Ubuntu – Upgrade OpenSSL 0.9.8k to OpenSSL 1.0.1c on Ubuntu 10.04

Tags: openssl, Ubuntu, ubuntu-10.04

We're currently using Ubuntu 10.04 and based on the PCI Compliance results, we're told to upgrade our OpenSSL.

I attempted to do this using this reference and this.

Unfortunately, they didn't work for me. And when I attempted to remove the old version prior to installation, it looks like it broke a few things in the system.

The article from Steve Gordon seemed like it would work for me, but when I ran the openssl version command, it still read that it was the old version.

I was wondering if anyone has any suggestions on what I should do.

Fix: After following the steps from Steven Gordon, make sure you restart Apache and/or restart your computer (I did both, but I'm sure a simple restart will fix it right up).

Best Answer

Upgrading openssl is going to make things worse, not better. You need to get a list of CVEs that are concerning whoever is doing your PCI certification. Then you can, for each of these CVEs, show them that Ubuntu is backporting patches to address these CVEs.

Here is Ubuntu's security tracker. You should be able to put a CVE into this site, and find out that Ubuntu has addressed the issue, and when.

For example, the most recent openssl CVE is documented here, and that links to Ubuntu's notice about this vulnerability being fixed.

The company doing your PCI certification SHOULD accept this kind of documentation.
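
An added example, not part of the answer above: a small shell helper that maps each CVE id from an auditor's list to the package upload whose changelog entry first mentions it, as local evidence of a backported fix to go with the tracker links. The function names, CVE ids and changelog text are constructed placeholders; it assumes the usual Debian changelog layout, normally installed at /usr/share/doc/openssl/changelog.Debian.gz.

```shell
# Added example; the changelog text and CVE ids below are constructed placeholders.
read_changelog() {   # print a changelog, decompressing .gz transparently
    case $1 in *.gz) gzip -dc -- "$1" ;; *) cat -- "$1" ;; esac
}

# cve_fixed_in CHANGELOG CVE-ID
# Prints "CVE-ID fixed-in VERSION" (status 0) or "CVE-ID not-mentioned" (status 1).
cve_fixed_in() {
    case $2 in
        CVE-[0-9][0-9][0-9][0-9]-[0-9]*) ;;
        *) echo "not a CVE id: $2" >&2; return 2 ;;
    esac
    # Stanzas start with "package (version) ..." in column 0, newest first, so
    # the last stanza that mentions the id is the earliest upload carrying the fix.
    read_changelog "$1" | awk -v cve="$2" '
        /^[a-z0-9][a-z0-9+.-]* \(/   { ver = $2; gsub(/[()]/, "", ver) }
        ($0 " ") ~ (cve "[^0-9]")    { found = ver }   # do not match a longer id
        END {
            if (found == "") { print cve, "not-mentioned"; exit 1 }
            print cve, "fixed-in", found
        }'
}

# backport_report CHANGELOG CVE-ID...   (status 1 if any id is not mentioned)
backport_report() {
    log=$1; shift; rc=0
    for id in "$@"; do cve_fixed_in "$log" "$id" || rc=1; done
    return "$rc"
}

# Constructed sample in Debian changelog layout (not real package history).
sample_changelog() {
    cat <<'EOF'
openssl (0.0.0-example3) example-security; urgency=low

  * SECURITY UPDATE: placeholder description
    - CVE-0000-0002
 -- Example Maintainer <maint@example.invalid>  Thu, 01 Jan 1970 00:00:00 +0000

openssl (0.0.0-example2) example-security; urgency=low

  * SECURITY UPDATE: placeholder description
    - CVE-0000-0001, CVE-0000-00021
 -- Example Maintainer <maint@example.invalid>  Thu, 01 Jan 1970 00:00:00 +0000
EOF
}
tmp=$(mktemp) && sample_changelog > "$tmp"
backport_report "$tmp" CVE-0000-0001 CVE-0000-0002 CVE-0000-0003 || echo "follow up on ids not mentioned"
rm -f "$tmp"
```

An id reported as not-mentioned is not proof the package is vulnerable; it may not affect that version at all, which is what the security tracker entry records.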