Vulnerability to OpenSSL "Heartbleed" bug (CVE-2014-0160)

Summary

The bug affects OpenSSL versions from 1.0.1a through to 1.0.1.g (and is fixed in 1.0.1g) (1.0.2-beta is also affected). Older versions are not vulnerable.

Below we list what we believe to be the status of various systems but please check with the appropriate software vendor to confirm and bear in mind that particular software packages might include their own version of the OpenSSL library.

Potentially Vulnerable Systems

• Red Hat Enterprise Linux (& derivatives such as CentOS/ Oracle Linux) version 6.5
• Debian Wheezy (before OpenSSL 1.0.1e-2+deb7u5)
• Ubuntu 12.04 LTS, 13.04, 13.10
• F5 running LTM V11.5 (if using non-native ciphers)
• Fedora 18, 19 & 20
• OpenBSD 5.3  and 5.4
• FreeBSD 8.4 and 9.1 
• NetBSD 5.0.2
• OpenSUSE 12.2
• Barracuda Web Application Firewall V7.8 (pre 7.8.1.016)

Not Vulnerable

• Red Hat Enterprise Linux (& derivatives such as CentOS/ Oracle Linux) prior to version 6.5
• F5 other than LTM V11.5
• Debian Squeeze (oldstable)

Links to Vendor Advisories

• OpenSSL
• Red Hat
• Ubuntu
• CentOS
• Fedora
• Cisco
• Checkpoint
• Barracuda

Other Useful Links

• CVE-2014-0160
• Codenomicon
• CERT Vulnerability Note VU#720951

• Heartbleed Online Testing Tools:-
  1st Ltd Testing Tool
  Filippo Valsorda's Tool
  Qualys SSL Server Test Tool
  COMODO SSL Analyzer