My read of the impact to us:

• CVE-2023-0286 requires users to enable CRL checking, as it appears that we don't do anything besides provide the constants. Also, from the advisory: "In most cases, the attack requires the attacker to provide both the certificate chain and CRL", which suggests a more appropriate mitigation (don't use an attacker's revocation list :) )
• CVE-2022-4304 is a timing oracle requiring a very large number of requests. I suspect natural variation would make this infeasible over an actual network, but if it can be demoed, this seems like the biggest issue for us.
• CVE-2022-4203 requires a CA-signed certificate, and at worst may cause a crash. In any case, doesn't impact OpenSSL 1.1
• CVE-2023-0215 and CVE-2023-4450 impact BIO_new_NDEF and PEM_read_bio_ex which we neither use nor expose
• Remaining issues don't affect 1.1

So I think the only concerning one is the timing oracle, and it doesn't concern me enough to trigger a new round of releases.

However, I'm also concerned by the near certainty that we'll be criticised (again) for not immediately reacting, so if we'd rather not keep patiently explaining to nervous people that we aren't impacted, we could schedule new releases.

Thanks for the analysis Steve!

I agree, this doesn't currently sound like an urgent priority to release. (ie: apparently not a "Critical - everyone is screwed" flaw). It's good to have the commits/PRs ready place so that we can; thanks everyone for jumping on those.

I expect some people will want it sooner than our next planned releases in April because noteworthy CVEs do tend to trigger non-technical requirements for people to upgrade their software. At least it doesn't feel like we need to rush to cut new releases this week. 😅