Is the Ubuntu trusty public repo hosting a heartbleed vulnerable openssl version?
It looks like Ubuntu trusty is hosting OpenSSL version: 1.0.1f-1ubuntu2.21
Is this really vulnerable to Heartbleed?
- http://packages.ubuntu.com/source/trusty/openssl
What versions of the OpenSSL are affected?
Status of different versions:
OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
OpenSSL 1.0.1g is NOT vulnerable
OpenSSL 1.0.0 branch is NOT vulnerable
OpenSSL 0.9.8 branch is NOT vulnerable
Bug was introduced to OpenSSL in December 2011 and has been out in the wild since OpenSSL release 1.0.1 on 14th of March 2012. OpenSSL 1.0.1g released on 7th of April 2014 fixes the bug.
and
$ openssl version
OpenSSL 1.0.1f 6 Jan 2014
No, the Ubuntu package has a fix backported to 1.0.1f. http://changelogs.ubuntu.com/changelogs/pool/main/o/openssl/openssl_1.0.1f-1ubuntu2.21/changelog mentions the Heartbeat vulnerability fix under version 1.0.1f-1ubuntu2 of April 7, 2014.
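The check the answer describes, as an added example that is not part of the original question or answer: because `openssl version` only reports the upstream version, look in the package changelog for the entry that carries the fix. The function name and the sample changelog text are constructed for illustration; only the two package versions and the keyword "heartbeat" come from the page.

```shell
#!/bin/sh
# Added example (hypothetical helper): print the package versions whose
# Debian-format changelog entry mentions a keyword. Reads the changelog on stdin.
changelog_versions_mentioning() {
    keyword=$1
    awk -v kw="$keyword" '
        # Entry header, e.g. "openssl (1.0.1f-1ubuntu2) trusty; urgency=medium"
        /^[a-z0-9][a-z0-9+.-]* \([^)]+\) / {
            ver = $2
            gsub(/[()]/, "", ver)   # strip the parentheses around the version
            seen = 0
            next
        }
        # Body line: report the current entry once if it mentions the keyword
        ver != "" && !seen && index(tolower($0), tolower(kw)) {
            print ver
            seen = 1
        }
    '
}

# Constructed sample in Debian changelog format. The entry wording, maintainer
# and dates are placeholders, not the text of the real Ubuntu changelog.
sample_changelog() {
    cat <<'EOF'
openssl (1.0.1f-1ubuntu2.21) trusty-security; urgency=medium

  * SECURITY UPDATE: constructed placeholder entry

 -- Constructed Maintainer <maint@example.invalid>  Sun, 01 Jan 2017 00:00:00 +0000

openssl (1.0.1f-1ubuntu2) trusty; urgency=medium

  * SECURITY UPDATE: memory disclosure in TLS heartbeat extension

 -- Constructed Maintainer <maint@example.invalid>  Mon, 07 Apr 2014 00:00:00 +0000
EOF
}

# The upstream version string is 1.0.1f in both entries; the changelog shows
# which package revision picked up the fix.
sample_changelog | changelog_versions_mentioning heartbeat
```

On a real system, feed it the changelog of the package version in question, for example `apt-get changelog openssl | changelog_versions_mentioning heartbeat`; a match in that changelog means the fix is part of that package build regardless of the upstream version string.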