heartbleed in wheezy

[Luca <l.cappe@gmail.com>]

Ciao a tutti,

su un server wheezy aggiornato:

ii  libssl1.0.0:amd64                   1.0.1e-2+deb7u7                    amd64        SSL shared libraries

ii  openssl                             1.0.1e-2+deb7u7                    amd64        Secure Socket Layer (SSL) binary and

ii  apache2                             2.2.22-13+deb7u1                   amd64        Apache HTTP Server metapackage

root@miohost:~/script# openssl version -a

OpenSSL 1.0.1e 11 Feb 2013

built on: Mon Jan  6 19:32:28 UTC 2014

platform: debian-amd64

options:  bn(64,64) rc4(16x,int) des(idx,cisc,16,int) blowfish(idx) 

compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -DTERMIO -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -Wl,-z,relro -Wa,--noexecstack -Wall -DMD32_REG_T=int -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM

OPENSSLDIR: "/usr/lib/ssl"

eseguendo i test dal sito https://filippo.io/Heartbleed/ e https://gist.github.com/harlo/10199638 in entrambi i casi ottengo che il server è vulnerabile. Dai changelog il bug sembra risolto, ma invece i test verificano il contrario. Dov'è il problema?

Grazie,

Luca.