The first OpenSSL 1.0.1 release that was not vulnerable to Heartbleed (CVE‑2014‑0160) was OpenSSL 1.0.1g.

Direct answer

  • Heartbleed affects OpenSSL 1.0.1 through 1.0.1f (inclusive).
  • The vulnerability was fixed in OpenSSL 1.0.1g, which is therefore the first 1.0.1x version that is not vulnerable in the upstream project.

In other words:

For the 1.0.1 branch, 1.0.1g is the first non‑vulnerable version.

Note that some Linux distributions (Debian, Ubuntu, etc.) shipped packages labeled 1.0.1e or 1.0.1f with backported Heartbleed fixes, so those specific distro builds can be non‑vulnerable even though the upstream 1.0.1e/1.0.1f releases are listed as vulnerable.

Mini FAQ

  1. Which versions are vulnerable?
    • 1.0.1, 1.0.1a, 1.0.1b, 1.0.1c, 1.0.1d, 1.0.1e, 1.0.1f, and 1.0.2‑beta1.
  2. Which 1.0.1x versions are safe (upstream)?
    • 1.0.1g and later in the 1.0.1 series.
  3. How did some “1.0.1e/1.0.1f” builds avoid Heartbleed?
    • Vendors applied the patch while keeping the same base version string, or compiled with heartbeats disabled, so the package version may look vulnerable but actually includes the fix.

TL;DR: For the exact question “what was the first 1.0.1 version of OpenSSL that was not vulnerable to Heartbleed?” the answer is OpenSSL 1.0.1g.
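
The version ranges and the distro-backport caveat above, as an added triage example (not code from the OpenSSL project or from the original answer). The function name, the result labels and the sample strings are assumptions made for illustration; the sample outputs are constructed, not captured from real hosts.

```python
import re

# Upstream releases the page lists as vulnerable: 1.0.1 through 1.0.1f and 1.0.2-beta1.
VULNERABLE_101_LETTERS = {"", "a", "b", "c", "d", "e", "f"}
VERSION_RE = re.compile(r"OpenSSL\s+(\d+\.\d+\.\d+)([a-z]*)(?:-(beta\d+))?", re.I)
# Build flag that compiles the heartbeat extension out; it appears on the
# "compiler:" line of `openssl version -a`.
NO_HEARTBEATS_FLAG = "-DOPENSSL_NO_HEARTBEATS"


def classify(version_output: str) -> str:
    """Triage the text printed by `openssl version -a` (hypothetical helper)."""
    m = VERSION_RE.search(version_output)
    if not m:
        return "unknown"
    base, letter, beta = m.group(1), m.group(2).lower(), (m.group(3) or "").lower()
    in_range = (base == "1.0.1" and not beta and letter in VULNERABLE_101_LETTERS) or (
        base == "1.0.2" and not letter and beta == "beta1"
    )
    if not in_range:
        return "outside-vulnerable-range"
    if NO_HEARTBEATS_FLAG in version_output:
        return "heartbeats-disabled-at-build"
    # The version string cannot show a vendor backport: confirm against the
    # distribution's package changelog or security tracker.
    return "check-vendor-package"


# Constructed sample outputs, for illustration only.
SAMPLES = [
    "OpenSSL 1.0.1g 7 Apr 2014",
    "OpenSSL 1.0.1e-fips 11 Feb 2013\ncompiler: gcc -fPIC -DOPENSSL_PIC -O2",
    "OpenSSL 1.0.1f 6 Jan 2014\ncompiler: gcc -DOPENSSL_NO_HEARTBEATS -O2",
    "OpenSSL 1.0.2-beta1 24 Feb 2014",
    "OpenSSL 0.9.8y 5 Feb 2013",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample.splitlines()[0]:<36} -> {classify(sample)}")
```

A "check-vendor-package" result means the upstream version string falls in the vulnerable range and only the vendor's package metadata can say whether the fix was backported.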
