It is commonly known that the Heartbleed bug exists in OpenSSL versions 1.0.1 through 1.0.1f (inclusive).
So why are ssh and sshd compiled with OpenSSL 1.0.1, where the bug exists (12.04 -> OpenSSL 1.0.1, 14.04 -> OpenSSL 1.0.1f)?
The libssl.so is of course up-to-date, but if I run
ldd `which ssh`
# or
ldd `which sshd`
nothing links against the non-corrupted versions of OpenSSL. But if I run
sshd -V
# Under Ubuntu 12.04 it says:
OpenSSH_5.9p1 Debian-5ubuntu1.4, OpenSSL 1.0.1 14 Mar 2012
# Under Ubuntu 14.04 it says:
OpenSSH_6.6.1p1 Ubuntu-2ubuntu2, OpenSSL 1.0.1f 6 Jan 2014
They explicitly say that they are compiled with corrupted versions. On https://launchpad.net/ubuntu/+source/openssh nothing is said about any update during the heartbeat bug release.
So how can I be sure that sshd is not using an affected version of OpenSSL?
And if it does not use it, why do they explicitly say that they use an affected version?
Heartbleed only affects SSL/TLS connections, not every crypto function in the OpenSSL library, and sshd doesn't use SSL/TLS at all, so it's not affected by Heartbleed even if it's compiled using affected OpenSSL versions. See this question and answer.
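The answer settles the sshd question, but the underlying confusion (the OpenSSL text in `sshd -V` versus the library actually loaded) comes up for every program that links libssl, so here is an added example, not code from the question, the answer, OpenSSH or Ubuntu, that checks the part that matters. The version text printed by `sshd -V` is the OpenSSL version string baked in from the headers present when the binary was built; a security update to libssl does not rebuild sshd, so that text never changes. What matters is the package version of the libssl that the dynamic loader resolves, and whether the running daemon has been restarted since that library was replaced. The script assumes Ubuntu's dpkg tooling, `lsb_release` and `pidof`, the library name libssl.so.1.0.0 shipped by 12.04 and 14.04, and the fixed package versions from Ubuntu's Heartbleed advisory USN-2165-1 (1.0.1-4ubuntu5.12 for 12.04, 1.0.1f-1ubuntu2 for 14.04). The sample ldd and /proc maps lines at the bottom are constructed; the `-V` line is the 14.04 one from the question.

```shell
#!/bin/sh
# Added example (not from the question, the answer, OpenSSH or Ubuntu).
# Answers "which libssl does sshd really load, and is that package patched?"
# Assumptions: Ubuntu 12.04/14.04 with dpkg, lsb_release, pidof; libssl.so.1.0.0;
# fixed versions taken from USN-2165-1.

# Stdin: `ldd /path/to/sshd`. Prints the path the loader resolves libssl to.
libssl_path_from_ldd() {
    awk '$1 ~ /^libssl\.so/ && $2 == "=>" { print $3; exit }'
}

# Stdin: `sshd -V 2>&1` (it prints to stderr). Prints the compiled-in OpenSSL
# version, e.g. 1.0.1f. This is a build-time string, not the runtime library.
compiled_openssl_version() {
    sed -n 's/.*OpenSSL \([0-9][0-9a-z.]*\).*/\1/p' | head -n 1
}

# Stdin: /proc/<pid>/maps of a running sshd. Succeeds if it still maps a libssl
# that was replaced on disk after it started (the kernel shows "(deleted)");
# such a daemon keeps running the old code until it is restarted.
stale_libssl_mapped() {
    grep -q 'libssl\.so.* (deleted)'
}

# libssl1.0.0 version carrying the Heartbleed fix, by release codename (USN-2165-1).
fixed_version_for() {
    case "$1" in
        precise) echo 1.0.1-4ubuntu5.12 ;;
        trusty)  echo 1.0.1f-1ubuntu2 ;;
        *) return 1 ;;
    esac
}

# Exit 0 when version $1 >= version $2. Uses dpkg when present; the awk fallback
# is a simplified comparison (alternating digit/non-digit runs, digits compared
# numerically) that is enough for "same upstream, newer Ubuntu revision".
version_ge() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --compare-versions "$1" ge "$2"
        return
    fi
    awk -v a="$1" -v b="$2" 'BEGIN {
        gsub(/[^0-9]+/, " & ", a); gsub(/[^0-9]+/, " & ", b)
        na = split(a, A, " "); nb = split(b, B, " ")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? A[i] : ""; y = (i <= nb) ? B[i] : ""
            if (x ~ /^[0-9]+$/ && y ~ /^[0-9]+$/) {
                if (x + 0 != y + 0) { r = (x + 0 > y + 0) ? 0 : 1; exit r }
            } else if (x != y) {
                xs = x ""; ys = y ""; r = (xs > ys) ? 0 : 1; exit r
            }
        }
        exit 0
    }'
}

# Prints "patched" or "vulnerable" for installed package version $1 against fixed version $2.
patched_verdict() {
    if version_ge "$1" "$2"; then echo patched; else echo vulnerable; fi
}

# Live check on an Ubuntu host (needs ldd, dpkg, lsb_release; root to read /proc/<pid>/maps).
check_sshd_openssl_live() {
    bin=$(command -v sshd || echo /usr/sbin/sshd)
    compiled=$("$bin" -V 2>&1 | compiled_openssl_version)
    lib=$(ldd "$bin" | libssl_path_from_ldd)
    pkg=$(dpkg -S "$lib" | cut -d: -f1)
    installed=$(dpkg-query -W -f '${Version}' "$pkg")
    fixed=$(fixed_version_for "$(lsb_release -sc)") || { echo "no fixed version known for this release"; return 2; }
    echo "compiled against OpenSSL $compiled; loads $lib from $pkg $installed; fix is $fixed: $(patched_verdict "$installed" "$fixed")"
    for pid in $(pidof sshd 2>/dev/null); do
        if stale_libssl_mapped < "/proc/$pid/maps"; then
            echo "sshd pid $pid still maps the replaced libssl; restart it"
        fi
    done
}

# Offline demonstration on constructed input; pass --live to run the real check.
if [ "${1:-}" = "--live" ]; then
    check_sshd_openssl_live
else
    printf 'OpenSSH_6.6.1p1 Ubuntu-2ubuntu2, OpenSSL 1.0.1f 6 Jan 2014\n' | compiled_openssl_version
    printf '\tlibssl.so.1.0.0 => /lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007f1e2c000000)\n' | libssl_path_from_ldd
    patched_verdict 1.0.1f-1ubuntu2 "$(fixed_version_for trusty)"   # patched
    patched_verdict 1.0.1f-1ubuntu1 "$(fixed_version_for trusty)"   # vulnerable (hypothetical earlier revision)
fi
```

The same approach applies to any service that links libssl: `ldd` tells you which file the loader would map, `dpkg -S` plus `dpkg-query` tell you whether that file comes from a fixed package, and `/proc/<pid>/maps` tells you whether the process you care about has actually picked it up. For sshd itself the answer above still holds: even an unpatched libssl is not reachable through SSH, because the heartbeat extension is part of TLS and sshd never speaks TLS.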