OpenSSL now at 1.0.2b
It includes fixes and mitigations for six CVEs, rated from low to moderate. From the security advisory:
- The Logjam man-in-the-middle attack
- Malformed ECParameters causes infinite loop (CVE-2015-1788)
- Exploitable out-of-bounds read in X509_cmp_time (CVE-2015-1789)
- PKCS7 crash with missing EnvelopedContent (CVE-2015-1790)
- CMS verify infinite loop with unknown hash function (CVE-2015-1792)
- Race condition handling NewSessionTicket (CVE-2015-1791)
- Invalid free in DTLS (CVE-2014-8176)
All are rated moderate or low. Therefore, none worthy of their own website (well, maybe other than Logjam?). As usual, patch and so on.
Or, you could take your chances (as so many have told me to) and use a fork. If this software continues to have issues despite being entrenched and a de facto standard, I'm sure your offshoot with huge swaths of code changes and far less testing will be more secure.
freebsd-update now fetches the newer openssl and libssl packages).