Yes, the fix for the truncation attack was originally rolled into 1.1.1e (March 2020) and then withdrawn in 1.1.1f because the new errors were too disruptive; IIRC the fix was already in the 3.x prereleases by that stage. So effectively if you stuck on 1.1.1, you've been living with this risk for 3 years.
The truncation attack is one where the client thinks their ssl session has ended but a malicious actor prevents the session from ending correctly; the threat is something like, after doing this your gmail can be messed with even tho you think you've logged out. From the descriptions it seems like you'd need to layer it with another attack or two to do anything useful with it. It's not something that keeps me awake at night.
When I dug into the python code we had hitting this a few months back (python 3.7 on recent ubuntu) it appeared that the error would not only trip up a client expecting to use 1.1.1 but could mean the last buffer read from the socket was not flushed (so, you can't just catch the error in python and assume it's ok because the other end had closed the connection anyway - you're missing some of the response). I wasn't certain but that possibility was a big bucket of NOPE for me, far easier to tell people to get the upgrade done and stop using software that had been built against 1.1.1.
The truncation attack is one where the client thinks their ssl session has ended but a malicious actor prevents the session from ending correctly; the threat is something like, after doing this your gmail can be messed with even tho you think you've logged out. From the descriptions it seems like you'd need to layer it with another attack or two to do anything useful with it. It's not something that keeps me awake at night.
When I dug into the python code we had hitting this a few months back (python 3.7 on recent ubuntu) it appeared that the error would not only trip up a client expecting to use 1.1.1 but could mean the last buffer read from the socket was not flushed (so, you can't just catch the error in python and assume it's ok because the other end had closed the connection anyway - you're missing some of the response). I wasn't certain but that possibility was a big bucket of NOPE for me, far easier to tell people to get the upgrade done and stop using software that had been built against 1.1.1.