LinuxQuestions.org


nerdofdarkness 04-08-2014 02:49 AM

I think my version of SSL isn't vulnerable to Heartbleed, but I want to make sure
 
I recently upgraded to libssl0.9.8 in order to test slimboat.

I think this means my machine won't be vulnerable to Heartbleed.

However, I should probably check and see whether I have any other uses of SSL that need to be fixed.

How do I go about checking this?

Thanks.

AlucardZero 04-08-2014 07:42 AM

Well .. is OpenSSL 1.0.1 installed? Did you compile it yourself and put it anywhere?

nerdofdarkness 04-08-2014 07:52 PM

I've been looking at:

https://packages.debian.org/squeeze/libssl-dev

and it appears that libssl is part of openssl.

As for figuring out the version numbers, the only version number I know is the version number I installed yesterday.

If OpenSSL 1.0.1 is on my machine, it probably is on there because some other install added it automatically.

Thus I need to find out how to use debian utilities to check for the presence of compromised packages.

However, the output is not informative, e.g.:

# apt-get check libssl
Reading package lists... Done
Building dependency tree
Reading state information... Done

nerdofdarkness 04-08-2014 07:54 PM

Quote:

Originally Posted by AlucardZero (Post 5148705)
Did you compile it yourself and put it anywhere?

I haven't been compiling utilities on this machine; I've been using apt-get for standard stuff and makefiles for nonstandard stuff.

So one of those makefiles might have installed something.

Or perhaps apt-get might have demanded openssl as a dependency.

AlucardZero 04-10-2014 10:06 AM

apt-cache policy openssl
From the advisory .. 1.0.1e-2+deb7u5 and later are not vulnerable. (0.9.8* and 1.0.0* are also not)



find / -mount -type f -name openssl -print -exec '{}' version -a \;

If you have a 1.0.1 built on April 6 or earlier, you need to update that install.
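
The two checks in the post above can be combined into one decision, shown here as an added example that is not part of the original thread. The function names `upstream_version` and `classify` and the sample output are constructed; the 0.9.8/1.0.0 and 1.0.1e-2+deb7u5 thresholds come from the post, while the upstream range (1.0.1 through 1.0.1f affected, 1.0.1g fixed) is taken from the upstream OpenSSL advisory rather than from this thread.

```shell
#!/bin/sh
# Added example: classify an OpenSSL install for Heartbleed exposure.
LC_ALL=C; export LC_ALL   # keep [a-f] style ranges byte-exact

# Constructed sample of `openssl version -a` output (not from a real host).
SAMPLE='OpenSSL 1.0.1e 11 Feb 2013
built on: Mon Apr  7 20:33:29 UTC 2014
platform: debian-amd64'

# upstream_version TEXT -> version token from the first line of the output
upstream_version() {
    printf '%s\n' "$1" | awk 'NR == 1 && $1 == "OpenSSL" { print $2 }'
}

# classify UPSTREAM [DEB_PKG_VERSION] -> safe | vulnerable | check-package | unknown
classify() {
    up=$1 pkg=${2:-}
    case $up in
        0.9.8*|1.0.0*) echo safe; return ;;      # branches without the heartbeat code
        1.0.1|1.0.1[a-f]) ;;                     # affected upstream range, keep going
        1.0.1[g-z]*) echo safe; return ;;        # upstream fix (assumption noted above)
        *) echo unknown; return ;;
    esac
    # A distro can backport the fix without changing the upstream letter,
    # so the binary's own version string cannot settle the question.
    [ -n "$pkg" ] || { echo check-package; return; }
    case $pkg in
        1.0.1e-2+deb7u[0-9]*)                    # Debian wheezy security revisions
            n=${pkg##*deb7u}                     # text after "deb7u"
            n=${n%%[!0-9]*}                      # keep the leading digits only
            if [ "$n" -ge 5 ]; then echo safe; else echo vulnerable; fi ;;
        *) echo unknown ;;                       # revision scheme not covered here
    esac
}

v=$(upstream_version "$SAMPLE")
echo "$v, no package info:        $(classify "$v")"
echo "$v, pkg 1.0.1e-2+deb7u4:    $(classify "$v" 1.0.1e-2+deb7u4)"
echo "$v, pkg 1.0.1e-2+deb7u6:    $(classify "$v" 1.0.1e-2+deb7u6)"
```

On a real machine the second argument would be the "Installed:" value printed by `apt-cache policy openssl`; a binary found by the `find` command that belongs to no package has no such value and stays at `check-package`.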

xiongnu 04-10-2014 04:47 PM

Quote:

Originally Posted by AlucardZero (Post 5150121)
apt-cache policy openssl
From the advisory .. 1.0.1e-2+deb7u5 and later are not vulnerable. (0.9.8* and 1.0.0* are also not)



find / -mount -type f -name openssl -print -exec '{}' version -a \;

If you have a 1.0.1 built on April 6 or earlier, you need to update that install.

Thanks for the info. I updated openssl on my Debian Wheezy machine yesterday (4/10); now it's openssl (1.0.1e-2+deb7u6).

nerdofdarkness 04-13-2014 07:38 PM

Quote:

Originally Posted by AlucardZero (Post 5150121)
apt-cache policy openssl
From the advisory .. 1.0.1e-2+deb7u5 and later are not vulnerable. (0.9.8* and 1.0.0* are also not)



find / -mount -type f -name openssl -print -exec '{}' version -a \;

If you have a 1.0.1 built on April 6 or earlier, you need to update that install.

Thank you.

