OpenSSL 1.1.0c was released today. It fixes CVE-2016-{7053,7054,7055}:

https://www.openssl.org/news/secadv/20161110.txt

This version of OpenSSL is *not* currently used by any packages, so it's
not a critical "drop everything and get to work" update, in my opinion.

They changed how library runpaths are recorded at build time, and so our
packaging no longer works:

https://github.com/openssl/openssl/pull/1699

I can tackle it in the next few days if nobody else gets to it first.