I simply replaced the 4.1.1 libssl.so with a 4.1.2 version.
My phone (tcl 997) is 4.1.1 and strangely not affected, but I tried it on my phone before suggesting it to someone else.
Another person did it with his affected Huawei Y300. Both still work and pass the heartbleed detector:
Download this rom, I used the 3.1 version.
extract /system/lib/libssl.so from the rom's .zip
***do not boot phone between these steps ***
rename the /system/lib/libssl.so on your phone
copy "new" libssl.so to phone and set its file rights to rw- r-- r--
now boot phone
You could be fine now.
BUT your phone might not boot anymore if something goes wrong with the new libssl.so. Mine wouldn't boot without a valid libssl, yes i had to try it out. I have a TWRP recovery with a file manager, so I could rename my old libssl back and then my phone would boot again.
Of course, this is on your own risk. It worked for me, it might fail for you. Don't do it if you don't fully understand.
If you speak german, you might also want to read this: