It looks like Ubuntu trusty is hosting OpenSSL Version: 1.0.1f-1ubuntu2.21
Is this actually vulnerable to heartbleed?
- http://packages.ubuntu.com/source/trusty/openssl
-
What versions of the OpenSSL are affected? Status of different versions: OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable OpenSSL 1.0.1g is NOT vulnerable OpenSSL 1.0.0 branch is NOT vulnerable OpenSSL 0.9.8 branch is NOT vulnerable Bug was introduced to OpenSSL in December 2011 and has been out in the wild since OpenSSL release 1.0.1 on 14th of March 2012. OpenSSL 1.0.1g released on 7th of April 2014 fixes the bug.
and
$ openssl version
OpenSSL 1.0.1f 6 Jan 2014
No, the Ubuntu package has a fix backported to 1.0.1.f. http://changelogs.ubuntu.com/changelogs/pool/main/o/openssl/openssl_1.0.1f-1ubuntu2.21/changelog mentions a fix for Heartbeat vulnerability under version 1.0.1f-1ubuntu2 dated 7 Apr 2014.