diff --git a/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/Manifest b/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/Manifest
index be7cd65f37..dc9571d66d 100644
--- a/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/Manifest
+++ b/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/Manifest
@@ -1,5 +1,5 @@
-DIST openssl-1.0.2-patches-1.6.tar.xz 16004 BLAKE2B 28c7e9a8c8b09a34aa6ed21dec18b04c1d6140276e319cfa99b63db5ae188ca7837c444e8352748ffc86e6df7676534aef2f28788e825ee8207c0f876efb5b7b SHA512 eac9bbbebd8d942707ef385ee466929045bb4698985f7a0fb16f529f2101a246735cc2e654bfbdaa8a178224bb5ac564478a7587e6156cfcbdfe62a719bfb0a3
-DIST openssl-1.0.2p.tar.gz 5338192 BLAKE2B fe4c0e2bf75d47a76e7377c7977be7bcaaa532061ab89ee989786eeb6495295711a29a88bf026c85d9ed55c97e71b0e9c8cf4c29b6e58a3dc56bcff518666823 SHA512 958c5a7c3324bbdc8f07dfb13e11329d9a1b4452c07cf41fbd2d42b5fe29c95679332a3476d24c2dc2b88be16e4a24744aba675a05a388c0905756c77a8a2f16
-DIST openssl-1.0.2p_ec_curve.c 17254 BLAKE2B d40d8d6e770443f07abe70e2c4ddda6aec1cc8e37dc1f226a3fdd9ed5d228f09c6d372e8956b1948b55ee1d57d1429493e7288d0f54d9466a37fec805c85aacb SHA512 8e92fb100bcf4bd918c82b9a6cbd75a55abe1a2c08230a007e441c51577f974f8cc336e9ac8a672b32641480428ca8cead5380da1fe81bacb088145a1b754a15
-DIST openssl-1.0.2p_ectest.c 30735 BLAKE2B 95333a27f1cf0a4305a3cee7f6d46b9d4673582ca9acfcf5ba2a0d9d317ab6219cd0d2ff0ba3a55a317c8f5819342f05cc17ba80ec2c92b2b4cab9a3552382e1 SHA512 f2e4d34327b490bc8371f0845c69df3f9fc51ea16f0ea0de0411a0c1fa9d49bb2b6fafc363eb3b3cd919dc7c24e4a0d075c6ff878c01d70dae918f2540874c19
-DIST openssl-1.0.2p_hobble-openssl 1302 BLAKE2B 647caa6a0f4c53a2e77baa3b8e5961eaef3bb0ff38e7d5475eab8deef3439f7fe49028ec9ed0406f3453870b62cac67c496b3a048ee4c9ff4c6866d520235960 SHA512 3d757a4708e74a03dd5cb9b8114dfe442ed9520739a6eca693be4c4265771696f1449ea06d1c9bcfc6e94fc9b0dd0c10e153f1c3b0334831c0550b36cd63326e
+DIST openssl-1.0.2-patches-1.5.tar.xz 12404 BLAKE2B 6c1b8c28f339f539b2ab8643379502a24cf62bffde00041dce54d5dd9e8d2620b181362ee5464b0ab32ba4948e209697bfabadbea2944a409a1009100d298f24 SHA512 5725e2d9d1ee8cc074bcef3bed61c71bdab2ff1c114362110c3fb8da11ad5bc8f2ff28e90a293f5f3a5cf96ecda54dffdb7ab3fb3f8b23ef6472250dc3037659
+DIST openssl-1.0.2r.tar.gz 5348369 BLAKE2B 9f9c2d2fe6eaf9acacab29b394a318f30c38e831a5f9c193b2da660f9d04acbf407d8b752274783765416c0f5ba557c24ee293ad7fb7d727771db289e6acc901 SHA512 6eb2211f3ad56d7573ac26f388338592c37e5faaf5e2d44c0fa9062c12186e56a324f135d1c956a89b55fcce047e6428bec2756658d103e7275e08b46f741235
+DIST openssl-1.0.2r_ec_curve.c 17254 BLAKE2B d40d8d6e770443f07abe70e2c4ddda6aec1cc8e37dc1f226a3fdd9ed5d228f09c6d372e8956b1948b55ee1d57d1429493e7288d0f54d9466a37fec805c85aacb SHA512 8e92fb100bcf4bd918c82b9a6cbd75a55abe1a2c08230a007e441c51577f974f8cc336e9ac8a672b32641480428ca8cead5380da1fe81bacb088145a1b754a15
+DIST openssl-1.0.2r_ectest.c 30735 BLAKE2B 95333a27f1cf0a4305a3cee7f6d46b9d4673582ca9acfcf5ba2a0d9d317ab6219cd0d2ff0ba3a55a317c8f5819342f05cc17ba80ec2c92b2b4cab9a3552382e1 SHA512 f2e4d34327b490bc8371f0845c69df3f9fc51ea16f0ea0de0411a0c1fa9d49bb2b6fafc363eb3b3cd919dc7c24e4a0d075c6ff878c01d70dae918f2540874c19
+DIST openssl-1.0.2r_hobble-openssl 1302 BLAKE2B 647caa6a0f4c53a2e77baa3b8e5961eaef3bb0ff38e7d5475eab8deef3439f7fe49028ec9ed0406f3453870b62cac67c496b3a048ee4c9ff4c6866d520235960 SHA512 3d757a4708e74a03dd5cb9b8114dfe442ed9520739a6eca693be4c4265771696f1449ea06d1c9bcfc6e94fc9b0dd0c10e153f1c3b0334831c0550b36cd63326e
diff --git a/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/openssl-1.0.2p-r1.ebuild b/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/openssl-1.0.2r.ebuild
similarity index 91%
rename from sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/openssl-1.0.2p-r1.ebuild
rename to sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/openssl-1.0.2r.ebuild
index 9def504eec..9b19234d96 100644
--- a/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/openssl-1.0.2p-r1.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/openssl-1.0.2r.ebuild
@@ -1,11 +1,14 @@
-# Copyright 1999-2018 Gentoo Authors
+# Copyright 1999-2019 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI="6"
 
