What was the first 1.0.1 version of openssl that was not vulnerable to heartbleed?

 I recently ran into a requirement that needed a web server set up with SSL, to show that it's possible to extract the private key from a server with a vulnerable version of OpenSSL (Heartbleed). Hence, I downloaded a version of Debian I knew that shipped with the vulnerable version of OpenSSL from here.

However after configuring it, it wasn't leaking anything (as reported by Metasploit).

Below is the output from openssl version -a:

OpenSSL 1.0.1e 11 Feb 2013

built on: Sat Jun 13 10:26:40 UTC 2015

platform: debian-amd64

options:  bn(64,64) rc4(16x,int) des(idx,cisc,16,int) blowfish(idx)

compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -DTERMIO -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -Wl,-z,relro -Wa,--noexecstack -Wall -DMD32_REG_T=int -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
OPENSSLDIR: "/usr/lib/ssl"

From what I know, versions between 1.0.1 through to 1.0.1f are vulnerable. I can see that it was built on a later date. My questions are:

Which compile option made it safe against Heartbleed? I don't see the DOPENSSL_NO_HEARTBEATS flag option in the output above.

Where can I get a Debian version (7 or later) which actually ships with the vulnerable version of OpenSSL needed to demo Heartbleed.