Our servers are not vulnerable to the “Heartbleed” SSL security bug
Yesterday, Internet security researchers announced the discovery of the Heartbleed SSL security bug. This bug allows attackers to bypass SSL encryption on servers that use certain versions of software called “OpenSSL”.
Our servers are not, and never have been, vulnerable to this bug, because we’ve never used the affected versions of the OpenSSL software. Our customers are not affected by it in any way.
At the time the bug was disclosed, we were using Debian Linux openssl version “0.9.8o-4squeeze14”, which was not vulnerable.
After the bug was disclosed, we upgraded to a newer version of the openssl library for unrelated reasons and began using version “1.0.1e-2+deb7u7”, which is also not vulnerable according to the Debian page about this bug: “For the stable distribution (wheezy), this problem has been fixed in version 1.0.1e-2+deb7u5 [and later]”.
Note that the fix is in the form of a Debian security backport. This leaves the base version number as “1.0.1e”, with the extra “-2+deb7u7” indicating the patched version. This can be confusing if you simply check the base version (one of our customers saw “1.0.1e” in the output of the “ssh -v” command, for example, and thought this meant it was vulnerable).