The Register® — Biting the hand that feeds IT


Post: First explanation is correct - Debian screwed up

Anonymous Coward


In Debian fixes serious crypto bug

Linux

The first of the two explanations is the correct one: Debian maintainers fixed a warning issued by the memory debugger Valgrind by commenting out the code instead of finding the root cause. Needless to say this was incredibly stupid of them. The code concerned added memory to the pool used when deriving the random number; commenting it out meant that the number of possible variations was reduced by a significant factor.

According to Ben Laurie of OpenSSL, the Debian maintainers never mentioned what they were doing to anyone at OpenSSL nor did they forward on the "fix". As a result no-one who actually knew the code was able to point out the mistake they were making.

Debian should revoke the permissions of the packager responsible and ensure that only qualified people are given such critical jobs. As Ben Laurie also notes, distributions should not be patching issues in their own copies without also sending patches upstream where they can be reviewed by people who know the code.
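The collapse in "possible variations" the post describes can be made concrete with a toy model. The block below is an added illustration, not OpenSSL's code and not part of the original comment: a digest stands in for the entropy pool, a 256-bit buffer stands in for the bytes the commented-out lines would have mixed in, and the only input that survives when that step is skipped is a small process-id-sized value (the real incident left the PID as the remaining input, which is why the key space shrank to a few tens of thousands; that detail is from outside the post). Counting distinct outputs over many runs shows the effect that made the affected keys enumerable and therefore blacklistable.

```python
# Toy entropy pool with and without its seeding step (constructed example,
# not OpenSSL's RAND implementation).
import hashlib
import random
from typing import List, Tuple

PID_MAX = 32767  # assumed size of the low-entropy input that remains


def derive_key(pid: int, seed_buffer: bytes, mix_in_buffer: bool) -> bytes:
    """Return a toy 'key' derived from the pool state.

    The pool always absorbs the small pid value. seed_buffer stands for
    the bytes the commented-out code would have added to the pool; when
    mix_in_buffer is False that step is skipped, as in the broken build.
    """
    pool = hashlib.sha256()
    pool.update(pid.to_bytes(4, "big"))
    if mix_in_buffer:
        pool.update(seed_buffer)
    return pool.digest()


def make_samples(n: int, rng_seed: int = 1) -> List[Tuple[int, bytes]]:
    """Construct n (pid, seed_buffer) pairs from a seeded PRNG (reproducible test data)."""
    rng = random.Random(rng_seed)
    return [
        (rng.randint(1, PID_MAX), rng.getrandbits(256).to_bytes(32, "big"))
        for _ in range(n)
    ]


def count_distinct_keys(samples: List[Tuple[int, bytes]], mix_in_buffer: bool) -> int:
    """Number of distinct keys the pool produces across all samples."""
    return len({derive_key(pid, buf, mix_in_buffer) for pid, buf in samples})


def distinct_pids(samples: List[Tuple[int, bytes]]) -> int:
    """Upper bound on distinct keys once the pool depends on the pid alone."""
    return len({pid for pid, _ in samples})


if __name__ == "__main__":
    samples = make_samples(50_000)
    print("with seeding   :", count_distinct_keys(samples, True))
    print("without seeding:", count_distinct_keys(samples, False),
          "(can never exceed", PID_MAX, ")")
```

With the mix-in step present every run yields a fresh key; with it removed the output is a pure function of the pid, so no matter how many keys are generated there are at most PID_MAX of them, which is what made a complete list of weak fingerprints feasible for defenders to ship.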
