by nayuki 2250 days ago
What popular software contains these vulnerable versions of the OpenSSL library?
4 comments

This is a good question. Also important to remember is that for many Linux distributions dynamically linked OpenSSL artifacts are what end up getting used by the vast majority of binaries.
Yeah, I was thinking by all of the binaries. I had forgotten that there's software that bundles it independently of the distro's library. Another comment mentioned Docker images, and I've remembered that Ruby also bundles it for its own use.
I have no idea what a full list looks like, but the nginx:1.17.10-alpine Docker image contains the following:

    / # nginx -V                              
    nginx version: nginx/1.17.10
    built by gcc 9.2.0 (Alpine 9.2.0)
    built with OpenSSL 1.1.1d  10 Sep 2019
Mine has a "running with..." part after that.

    built with OpenSSL 1.1.1d  10 Sep 2019 (running with OpenSSL 1.1.1g  21 Apr 2020)
If it doesn't print the "running with" line, it's running with the same version it was built with:

https://hg.nginx.org/nginx/file/stable-1.18/src/core/nginx.c...
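
An added example, not part of the thread: a small parser for the `nginx -V` output quoted above that applies the rule from the last comment (no "running with" part means the loaded library is the one nginx was built with). The function names and the `affected` set are assumptions for illustration; fill that set from the advisory you are checking against.

```python
import re

BUILT_RE = re.compile(r"built with OpenSSL (\S+)")
RUNNING_RE = re.compile(r"\(running with OpenSSL (\S+)")

# Sample inputs constructed from the output quoted in the thread.
# Note: nginx writes -V output to stderr, so capture it with `nginx -V 2>&1`.
IMAGE = """nginx version: nginx/1.17.10
built by gcc 9.2.0 (Alpine 9.2.0)
built with OpenSSL 1.1.1d  10 Sep 2019
"""
MINE = """nginx version: nginx/1.17.10
built with OpenSSL 1.1.1d  10 Sep 2019 (running with OpenSSL 1.1.1g  21 Apr 2020)
"""


def openssl_versions(nginx_v_output):
    """Return (built, running) OpenSSL versions, or None if no OpenSSL line."""
    for line in nginx_v_output.splitlines():
        built = BUILT_RE.search(line)
        if built:
            running = RUNNING_RE.search(line)
            # No "running with" part: runtime library == build-time library.
            return built.group(1), (running or built).group(1)
    return None


def check(nginx_v_output, affected):
    """Classify one nginx binary against a caller-supplied set of versions."""
    versions = openssl_versions(nginx_v_output)
    if versions is None:
        return "no OpenSSL line found"
    built, running = versions
    if running in affected:
        return f"running with affected OpenSSL {running}"
    if built in affected:
        # The build-time version alone would be a false positive here.
        return f"built with {built} but running with {running}"
    return f"running with OpenSSL {running}: not in affected set"


if __name__ == "__main__":
    affected = {"1.1.1d"}  # constructed value for the demo, not advisory data
    for name, text in (("image", IMAGE), ("mine", MINE)):
        print(name, "->", check(text, affected))
```

The version that matters for triage is the second element of the tuple, since a dynamically linked nginx picks up whatever library the distribution has since updated to.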

Any embedded system that uses a recent version of Buildroot and includes OpenSSL. Starting with at least version 2019.02.9.
MySQL