-inherit eutils flag-o-matic toolchain-funcs multilib multilib-minimal systemd
+inherit eutils flag-o-matic toolchain-funcs multilib multilib-minimal
 
-PATCH_SET="openssl-1.0.2-patches-1.6"
+# openssl-1.0.2-patches-1.6 contain additional CVE patches
+# which got fixed with this release.
+# Please use 1.7 version number when rolling a new tarball!
+PATCH_SET="openssl-1.0.2-patches-1.5"
 MY_P=${P/_/-}
 DESCRIPTION="full-strength general purpose cryptography library (including SSL and TLS)"
 HOMEPAGE="https://www.openssl.org/"
@@ -20,7 +23,8 @@ SRC_URI="mirror://openssl/source/${MY_P}.tar.gz
 LICENSE="openssl"
 SLOT="0"
 KEYWORDS="alpha amd64 arm arm64 hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86 ~amd64-fbsd ~x86-fbsd ~x86-linux"
-IUSE="+asm gmp kerberos rfc3779 sctp cpu_flags_x86_sse2 sslv2 +sslv3 static-libs test +tls-heartbeat vanilla zlib"
+IUSE="+asm bindist gmp kerberos rfc3779 sctp cpu_flags_x86_sse2 sslv2 +sslv3 static-libs test +tls-heartbeat vanilla zlib"
+RESTRICT="!bindist? ( bindist )"
 
 RDEPEND=">=app-misc/c_rehash-1.7-r1
 	gmp? ( >=dev-libs/gmp-5.1.3-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
@@ -55,7 +59,7 @@ done
 for i in "${FEDORA_PATCH[@]}" ; do # Already have a version prefix
 	FEDORA_SRC_URI+=( "${FEDORA_GIT_BASE}/${i}?h=${FEDORA_GIT_BRANCH} -> ${i}" )
 done
-SRC_URI+=" ${FEDORA_SRC_URI[*]} "
+SRC_URI+=" bindist? ( ${FEDORA_SRC_URI[@]} )"
 
 S="${WORKDIR}/${MY_P}"
 
@@ -64,7 +68,7 @@ MULTILIB_WRAPPED_HEADERS=(
 )
 
 src_prepare() {
-	if :; then
+	if use bindist; then
 		# This just removes the prefix, and puts it into WORKDIR like the RPM.
 		for i in "${FEDORA_SOURCE[@]}" ; do
 			cp -f "${DISTDIR}"/"${P}_${i}" "${WORKDIR}"/"${i}" || die
@@ -186,8 +190,8 @@ multilib_src_configure() {
 		$(use cpu_flags_x86_sse2 || echo "no-sse2") \
 		enable-camellia \
 		enable-ec \
-		no-ec2m \
-		no-srp \
+		$(use_ssl !bindist ec2m) \
+		$(use_ssl !bindist srp) \
 		${ec_nistp_64_gcc_128} \
 		enable-idea \
 		enable-mdc2 \
@@ -264,6 +268,11 @@ multilib_src_install_all() {
 	# twice; once with shared lib support enabled and once without.
 	use static-libs || rm -f "${ED}"/usr/lib*/lib*.a
 
