The openssl 1.0.2 beta1 currently is vulnerable to the heartbleed bug. Gentoo has a masked ebuild for it and it seems the vulnerability is not patched. I'm aware that this is a masked package, that masked packages are unsupported and everyone using them should know what they're doing. However, I think in this extreme situation we shouldn't deliver any vulnerable packages. Some options for how I think we could handle this:

1. Add a patch to the ebuild
2. Add a BIG FAT WARNING to the ebuild that this should never ever be used for any real world use
3. Remove the beta ebuild until upstream makes a new beta (I'll ask upstream about it)
I have a set of patches at hand, addressing the heartbleed and some more bugs in openssl-1.0.2_beta1. Gimme some time to prepare them for inclusion into portage.
+*openssl-1.0.2_beta1-r1 (19 Apr 2014) + + 19 Apr 2014; Lars Wendler <polynomial-c@gentoo.org> + -openssl-1.0.2_beta1.ebuild, +openssl-1.0.2_beta1-r1.ebuild: + Added a bunch of upstream patches to openssl-1.0.2_beta1 (bug #508068). +
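Review bot: the ChangeLog entry for openssl-1.0.2_beta1-r1 only says "a bunch of upstream patches" were added; since this revision exists specifically to close the heartbleed issue discussed in this bug, the entry should name that security fix explicitly so users tracking the vulnerability can see from the log that the -r1 revision addresses it, e.g. "Added upstream patches to openssl-1.0.2_beta1, including the heartbleed fix (bug #508068)."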