As usual, Debian is too slow releasing updates, let alone backports to older OS versions, like debian 6 (squeeze) or older.
So with them old OS-es you’re stuck with old openssl crap through apt-get update, and standard install from source will *not* update a previous apt-get installed openssl!
Still want to update to 1.0.1g or later? Here’s how it *does* work:
Check the link for the version that says [LATEST] over here. Currently that means you need to do
# wget https://www.openssl.org/source/openssl-1.0.1g.tar.gz
# tar xfz openssl-*.tar.gz
# cd openssl-*
# ./config --prefix=/usr zlib-dynamic --openssldir=/etc/ssl shared enable-ec_nistp_64_gcc_128
It then asks you to do make depend, which you should, and you follow with the usual:
# make depend
# make
# make install
and then you can check the version that’s running on your server with openssl version
and if it says: OpenSSL 1.0.1g 7 Apr 2014
you’re safe and sound in Snowden-land. This also works for Ubuntu 8 (hardy) by the way.
Be sure to reboot your server after that, renew your server certificates, ask (or better yet FORCE) your users to change their passwords.
Of course, you’ve now gone to source for this package. And trying apt-get remove openssl
will result in sheer dependency hell. Forget about letting apt manage openssl in any way or manner. dovecot, nginx, postfix etc. should all still work fine through apt with backports and such. They’ll use the right openssl libraries now.