us.debian.org/debian/ wheezy/main amd64 Packages
            500 http://http.debian.net/debian/ wheezy/main amd64 Packages
However, I notice that even though the new openssl is installed, my servers are still vulnerable unless I do a full apt-get upgrade.
See here: http://filippo.io/Heartbleed/#www.uat.phantomjscloud.com
How can I avoid doing the full apt-get upgrade, but ensure the new openssl is being used?
FYI, I did verify that doing apt-get upgrade will fix Heartbleed (I did that on my production server), but I'm curious as to why updating openssl isn't good enough.
FYI, I am using nginx. I also did apt-get install nginx afterwards, but that didn't resolve the issue either.
UPDATE: running openssl version -a shows that 1.0.1f is still active, even after a reboot.
apt-get install libssl1.0.0 fixes the problem.
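The update above is the whole explanation: on Debian the openssl package is only the command-line tool, while nginx (and everything else doing TLS) is linked against the shared library in the separate libssl1.0.0 package, so upgrading openssl alone leaves the vulnerable library in place. There is a second trap once libssl1.0.0 is upgraded: a running process keeps the old, now-unlinked library mapped until it is restarted, and the kernel flags such mappings "(deleted)" in /proc/PID/maps. The script below is an added example (not from the question or its answers) that scans for processes still running a replaced libssl/libcrypto; the /proc/PID/maps sample embedded in it is constructed for demonstration and does not come from the questioner's server.

```shell
#!/bin/sh
# Added example: find processes that still have a replaced libssl/libcrypto mapped.
# When dpkg installs a new libssl1.0.0, the old file is unlinked but stays mapped
# in every process that loaded it; /proc/PID/maps shows it with "(deleted)".
# Those processes keep executing the old code until they are restarted.

# stale_ssl_libs: read /proc/PID/maps-format text on stdin, print the unique
# paths of libssl/libcrypto objects whose on-disk file has since been replaced.
stale_ssl_libs() {
    awk '
        # maps fields: address perms offset dev inode pathname ["(deleted)"]
        $6 ~ /lib(ssl|crypto)\.so/ && $NF == "(deleted)" && !seen[$6]++ { print $6 }
    '
}

# check_pid PID: print "PID COMM path" for each stale TLS library in that process.
check_pid() {
    pid=$1
    [ -r "/proc/$pid/maps" ] || return 0
    comm=$(cat "/proc/$pid/comm" 2>/dev/null || echo '?')
    stale_ssl_libs < "/proc/$pid/maps" | while read -r lib; do
        printf '%s %s %s\n' "$pid" "$comm" "$lib"
    done
}

# check_all: scan every process on the host; exit status 1 if anything is stale.
check_all() {
    found=0
    for d in /proc/[0-9]*; do
        out=$(check_pid "${d#/proc/}")
        [ -n "$out" ] && { echo "$out"; found=1; }
    done
    return $found
}

# Constructed sample of /proc/PID/maps output (hypothetical nginx worker after a
# libssl1.0.0 upgrade without a restart); not captured from a real system.
SAMPLE_MAPS='7f3a1c000000-7f3a1c1b0000 r-xp 00000000 fd:01 393220  /lib/x86_64-linux-gnu/libc-2.13.so
7f3a1c400000-7f3a1c45c000 r-xp 00000000 fd:01 393250  /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f3a1c65b000-7f3a1c65e000 rw-p 0005b000 fd:01 393250  /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f3a1c800000-7f3a1c9c0000 r-xp 00000000 fd:01 393248  /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (deleted)
7f3a1cc00000-7f3a1cc20000 r-xp 00000000 fd:01 393300  /usr/lib/nginx/modules/ngx_http_geoip_module.so'

case "${1:-}" in
    --scan) check_all ;;                                   # real scan of this host
    *)      printf '%s\n' "$SAMPLE_MAPS" | stale_ssl_libs ;; # demo on the sample
esac
```

Run it as sh stale_ssl.sh --scan after apt-get install libssl1.0.0; any process it lists (typically nginx, sshd, or anything else long-running with TLS) must be restarted before the host is actually fixed, and the package version itself can be confirmed with dpkg-query -W -f='${Version}\n' libssl1.0.0. Without arguments the script just runs the parser over the constructed sample, which reports libssl and libcrypto once each.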