+	# create the certs directory
+	dodir ${SSL_CNF_DIR}/certs
+	cp -RP certs/* "${ED}"${SSL_CNF_DIR}/certs/ || die
+	rm -r "${ED}"${SSL_CNF_DIR}/certs/{demo,expired}
+
 	# Namespace openssl programs to prevent conflicts with other man pages
 	cd "${ED}"/usr/share/man
 	local m d s
@@ -289,15 +298,12 @@ multilib_src_install_all() {
 	dodir /etc/sandbox.d #254521
 	echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl
 
-	# Don't keep the sample CA files and their ilk in /etc.
-	rm -r "${ED}"${SSL_CNF_DIR}
-
-	# Save the default openssl.cnf in /usr and link it into place.
-	dodir /usr/share/ssl
-	insinto /usr/share/ssl
-	doins "${S}"/apps/openssl.cnf
-	systemd_dotmpfilesd "${FILESDIR}"/openssl.conf
-
-	# Package the tmpfiles.d setup for SDK bootstrapping.
-	systemd-tmpfiles --create --root="${ED}" "${FILESDIR}"/openssl.conf
+	diropts -m0700
+	keepdir ${SSL_CNF_DIR}/private
+}
+
+pkg_postinst() {
+	ebegin "Running 'c_rehash ${EROOT%/}${SSL_CNF_DIR}/certs/' to rebuild hashes #333069"
+	c_rehash "${EROOT%/}${SSL_CNF_DIR}/certs" >/dev/null
+	eend $?
 }
diff --git a/sdk_container/src/third_party/coreos-overlay/metadata/md5-cache/dev-libs/openssl-1.0.2p-r1 b/sdk_container/src/third_party/coreos-overlay/metadata/md5-cache/dev-libs/openssl-1.0.2r
similarity index 64%
rename from sdk_container/src/third_party/coreos-overlay/metadata/md5-cache/dev-libs/openssl-1.0.2p-r1
rename to sdk_container/src/third_party/coreos-overlay/metadata/md5-cache/dev-libs/openssl-1.0.2r
index b743b33acc..d43621efe0 100644
--- a/sdk_container/src/third_party/coreos-overlay/metadata/md5-cache/dev-libs/openssl-1.0.2p-r1
+++ b/sdk_container/src/third_party/coreos-overlay/metadata/md5-cache/dev-libs/openssl-1.0.2r
@@ -1,14 +1,15 @@
-DEFINED_PHASES=compile configure install prepare test
-DEPEND=>=app-misc/c_rehash-1.7-r1 gmp? ( >=dev-libs/gmp-5.1.3-r1[static-libs(+)?,abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?] ) zlib? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?] ) kerberos? ( >=app-crypt/mit-krb5-1.11.4[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?] ) >=dev-lang/perl-5 sctp? ( >=net-misc/lksctp-tools-1.0.12 ) test? ( sys-apps/diffutils sys-devel/bc ) virtual/pkgconfig
+DEFINED_PHASES=compile configure install postinst prepare test
+DEPEND=>=app-misc/c_rehash-1.7-r1 gmp? ( >=dev-libs/gmp-5.1.3-r1[static-libs(+)?,abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?] ) zlib? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?] ) kerberos? ( >=app-crypt/mit-krb5-1.11.4[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?] ) >=dev-lang/perl-5 sctp? ( >=net-misc/lksctp-tools-1.0.12 ) test? ( sys-apps/diffutils sys-devel/bc )
 DESCRIPTION=full-strength general purpose cryptography library (including SSL and TLS)
 EAPI=6
 HOMEPAGE=https://www.openssl.org/
-IUSE=+asm gmp kerberos rfc3779 sctp cpu_flags_x86_sse2 sslv2 +sslv3 static-libs test +tls-heartbeat vanilla zlib abi_x86_32 abi_x86_64 abi_x86_x32 abi_mips_n32 abi_mips_n64 abi_mips_o32 abi_ppc_32 abi_ppc_64 abi_s390_32 abi_s390_64
+IUSE=+asm bindist gmp kerberos rfc3779 sctp cpu_flags_x86_sse2 sslv2 +sslv3 static-libs test +tls-heartbeat vanilla zlib abi_x86_32 abi_x86_64 abi_x86_x32 abi_mips_n32 abi_mips_n64 abi_mips_o32 abi_ppc_32 abi_ppc_64 abi_s390_32 abi_s390_64
