How to fix the OpenSSL padding oracle vulnerability (CVE-2016-2107) for nginx on Debian jessie?

I got it.

I installed certbot from Debian unstable, which installed 1.0.2f-2. Unstable is pinned to priority "-100" (do not install from unstable unless requested with -t unstable). This means the version is between the jessie version 1.0.0X-Y and the current unstable version 1.0.2.h-1. This prevented an upgrade to the next version in unstable, while the upgrade in stable is an "older" version with respect to the version number.
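
The state described in this answer can be recognised in `apt-cache policy` output: the installed version is offered by no repository, and the only newer version comes from a negatively pinned source. The script below is an added example, not part of the original answer. Its sample output is constructed (mirror URLs and `examplepkg` are placeholders, the openssl version strings are copied as written above), and it assumes the jessie-era `apt-cache policy` layout with versions listed newest first.

```shell
# Constructed sample of `apt-cache policy` output; mirror names are placeholders.
sample_policy() {
    cat <<'EOF'
openssl:
  Installed: 1.0.2f-2
  Candidate: 1.0.2f-2
  Version table:
     1.0.2.h-1 0
       -100 http://mirror.example/debian/ unstable/main amd64 Packages
 *** 1.0.2f-2 0
        100 /var/lib/dpkg/status
     1.0.0X-Y 0
        500 http://mirror.example/debian/ jessie/main amd64 Packages
examplepkg:
  Installed: 1.0-1
  Candidate: 1.0-1
  Version table:
     2.0-1 0
       -100 http://mirror.example/debian/ unstable/main amd64 Packages
 *** 1.0-1 0
        500 http://mirror.example/debian/ jessie/main amd64 Packages
        100 /var/lib/dpkg/status
EOF
}

# Print "<package> <installed> <blocked newer version>" for every package whose
# installed version is in no repository while a newer one is pinned negative.
find_stranded() {
    awk '
    function end_version() {
        if (ver != "" && is_inst) { seen_inst = 1; inst_repo = has_repo }
        else if (ver != "" && !seen_inst && has_repo && !ok_repo && blocked == "") blocked = ver
        ver = ""
    }
    function end_package() {
        end_version()
        if (pkg != "" && seen_inst && !inst_repo && blocked != "") print pkg, inst, blocked
    }
    /^[^ ].*:$/ { end_package(); pkg = $1; sub(/:$/, "", pkg); seen_inst = inst_repo = 0; blocked = ""; next }
    /^  Installed:/ { inst = $2; next }
    /^       / { if ($2 != "/var/lib/dpkg/status") {    # source line: "<priority> <origin> ..."
                     if ($1 + 0 >= 0) ok_repo = 1; has_repo = 1 }
                 next }
    /^( \*\*\*|    ) [^ ]/ {                            # version line, "***" marks the installed one
        end_version(); is_inst = ($1 == "***"); ver = is_inst ? $2 : $1
        has_repo = 0; ok_repo = 0; next }
    END { end_package() }'
}
sample_policy | find_stranded   # prints: openssl 1.0.2f-2 1.0.2.h-1
```

On a real system, feed it `apt-cache policy openssl libssl1.0.0 | find_stranded`; any package it lists will not receive updates until it is upgraded with `-t unstable` or downgraded to the stable version.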