How to fix OpenSSL Padding Oracle vulnerability (CVE-2016-2107) for nginx on debian jessie?
I got it.
certbot from debian unstable, which installed
1.0.2f-2. unstable is pinned to priority "-100" (do not install from unstable unless requested with
-t unstable). This means the version is between the jessie version
1.0.0X-Y and the current unstable version
1.0.2.h-1. This prevented an upgrade to the next version in unstable, while the upgrade in stable is an "older" version with respect to the version number.