Guix,

1 CVE patch since 1.0.2p seems suspiciously low to me.  I hope I'm 
wrong.  In any case, there are new ones[0].

Me on IRC:

  “I'd like to fix some CVEs in openssl, but it's not clear to me 
  whether ‘letter releases’ are supposed to be ABI-compatible or 
  not.  It would be a big jump (1.0.2p → 1.0.2t), and our current 
  openssl/fixed is just 1.0.2p + 1 patch, so I doubt it.  But 
  cherry-picking patches is proving too painful [for me].”

…mainly because I'm not that familiar with OpenSSLs release/git 
habits.

Kind regards,

T G-R

[0]: https://www.openssl.org/news/cl102.txt