The openssl change was communicated with upstream at the time, but no one from upstream pointed out the issue (not surprisingly, because the change seemed like an innocuous fix to an unassigned variable.)

We (Debian) fix bugs and send upstream the changes all the time, so this kind of thing happens. (Upstreams introduce these kind of bugs too; it’s the nature of software development.)