Same OS, my version is:
OpenSSL 1.0.1f 6 Jan 2014
I understand that this version is fine and that I just shouldn't upgrade to version 1.0.1k, but wait for the following one.
Did I understand that correctly?
Well, apparently not.
Version 1.0.1f (6 Jan 2014) seems to be affected, too.
Running reindexing now.
I can confirm that Version 1.0.1f (6 Jan 2014) caused 4 test failures here as well.
The problem is that distributions tend to backport updates that are marked as security updates (as this one).
Here you go for Ubuntu: this is the security update that backports this patch to Ubuntu 14.10, Ubuntu 14.04 LTS, Ubuntu 12.04 LTS, and Ubuntu 10.04 LTS:
http://www.ubuntu.com/usn/usn-2459-1/
That means: if you are running any of the Ubuntu (server) versions above, you are very likely affected. If you are running Ubuntu LTS, you are for sure affected. In these cases, don't upgrade your OpenSSL installation.
Here's the list of package versions that you should NOT install (that is, the package versions with the backported patch):
Ubuntu 14.10: libssl1.0.0 1.0.1f-1ubuntu9.1
Ubuntu 14.04 LTS: libssl1.0.0 1.0.1f-1ubuntu2.8
Ubuntu 12.04 LTS: libssl1.0.0 1.0.1-4ubuntu5.21
Ubuntu 10.04 LTS: libssl0.9.8 0.9.8k-7ubuntu8.23
How to avoid upgrading accidentally? Simply execute:
sudo apt-mark hold openssl
PS: don't trust the version reported by
openssl version
as it does not cover the backports. Execute
dpkg -s openssl | grep Version
to see which version you have.