deps: update openssl to 1.0.1h

deps/openssl/openssl/ACKNOWLEDGMENTS

@@ -10,13 +10,18 @@ OpenSSL project.
 We would like to identify and thank the following such sponsors for their past
 or current significant support of the OpenSSL project:
 
+Major support:
+
+	Qualys		http://www.qualys.com/
+
 Very significant support:
 
-	OpenGear: www.opengear.com
+	OpenGear:	http://www.opengear.com/
 
 Significant support:
 
-	PSW Group: www.psw.net
+	PSW Group:	http://www.psw.net/
+	Acano Ltd.	http://acano.com/
 
 Please note that we ask permission to identify sponsors and that some sponsors
 we consider eligible for inclusion here have requested to remain anonymous.

deps/openssl/openssl/CHANGES

@@ -2,6 +2,50 @@
  OpenSSL CHANGES
  _______________
 
+ Changes between 1.0.1g and 1.0.1h [5 Jun 2014]
+
+  *) Fix for SSL/TLS MITM flaw. An attacker using a carefully crafted
+     handshake can force the use of weak keying material in OpenSSL
+     SSL/TLS clients and servers.
+
+     Thanks to KIKUCHI Masashi (Lepidum Co. Ltd.) for discovering and
+     researching this issue. (CVE-2014-0224)
+     [KIKUCHI Masashi, Steve Henson]
+
+  *) Fix DTLS recursion flaw. By sending an invalid DTLS handshake to an
+     OpenSSL DTLS client the code can be made to recurse eventually crashing
+     in a DoS attack.
+
+     Thanks to Imre Rad (Search-Lab Ltd.) for discovering this issue.
+     (CVE-2014-0221)
+     [Imre Rad, Steve Henson]
+
+  *) Fix DTLS invalid fragment vulnerability. A buffer overrun attack can
+     be triggered by sending invalid DTLS fragments to an OpenSSL DTLS
+     client or server. This is potentially exploitable to run arbitrary
+     code on a vulnerable client or server.
+
+     Thanks to J�ri Aedla for reporting this issue. (CVE-2014-0195)
+     [J�ri Aedla, Steve Henson]
+
+  *) Fix bug in TLS code where clients enable anonymous ECDH ciphersuites
+     are subject to a denial of service attack.
+
+     Thanks to Felix Gr�bert and Ivan Fratric at Google for discovering
+     this issue. (CVE-2014-3470)
+     [Felix Gr�bert, Ivan Fratric, Steve Henson]
+
+  *) Harmonize version and its documentation. -f flag is used to display
+     compilation flags.
+     [mancha <[email protected]>]
+
+  *) Fix eckey_priv_encode so it immediately returns an error upon a failure
+     in i2d_ECPrivateKey.
+     [mancha <[email protected]>]
+
+  *) Fix some double frees. These are not thought to be exploitable.
+     [mancha <[email protected]>]
+
  Changes between 1.0.1f and 1.0.1g [7 Apr 2014]
 
   *) A missing bounds check in the handling of the TLS heartbeat extension

deps/openssl/openssl/Makefile

@@ -4,7 +4,7 @@
 ## Makefile for OpenSSL
 ##
 
-VERSION=1.0.1g
+VERSION=1.0.1h
 MAJOR=1
 MINOR=0.1
 SHLIB_VERSION_NUMBER=1.0.0

deps/openssl/openssl/Makefile.bak

@@ -4,7 +4,7 @@
 ## Makefile for OpenSSL
 ##
 
-VERSION=1.0.1g-dev
+VERSION=1.0.1h-dev
 MAJOR=1
 MINOR=0.1
 SHLIB_VERSION_NUMBER=1.0.0

deps/openssl/openssl/NEWS

@@ -5,6 +5,14 @@
   This file gives a brief overview of the major changes between each OpenSSL
   release. For more details please read the CHANGES file.
 
+  Major changes between OpenSSL 1.0.1g and OpenSSL 1.0.1h [5 Jun 2014]
+
+      o Fix for CVE-2014-0224
+      o Fix for CVE-2014-0221
+      o Fix for CVE-2014-0195
+      o Fix for CVE-2014-3470
+      o Fix for CVE-2010-5298
+
   Major changes between OpenSSL 1.0.1f and OpenSSL 1.0.1g [7 Apr 2014]
 
       o Fix for CVE-2014-0160

deps/openssl/openssl/README

@@ -1,5 +1,5 @@
 
- OpenSSL 1.0.1g 7 Apr 2014
+ OpenSSL 1.0.1h 5 Jun 2014
 
  Copyright (c) 1998-2011 The OpenSSL Project
  Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson