Comment 1 for bug 484417

Jamie Strandboge (jdstrand) wrote :

While OpenSSL does need to be updated, it requires a protocol change to fix properly. At this time, Ubuntu is waiting on the protocol changes discussed by the IETF to be formalized before patching OpenSSL. In the meantime, since there are known attacks against the HTTPS protocol, Apache was updated to disallow client-initiated TLS renegotiations in http://www.ubuntu.com/usn/USN-860-1.