> Could please anyone explain to me why some packages now require the
> openssl package instead of using the in-tree version?  This leads
> to two different versions of the same piece of software to be
> maintained. I searched the archives but have not found any
> explanation for that.

	what version of openssl do you have in-tree? (check
	/usr/include/openssl/opensslv.h)  pkgsrc/security/openssl/buildlink.mk
	detects if in-tree version is vulnerable or not, so it seems to me
	that you have a vulnerable version in-tree.

itojun