> The relevant bug is here
>
> https://bugs.gentoo.org/show_bug.cgi?id=576128
>
> If you have sslv2 enabled, your choices are clear:
>
> 1. high likelihood of wholesale breakage, or
> 2. wait a little longer for a proper fix
>
> Obviously -r1 is ideal as it disables sslv2. If you have it and it
> works, leave it in place.
>
> Everyone else is going to have to make up their own mind, and there's no
> sane rational advice that can be given for all, considering what the
> choices are above.
>
Remember that the versions of OpenSSL with SSLv2 can be safe if you disable SSLv2 in the services that use that code, e.g., in apache, at a minimum, set:

    SSLProtocol All -SSLv2

To find out what software is using OpenSSL:

    # qdepends -Q openssl

and then investigate how to disable SSLv2 in each of those with network services. Don't forget to restart!
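One way to check the Apache side of the advice above, as an added example that is not part of the original message: a shell function that lists every SSLProtocol directive that still leaves SSLv2 on. The function names, the sample configuration and the simplified token rules are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: report SSLProtocol directives that leave SSLv2 enabled.
# Simplified reading of the directive (an assumption of this sketch):
# tokens are applied left to right; "All", "SSLv2" and "+SSLv2" switch
# SSLv2 on, "-SSLv2" and "-All" switch it off, other tokens are ignored.
# Ignoring other tokens errs on the side of flagging a directive.

# audit_sslprotocol FILE...
# Prints "file:line: directive" for each directive that ends with SSLv2 on.
# Returns 0 when nothing is flagged, 1 otherwise.
audit_sslprotocol() {
    awk '
        # Directive names are case-insensitive; commented-out lines never
        # match because their first field starts with "#".
        tolower($1) == "sslprotocol" {
            v2 = 0
            for (i = 2; i <= NF; i++) {
                t = tolower($i)
                if (t == "all" || t == "+all" || t == "sslv2" || t == "+sslv2")
                    v2 = 1
                else if (t == "-all" || t == "-sslv2")
                    v2 = 0
            }
            if (v2) { printf "%s:%d: %s\n", FILENAME, FNR, $0; bad = 1 }
        }
        END { exit bad + 0 }
    ' "$@"
}

# Constructed sample configuration (not taken from any real host).
write_sample_conf() {
    cat > "$1" <<'EOF'
# global default
SSLProtocol All
<VirtualHost *:443>
    SSLProtocol All -SSLv2
</VirtualHost>
<VirtualHost *:8443>
    sslprotocol -All +TLSv1 +SSLv2
</VirtualHost>
EOF
}

tmp=$(mktemp) && write_sample_conf "$tmp"
audit_sslprotocol "$tmp" || echo "SSLv2 is still enabled in the directives listed above"
rm -f "$tmp"
```

Pass your own Apache configuration files as arguments; Include directives are not followed, so list every file that can carry an SSLProtocol line.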