 KEYWORDS=alpha amd64 arm arm64 hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86 ~amd64-fbsd ~x86-fbsd ~x86-linux
 LICENSE=openssl
 PDEPEND=app-misc/ca-certificates
 RDEPEND=>=app-misc/c_rehash-1.7-r1 gmp? ( >=dev-libs/gmp-5.1.3-r1[static-libs(+)?,abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?] ) zlib? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?] ) kerberos? ( >=app-crypt/mit-krb5-1.11.4[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?] )
+RESTRICT=!bindist? ( bindist )
 SLOT=0
-SRC_URI=mirror://openssl/source/openssl-1.0.2p.tar.gz !vanilla? ( mirror://gentoo/openssl-1.0.2-patches-1.6.tar.xz https://dev.gentoo.org/~chutzpah/dist/openssl/openssl-1.0.2-patches-1.6.tar.xz https://dev.gentoo.org/~whissi/dist/openssl/openssl-1.0.2-patches-1.6.tar.xz https://dev.gentoo.org/~polynomial-c/dist/openssl-1.0.2-patches-1.6.tar.xz ) https://src.fedoraproject.org/cgit/rpms/openssl.git/plain//hobble-openssl?h=f25 -> openssl-1.0.2p_hobble-openssl https://src.fedoraproject.org/cgit/rpms/openssl.git/plain//ec_curve.c?h=f25 -> openssl-1.0.2p_ec_curve.c https://src.fedoraproject.org/cgit/rpms/openssl.git/plain//ectest.c?h=f25 -> openssl-1.0.2p_ectest.c
-_eclasses_=desktop	b1d22ac8bdd4679ab79c71aca235009d	epatch	a1bf4756dba418a7238f3be0cb010c54	estack	43ddf5aaffa7a8d0482df54d25a66a1f	eutils	6e6c2737b59a4b982de6fb3ecefd87f8	flag-o-matic	55aaa148741116aa54ad0d80e361818e	ltprune	08f9e1d9ee0af8f5d9a7854efbcd8c0e	multibuild	40fe59465edacd730c644ec2bc197809	multilib	b2f01ad412baf81650c23fcf0975fa33	multilib-build	b42436dc1260f475af229754c165cb6b	multilib-minimal	8bddda43703ba94d8341f4e247f97566	preserve-libs	ef207dc62baddfddfd39a164d9797648	systemd	71fd8d2065d102753fb9e4d20eaf3e9f	toolchain-funcs	f164325a2cdb5b3ea39311d483988861	vcs-clean	2a0f74a496fa2b1552c4f3398258b7bf
-_md5_=faa57daab06de770227f724e9aee49bc
+SRC_URI=mirror://openssl/source/openssl-1.0.2r.tar.gz !vanilla? ( mirror://gentoo/openssl-1.0.2-patches-1.5.tar.xz https://dev.gentoo.org/~chutzpah/dist/openssl/openssl-1.0.2-patches-1.5.tar.xz https://dev.gentoo.org/~whissi/dist/openssl/openssl-1.0.2-patches-1.5.tar.xz https://dev.gentoo.org/~polynomial-c/dist/openssl-1.0.2-patches-1.5.tar.xz ) bindist? ( https://src.fedoraproject.org/cgit/rpms/openssl.git/plain//hobble-openssl?h=f25 -> openssl-1.0.2r_hobble-openssl https://src.fedoraproject.org/cgit/rpms/openssl.git/plain//ec_curve.c?h=f25 -> openssl-1.0.2r_ec_curve.c https://src.fedoraproject.org/cgit/rpms/openssl.git/plain//ectest.c?h=f25 -> openssl-1.0.2r_ectest.c )
+_eclasses_=desktop	b1d22ac8bdd4679ab79c71aca235009d	epatch	a1bf4756dba418a7238f3be0cb010c54	estack	43ddf5aaffa7a8d0482df54d25a66a1f	eutils	6e6c2737b59a4b982de6fb3ecefd87f8	flag-o-matic	55aaa148741116aa54ad0d80e361818e	ltprune	08f9e1d9ee0af8f5d9a7854efbcd8c0e	multibuild	40fe59465edacd730c644ec2bc197809	multilib	b2f01ad412baf81650c23fcf0975fa33	multilib-build	b42436dc1260f475af229754c165cb6b	multilib-minimal	8bddda43703ba94d8341f4e247f97566	preserve-libs	ef207dc62baddfddfd39a164d9797648	toolchain-funcs	f164325a2cdb5b3ea39311d483988861	vcs-clean	2a0f74a496fa2b1552c4f3398258b7bf
+_md5_=397a50fc3781b22e8ca02e042baf699c