"For FIPS 140-2 validated software no changes are permitted without prior CMVP approval so neither of these patches can be applied to the v1.1.1 distribution for the purposes of producing a validated module," Steve Marquess of OSSI said in the announcement of the patches.
That means that for the time being federal users must continue using the flawed software or patch it and go out of compliance.
The link for this article located at Government Computer News is no longer available.