<div dir="ltr">The relevant bug is here<br><div class="gmail_extra"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<br>
<a href="https://bugs.gentoo.org/show_bug.cgi?id=576128" rel="noreferrer" target="_blank">https://bugs.gentoo.org/show_bug.cgi?id=576128</a><br>
<br>
If you have sslv2 enabled, your choices are clear:<br>
<br>
1. high likelihood of wholesale breakage, or<br>
2. wait a little longer for a proper fix<br>
<br>
Obviously -r1 is ideal as it disables sslv2. If you have it and it<br>
works, leave it in place.<br>
<br>
Everyone else is going to have to make up their own mind, and there&#39;s no<br>
sane rational advice that can be given for all, considering what the<br>
choices are above.<br></blockquote><div> <br></div></div>Remember that the versions of OpenSSL with SSLv2 can be safe if you disable SSLv2 in the services that use that code, e.g., in Apache, at a minimum, set:<br><pre>SSLProtocol All -SSLv2</pre>To find out what software is using OpenSSL:<br><pre># qdepends -Q openssl</pre></div><div class="gmail_extra">and then investigate how to disable SSLv2 in each of those with network services. Don't forget to restart!<br></div></div>
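An added example, not part of the original message: a shell check that reads Apache configuration text and lists every active `SSLProtocol` line that still leaves SSLv2 enabled. The function names and the sample configuration are constructed for illustration. It assumes `All` includes SSLv2 (as on the SSLv2-capable builds discussed here) and that tokens are applied left to right, with an unprefixed token replacing the protocol set.

```shell
#!/bin/sh
# Assumed semantics: "+X" adds X, "-X" removes X, a bare token replaces the
# whole set; "all" includes SSLv2 on an SSLv2-capable build.

# Print "on" or "off": is SSLv2 enabled after applying one SSLProtocol line?
sslv2_state() {
    state=off
    set -f                          # do not glob-expand tokens
    for tok in $1; do
        tok=$(printf '%s' "$tok" | tr '[:upper:]' '[:lower:]')
        case "$tok" in
            sslprotocol) ;;                  # the directive name itself
            +all|+sslv2) state=on ;;
            -all|-sslv2) state=off ;;
            +*|-*)       ;;                  # other protocols: SSLv2 unchanged
            all|sslv2)   state=on ;;         # bare token replaces the set
            *)           state=off ;;        # bare non-SSLv2 token replaces it
        esac
    done
    set +f
    printf '%s\n' "$state"
}

# Read config text on stdin; print "LINENO: directive" for each active
# (non-comment) SSLProtocol line that leaves SSLv2 on.
audit_sslprotocol() {
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        set -f; set -- $line; set +f         # split the line into words
        name=$(printf '%s' "${1:-}" | tr '[:upper:]' '[:lower:]')
        [ "$name" = "sslprotocol" ] || continue
        if [ "$(sslv2_state "$line")" = on ]; then
            printf '%s: %s\n' "$n" "$*"
        fi
    done
    return 0
}

# Constructed sample configuration (not taken from any real host).
audit_sslprotocol <<'EOF'
# SSLProtocol All
<VirtualHost *:443>
    SSLProtocol all -SSLv3
</VirtualHost>
SSLProtocol All -SSLv2
EOF
```

A vhost with no `SSLProtocol` line inherits the server default, so an empty result for a file does not by itself show SSLv2 is off.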