nodejs · Nov 24, 2018
diff --git a/‎deps/openssl/openssl.gypi
+1 b/‎deps/openssl/openssl.gypi
+1
diff --git a/‎deps/openssl/openssl/CHANGES
+30 b/‎deps/openssl/openssl/CHANGES
+30
@@ -407,6 +407,7 @@
       'openssl/crypto/evp/pmeth_lib.c',
       'openssl/crypto/ex_data.c',
       'openssl/crypto/fips_ers.c',
+      'openssl/crypto/getenv.c',
       'openssl/crypto/hmac/hm_ameth.c',
       'openssl/crypto/hmac/hm_pmeth.c',
       'openssl/crypto/hmac/hmac.c',
 
@@ -7,6 +7,36 @@
  https://github.com/openssl/openssl/commits/ and pick the appropriate
  release branch.
 
+ Changes between 1.0.2p and 1.0.2q [20 Nov 2018]
+
+  *) Microarchitecture timing vulnerability in ECC scalar multiplication
+
+     OpenSSL ECC scalar multiplication, used in e.g. ECDSA and ECDH, has been
+     shown to be vulnerable to a microarchitecture timing side channel attack.
+     An attacker with sufficient access to mount local timing attacks during
+     ECDSA signature generation could recover the private key.
+
+     This issue was reported to OpenSSL on 26th October 2018 by Alejandro
+     Cabrera Aldaya, Billy Brumley, Sohaib ul Hassan, Cesar Pereida Garcia and
+     Nicola Tuveri.
+     (CVE-2018-5407)
+     [Billy Brumley]
+
+  *) Timing vulnerability in DSA signature generation
+
+     The OpenSSL DSA signature algorithm has been shown to be vulnerable to a
+     timing side channel attack. An attacker could use variations in the signing
+     algorithm to recover the private key.
+
+     This issue was reported to OpenSSL on 16th October 2018 by Samuel Weiser.
+     (CVE-2018-0734)
+     [Paul Dale]
+
+  *) Resolve a compatibility issue in EC_GROUP handling with the FIPS Object
+     Module, accidentally introduced while backporting security fixes from the
+     development branch and hindering the use of ECC in FIPS mode.
+     [Nicola Tuveri]
+
  Changes between 1.0.2o and 1.0.2p [14 Aug 2018]
 
   *) Client DoS due to large DH parameter