I feel like there is a (potentially bad) typo in the second paragraph of this advisory.
> Servers are only known to be vulnerable in OpenSSL 1.0.1 and 1.0.2-beta1. Users of OpenSSL servers earlier than 1.0.1 are advised to upgrade as a precaution.
It seems to me that users on versions earlier than 1.0.1 would be advised not to upgrade, since they stated in the sentence before that 1.0.1 is vulnerable.
------
edit: Oops, I feel kind of dumb. Literally the next line is describing the recommended upgrade for 0.9.8 users:
> OpenSSL 0.9.8 SSL/TLS users (client and/or server) should upgrade to 0.9.8za.
"Upgrade" doesn't necessarily mean "upgrade to 1.0.1". Older versions are still getting updates. Unfortunately, this might not be clear to some readers because OpenSSL uses a weird versioning scheme. The three numbers stay the same, but the alphabetical part at the end gets incremented each time there's an update.
> OpenSSL 0.9.8 SSL/TLS users should upgrade to 0.9.8za.
> OpenSSL 1.0.0 SSL/TLS users should upgrade to 1.0.0m.
> OpenSSL 1.0.1 SSL/TLS users should upgrade to 1.0.1h.
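As an added illustration (not part of the comment above or of the OpenSSL advisory it quotes): a small Python checker that parses legacy OpenSSL version strings the way the comment describes (three fixed numbers plus a letter suffix that is bumped on every update), orders releases within one branch by that suffix, and maps an installed version to the fixed release quoted above for its branch. The `FIXED_BY_BRANCH` table holds only the three fixed versions quoted on this page; the `OpenSSLVersion` and `upgrade_advice` names and the assumption that the suffix continues "za", "zb", ... after "z" (so a longer suffix is newer) are mine, not something the advisory states.

```python
import re
from typing import NamedTuple, Optional, Tuple

# The three fixed releases quoted from the advisory above, keyed by branch
# (the three numbers that stay the same across updates on that branch).
FIXED_BY_BRANCH = {
    (0, 9, 8): "0.9.8za",
    (1, 0, 0): "1.0.0m",
    (1, 0, 1): "1.0.1h",
}

# Legacy OpenSSL release versions: three numbers plus an optional lower-case
# letter suffix. Pre-release strings such as "1.0.2-beta1" are deliberately
# rejected; they do not follow the letter-suffix scheme.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)$")


class OpenSSLVersion(NamedTuple):
    branch: Tuple[int, int, int]  # e.g. (0, 9, 8)
    patch: str                    # e.g. "za"; "" for the initial release

    @classmethod
    def parse(cls, text: str) -> "OpenSSLVersion":
        m = _VERSION_RE.match(text.strip())
        if m is None:
            raise ValueError(f"not a release-style OpenSSL version: {text!r}")
        return cls((int(m.group(1)), int(m.group(2)), int(m.group(3))), m.group(4))

    def patch_key(self) -> Tuple[int, str]:
        # Assumption (mine, not from the advisory): after "z" the suffix
        # continues "za", "zb", ..., so a longer suffix is always newer than a
        # shorter one: "y" < "z" < "za" < "zb".
        return (len(self.patch), self.patch)

    def is_at_least(self, other: "OpenSSLVersion") -> bool:
        # Letter suffixes only order releases within a single branch; comparing
        # 1.0.1h against 1.0.0m by suffix would be meaningless, so refuse.
        if self.branch != other.branch:
            raise ValueError(
                f"{self} and {other} are on different branches; "
                "letter suffixes only order releases within one branch"
            )
        return self.patch_key() >= other.patch_key()


def upgrade_advice(installed_text: str) -> str:
    """Map an installed version string to the advisory's per-branch recommendation."""
    installed = OpenSSLVersion.parse(installed_text)
    fixed_text: Optional[str] = FIXED_BY_BRANCH.get(installed.branch)
    if fixed_text is None:
        return f"{installed_text}: no fixed release listed for this branch"
    fixed = OpenSSLVersion.parse(fixed_text)
    if installed.is_at_least(fixed):
        return f"{installed_text}: already at or past {fixed_text}"
    # "Upgrade" here means the next release on the same branch, not a jump
    # to a newer branch such as 1.0.1.
    return f"{installed_text}: upgrade to {fixed_text} (same branch)"


if __name__ == "__main__":
    for v in ("0.9.8y", "0.9.8za", "1.0.0l", "1.0.1g", "1.0.1h", "1.0.2"):
        print(upgrade_advice(v))
```

The point the comparison makes explicit is the one the comment arrives at: a 0.9.8y user is told to move to 0.9.8za, which sorts after "y" and "z" on the same branch, not to 1.0.1.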