schedule update to security release

Author: rvagg

locale/en/blog/vulnerability/openssl-and-low-severity-fixes-jan-2016.md

@@ -7,7 +7,7 @@ layout: blog-post.hbs
 author: Rod Vagg
 ---
 
-***(An update to this post is included below)***
+***(Updates to this post, including a schedule change are included below)***
 
 ### Summary
 
@@ -97,3 +97,14 @@ Node.js v4 and v5 do not support SSLv2.
 Previous releases of OpenSSL (since Node.js v0.10.39, v0.12.5, v4.0.0 and v5.0.0) mitigated against [Logjam](https://en.wikipedia.org/wiki/Logjam_%28computer_security%29) for TLS _clients_ by rejecting connections from servers where Diffie-Hellman parameters were shorter than 768-bits.
 
 The new OpenSSL release, for all Node.js lines, increases this to 1024-bits. The change only impacts TLS clients connecting to servers with weak DH parameter lengths.
+
+## _(Update 30-Jan-3016)_ Release postponement
+
+The announced security releases will not go ahead for the 1st of February as previously announced. Instead, our new target for release will be on or shortly after **Tuesday, the 9th of February, 11pm UTC** _(Tuesday, the 9th of February, 3pm Pacific Time)_.
+
+The planned fixes include a backward-incompatible change that, under normal circumstances, would be deferred until the next major-version of Node.js, v6. However, because the fix addresses a security concern that exists across all release lines (including our LTS lines: v4, v0.12 and v0.10) we require the additional time to further review the changes and consider how best to achieve minimal impact to users.
+
+We apologise for any inconvenience this schedule change may cause.
+
+Please tune in to **nodejs-sec** (https://groups.google.com/forum/#!topic/nodejs-sec) to be notified of any further updates.
+