0

It looks like Ubuntu trusty is hosting OpenSSL Version: 1.0.1f-1ubuntu2.21

Is this actually vulnerable to heartbleed?

  • http://packages.ubuntu.com/source/trusty/openssl
  • http://heartbleed.com/

    What versions of the OpenSSL are affected?
    Status of different versions:
        OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
        OpenSSL 1.0.1g is NOT vulnerable
        OpenSSL 1.0.0 branch is NOT vulnerable
        OpenSSL 0.9.8 branch is NOT vulnerable
        Bug was introduced to OpenSSL in December 2011 and has been out in the wild since OpenSSL release 1.0.1 on 14th of March 2012. OpenSSL 1.0.1g released on 7th of April 2014 fixes the bug.
    

and

    $ openssl version
    OpenSSL 1.0.1f 6 Jan 2014
verdverm
  • I don't know if it is vulnerable (probably not), but OpenSSL 1.0.1 support officially ended December 2016. It's now EOL. See [OpenSSL Release Strategy](https://www.openssl.org/policies/releasestrat.html) – jww Jan 26 '17 at 07:25
  • 1
    Stack Overflow is a site for programming and development questions. This question appears to be off-topic because it is not about programming or development. See [What topics can I ask about here](http://stackoverflow.com/help/on-topic) in the Help Center. Perhaps [Unix & Linux Stack Exchange](http://unix.stackexchange.com/) or [Information Security Stack Exchange](http://security.stackexchange.com/) would be a better place to ask. – jww Jan 26 '17 at 07:26

1 Answer

1

No, the Ubuntu package has a fix backported to 1.0.1f. http://changelogs.ubuntu.com/changelogs/pool/main/o/openssl/openssl_1.0.1f-1ubuntu2.21/changelog mentions a fix for Heartbeat vulnerability under version 1.0.1f-1ubuntu2 dated 7 Apr 2014.

Daniel Schepler
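The check described in the answer, as an added example that is not part of the original post or of Ubuntu's tooling: `openssl version` reports only the upstream string, so the script reads a Debian-format changelog to find the package revision where a fix first shipped and compares the installed revision against it. The function names, the keyword `heartbeat` and the sample changelog (including its `1.0.1f-1ubuntu1` entry) are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: map a fix keyword to package revisions via a Debian-format changelog.

# Constructed sample in Debian changelog layout; the entry texts are placeholders,
# not the wording of the real Ubuntu changelog.
sample_changelog() {
cat <<'EOF'
openssl (1.0.1f-1ubuntu2.21) trusty-security; urgency=medium

  * SECURITY UPDATE: constructed placeholder entry

 -- Example Maintainer <maint@example.invalid>  Mon, 02 Jan 2017 00:00:00 +0000

openssl (1.0.1f-1ubuntu2) trusty; urgency=medium

  * SECURITY UPDATE: constructed entry mentioning the Heartbeat fix

 -- Example Maintainer <maint@example.invalid>  Mon, 07 Apr 2014 00:00:00 +0000

openssl (1.0.1f-1ubuntu1) trusty; urgency=low

  * Constructed placeholder entry

 -- Example Maintainer <maint@example.invalid>  Mon, 06 Jan 2014 00:00:00 +0000
EOF
}

# Print the revision of every stanza (newest first) whose text matches $1,
# case-insensitively. Reads the changelog on stdin.
revisions_mentioning() {
  awk -v pat="$1" '
    /^[a-z0-9][a-z0-9+.-]* \(/ { rev = $2; gsub(/[()]/, "", rev); next }
    rev != "" && tolower($0) ~ tolower(pat) { print rev; rev = "" }
  '
}

# Changelogs are newest-first, so the last match is where the fix first shipped.
first_fix_revision() { revisions_mentioning "$1" | tail -n 1; }

# Succeeds if installed package $1 is at or past revision $2 (needs dpkg).
installed_at_least() {
  dpkg --compare-versions "$(dpkg-query -W -f='${Version}' "$1")" ge "$2"
}

# On a real Ubuntu host:
#   fix=$(apt-get changelog openssl | first_fix_revision heartbeat)
#   installed_at_least openssl "$fix" && echo "fix present in installed package"
```

A keyword match only locates the changelog stanza; read that entry before relying on it, since the wording of real changelog entries varies.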