Assuming, as it should be the case since the protocol is
deprecated as from 2011, that SSLv2 is not allowed in your
server, apply all OpenSSL patches up to and including that
of March 1st.

BTW, this is an excellent example of why state-sponsored
backdoors should _never_ be introduced in sofware or protocols,
whatever the excuse. Please note also that the flawed (NSA
infected?)[1] PKCS#1v1.5 standard is at the very core of DNSSEC,[2]
the politicaly heavy-loadel protocol that's being used to turn Internet
into a hierarchical network.

Regards from the Far South,

Enrique

[1] Considering Dual_EC_DRBG and the whole Juniper affair,
this is completely possible.
[2] See RFC 5702, section 3. Bleichenbacher's attack against
PKCS#1v1.5 is known since 1998