OpenSSL release series 0.9.8, 1.0.0 and 1.0.1 are all now unsupported.
OpenSSL 1.0.2 is an LTS release.
The Exim Maintainers are not going to rush out to break support for
older series, but we're also not going to be constrained to keep working
with systems which are unsupported.

For you this means: if you're using OS packages, keep using the OS
packages. An OS which locks OpenSSL to an old version and backports
fixes is also already doing that for Exim. They're unlikely to change
this practice. If you're building Exim from source, then you should be
prepared to keep your OpenSSL up to date too. We'll add something
to the Exim install steps to walk you through the very simple steps.

Second, for those who track certificate authorities with paranoia: the
Exim HTTPS-enabled websites are all now using certificates from Let's
Encrypt. A couple more websites (git.exim.org and ftp.exim.org) are
also now additionally available over HTTPS.