
> POODLE vulnerability.

Maybe the domain still uses the gotofail-prone [1] implementation of Apple's SSL library?

[1] https://nvd.nist.gov/vuln/detail/CVE-2014-1266

Personal note:

After that CVE was disclosed in 2014, I decided to ditch all Apple hardware forever. There is absolutely no security on any Apple device. The bug meant that there was not a single working SSL encryption from Apple's first OS up until (and including) OSX 10.9.2 and iOS 7.0.6 ... which kinda speaks volumes on Q&A or security audits.

Were all of the other OS X versions affected, too? The CVE only lists 10.9.x (so, 10.9 and 10.9.1).


Yes, all previous OSX versions up until 2014 were affected, too. The doubled `goto fail;` line was included since the first public revision of libsecurity_ssl, and the (c) line of that file is 1999-2001,2005-2012 Apple Inc. [1]

Nowadays, due to Apple never using git or any other version control software for its open-sourced code, I could trace it down to Mac OSX 10.4, which was released in 2005. [2]

With 10.1, there's no libsecurity open-sourced; I don't know why, but I'm pretty damn sure that at least 10.2 included the library back then. I don't have my old Powerbook G4 anymore, but I swear I could verify this bug on 10.2 (Jaguar) that was running on it at the time.

Other (maybe patched?) versions of libsecurity_ssl are located on the same server, with a global directory for everything, so it's not actually versioned!? [3]

At least the version of the file that has copyright 2000-2001 still has the same bug in it, so that is very likely the one that was used in the 10.1 public release. [4]

[1] https://opensource.apple.com/source/Security/Security-55471/...

[2] https://opensource.apple.com/release/mac-os-x-104.html

[3] https://opensource.apple.com/source/libsecurity_ssl/

[4] https://opensource.apple.com/source/libsecurity_ssl/libsecur...
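The doubled `goto fail;` discussed in this thread is a control-flow bug, not a crypto bug: the second `goto` is unconditional, `err` is still 0 at that point, and the signature check below it becomes dead code. The following is a constructed, simplified model of that shape (added here as an illustration; it is not Apple's code and the `step_ok` / `raw_verify_bad_signature` stand-ins are invented), placed next to a braced form in which the same stray line could not silently detach from its condition.

```c
#include <stdio.h>

/* Constructed stand-in for the hash-update steps; 0 means success. */
static int step_ok(void) { return 0; }

/* Constructed stand-in for the signature check. It always rejects, so a
 * correct caller must never report success when it reaches this point. */
static int raw_verify_bad_signature(void) { return -1; }

/* Vulnerable shape (CVE-2014-1266 pattern): the duplicated "goto fail;" is
 * not guarded by the if above it, so it is always taken while err == 0, the
 * verification call is never reached, and the function returns 0 (success). */
int verify_vulnerable(void)
{
    int err;
    if ((err = step_ok()) != 0)
        goto fail;
    if ((err = step_ok()) != 0)
        goto fail;
        goto fail;                       /* duplicated line: unconditional */
    if ((err = step_ok()) != 0)          /* dead code from here on */
        goto fail;
    err = raw_verify_bad_signature();    /* never executed */
fail:
    return err;
}

/* Hardened shape: braces make each branch explicit, so a duplicated
 * statement would land inside the conditional block instead of after it,
 * and the verification result actually decides the return value. */
int verify_fixed(void)
{
    int err;
    if ((err = step_ok()) != 0) { goto fail; }
    if ((err = step_ok()) != 0) { goto fail; }
    if ((err = step_ok()) != 0) { goto fail; }
    err = raw_verify_bad_signature();    /* reached: bad signature rejected */
fail:
    return err;
}

int main(void)
{
    printf("vulnerable shape returns %d (0 = bad signature accepted)\n",
           verify_vulnerable());
    printf("fixed shape returns      %d (nonzero = rejected)\n",
           verify_fixed());
    return 0;
}
```

Compiling the vulnerable function with `clang -Wunreachable-code` flags the dead verification call, which is the kind of check a build pipeline can enforce.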
