This affects almost all services (especially Apache-based) in a system which depend on OpenSSL and those systems created using one of the following distributions:
Debian Wheezy (stable) (vulnerable OpenSSL 1.0.1e-2+deb7u4, fixed in OpenSSL 1.0.1e-2+deb7u5)
Ubuntu 13.10 (vulnerable OpenSSL 1.0.1e-3ubuntu1.1, fixed in OpenSSL 1.0.1e-3ubuntu1.2)
Ubuntu 12.10 (vulnerable OpenSSL 1.0.1c-3ubuntu2.6, fixed in OpenSSL 1.0.1c-3ubuntu2.7)
- Ubuntu 12.04.4 LTS (vulnerable OpenSSL 1.0.1-4ubuntu5.11, fixed in OpenSSL 1.0.1-4ubuntu5.12)
The package version for Debian/Ubuntu can be checked using the command:
~# dpkg -l openssl
RedHat, CentOS, CloudLinux 6.5 (vulnerable OpenSSL 1.0.1e-16.el6_5.4, fixed in OpenSSL 1.0.1e-16.el6_5.7)
Fedora 18 (OpenSSL 1.0.1e-4 without update: Fedora 18 is no longer supported)
Fedora 19 (fixed in OpenSSL 1.0.1e-37.fc19.1)
Fedora 20 (fixed in OpenSSL 1.0.1e-37.fc20.1)
OpenSUSE 12.2 (vulnerable OpenSSL 1.0.1c, fixed in OpenSSL 1.0.1e-1.44.1)
- OpenSUSE 13.1 (fixed in OpenSSL 1.0.1e-11.32.1)
The package version for Redhat/CentOS and OpenSUSE can be checked using the command:
~# rpm -q openssl
The following OSes are not vulnerable:
OpenSSL 0.97a and 0.98e (in RedHat/CentOS 5) are not vulnerable. According to RHSA-2014-0376, only Redhat 6.5 has a vulnerable version of OpenSSL.
Debian Squeeze it not vulnerable, as stated in Debian Security Advisory DSA-2896.
Other supported Ubuntu releases are not vulnerable, as per Ubuntu Security Notice USN-2165-1.
Fedora is changing rapidly, and the status of the issue is available in the Fedora Magazine article.
- Fixes for OpenSUSE provided in OpenSUSE Security Announcement openSUSE-SU-2014:0492-1.
Parallels products may be affected by this vulnerability. Here is the list of articles which you may refer to: