diff --git a/SOURCES/openssl-1.0.1e-cve-2015-3194.patch b/SOURCES/openssl-1.0.1e-cve-2015-3194.patch
new file mode 100644
index 0000000..58b52f2
--- /dev/null
+++ b/SOURCES/openssl-1.0.1e-cve-2015-3194.patch
@@ -0,0 +1,12 @@
+diff -up openssl-1.0.1e/crypto/rsa/rsa_ameth.c.pss-check openssl-1.0.1e/crypto/rsa/rsa_ameth.c
+--- openssl-1.0.1e/crypto/rsa/rsa_ameth.c.pss-check	2013-02-11 16:26:04.000000000 +0100
++++ openssl-1.0.1e/crypto/rsa/rsa_ameth.c	2015-12-04 09:03:18.300660817 +0100
+@@ -287,7 +287,7 @@ static RSA_PSS_PARAMS *rsa_pss_decode(co
+ 		{
+ 		ASN1_TYPE *param = pss->maskGenAlgorithm->parameter;
+ 		if (OBJ_obj2nid(pss->maskGenAlgorithm->algorithm) == NID_mgf1
+-			&& param->type == V_ASN1_SEQUENCE)
++			&& param && param->type == V_ASN1_SEQUENCE)
+ 			{
+ 			p = param->value.sequence->data;
+ 			plen = param->value.sequence->length;
diff --git a/SOURCES/openssl-1.0.1e-cve-2015-3195.patch b/SOURCES/openssl-1.0.1e-cve-2015-3195.patch
new file mode 100644
index 0000000..80f196f
--- /dev/null
+++ b/SOURCES/openssl-1.0.1e-cve-2015-3195.patch
@@ -0,0 +1,31 @@
+diff -up openssl-1.0.1e/crypto/asn1/tasn_dec.c.combine-leak openssl-1.0.1e/crypto/asn1/tasn_dec.c
+--- openssl-1.0.1e/crypto/asn1/tasn_dec.c.combine-leak	2015-12-04 09:01:53.000000000 +0100
++++ openssl-1.0.1e/crypto/asn1/tasn_dec.c	2015-12-04 09:09:30.629793475 +0100
+@@ -169,6 +169,8 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval,
+ 	int otag;
+ 	int ret = 0;
+ 	ASN1_VALUE **pchptr, *ptmpval;
++	int combine = aclass & ASN1_TFLG_COMBINE;
++	aclass &= ~ASN1_TFLG_COMBINE;
+ 	if (!pval)
+ 		return 0;
+ 	if (aux && aux->asn1_cb)
+@@ -539,7 +541,8 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval,
+ 	auxerr:
+ 	ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_AUX_ERROR);
+ 	err:
+-	ASN1_item_ex_free(pval, it);
++	if (combine == 0)
++		ASN1_item_ex_free(pval, it);
+ 	if (errtt)
+ 		ERR_add_error_data(4, "Field=", errtt->field_name,
+ 					", Type=", it->sname);
+@@ -767,7 +770,7 @@ static int asn1_template_noexp_d2i(ASN1_
+ 		{
+ 		/* Nothing special */
+ 		ret = ASN1_item_ex_d2i(val, &p, len, ASN1_ITEM_ptr(tt->item),
+-							-1, 0, opt, ctx);
++							-1, tt->flags & ASN1_TFLG_COMBINE, opt, ctx);
+ 		if (!ret)
+ 			{
+ 			ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I,
diff --git a/SOURCES/openssl-1.0.1e-cve-2015-3196.patch b/SOURCES/openssl-1.0.1e-cve-2015-3196.patch
new file mode 100644
index 0000000..19dc323
--- /dev/null
+++ b/SOURCES/openssl-1.0.1e-cve-2015-3196.patch
@@ -0,0 +1,52 @@
+diff -up openssl-1.0.1e/ssl/s3_clnt.c.psk-identity openssl-1.0.1e/ssl/s3_clnt.c
+--- openssl-1.0.1e/ssl/s3_clnt.c.psk-identity	2015-12-04 09:01:53.000000000 +0100
++++ openssl-1.0.1e/ssl/s3_clnt.c	2015-12-04 09:36:24.182010426 +0100
+@@ -1367,8 +1367,6 @@ int ssl3_get_key_exchange(SSL *s)
+ #ifndef OPENSSL_NO_PSK
+ 	if (alg_k & SSL_kPSK)
+ 		{
+-		char tmp_id_hint[PSK_MAX_IDENTITY_LEN+1];
+-
+ 		al=SSL_AD_HANDSHAKE_FAILURE;
+ 		n2s(p,i);
+ 		param_len=i+2;
+@@ -1389,16 +1387,8 @@ int ssl3_get_key_exchange(SSL *s)
+ 				SSL_R_BAD_PSK_IDENTITY_HINT_LENGTH);
+ 			goto f_err;
+ 			}
+-		/* If received PSK identity hint contains NULL
+-		 * characters, the hint is truncated from the first
+-		 * NULL. p may not be ending with NULL, so create a
+-		 * NULL-terminated string. */
+-		memcpy(tmp_id_hint, p, i);
+-		memset(tmp_id_hint+i, 0, PSK_MAX_IDENTITY_LEN+1-i);
+-		if (s->ctx->psk_identity_hint != NULL)
+-			OPENSSL_free(s->ctx->psk_identity_hint);
+-		s->ctx->psk_identity_hint = BUF_strdup(tmp_id_hint);
+-		if (s->ctx->psk_identity_hint == NULL)
++		s->session->psk_identity_hint = BUF_strndup((char *)p, i);
++		if (s->session->psk_identity_hint == NULL)
+ 			{
+ 			SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
+ 			goto f_err;
+@@ -2904,7 +2894,7 @@ int ssl3_send_client_key_exchange(SSL *s
+ 				goto err;
+ 				}
+ 
+-			psk_len = s->psk_client_callback(s, s->ctx->psk_identity_hint,
++			psk_len = s->psk_client_callback(s, s->session->psk_identity_hint,
+ 				identity, PSK_MAX_IDENTITY_LEN,
+ 				psk_or_pre_ms, sizeof(psk_or_pre_ms));
+ 			if (psk_len > PSK_MAX_PSK_LEN)
+diff -up openssl-1.0.1e/ssl/s3_srvr.c.psk-identity openssl-1.0.1e/ssl/s3_srvr.c
+--- openssl-1.0.1e/ssl/s3_srvr.c.psk-identity	2015-12-04 09:01:53.000000000 +0100
++++ openssl-1.0.1e/ssl/s3_srvr.c	2015-12-04 09:43:45.144086868 +0100
+@@ -2751,7 +2751,7 @@ int ssl3_get_client_key_exchange(SSL *s)
+ 
+ 			if (s->session->psk_identity != NULL)
+ 				OPENSSL_free(s->session->psk_identity);
+-			s->session->psk_identity = BUF_strdup((char *)p);
++			s->session->psk_identity = BUF_strndup((char *)p, i);
+ 			if (s->session->psk_identity == NULL)
+ 				{
+ 				SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
diff --git a/SPECS/openssl.spec b/SPECS/openssl.spec
index d5ca112..47dd240 100644
--- a/SPECS/openssl.spec
+++ b/SPECS/openssl.spec
@@ -23,7 +23,7 @@
 Summary: Utilities from the general purpose cryptography library with TLS implementation
 Name: openssl
 Version: 1.0.1e
-Release: 42%{?dist}.9
+Release: 51%{?dist}.1
 Epoch: 1
 # We have to remove certain patented algorithms from the openssl source
 # tarball with the hobble-openssl script which is included below.
@@ -140,6 +140,9 @@ Patch131: openssl-1.0.1e-cve-2015-1789.patch
 Patch132: openssl-1.0.1e-cve-2015-1790.patch
 Patch133: openssl-1.0.1e-cve-2015-1791.patch
 Patch134: openssl-1.0.1e-cve-2015-1792.patch
+Patch135: openssl-1.0.1e-cve-2015-3194.patch
+Patch136: openssl-1.0.1e-cve-2015-3195.patch
+Patch137: openssl-1.0.1e-cve-2015-3196.patch
 
 License: OpenSSL
 Group: System Environment/Libraries
@@ -310,6 +313,9 @@ cp %{SOURCE12} %{SOURCE13} crypto/ec/
 %patch132 -p1 -b .missing-content
 %patch133 -p1 -b .ticket-race
 %patch134 -p1 -b .unknown-hash
+%patch135 -p1 -b .pss-check
+%patch136 -p1 -b .combine-leak
+%patch137 -p1 -b .psk-identity
 
 sed -i 's/SHLIB_VERSION_NUMBER "1.0.0"/SHLIB_VERSION_NUMBER "%{version}"/' crypto/opensslv.h
 
@@ -576,34 +582,41 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
 %postun libs -p /sbin/ldconfig
 
 %changelog
-* Tue Jun 23 2015 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-42.9
+* Fri Dec  4 2015 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-51.1
+- fix CVE-2015-3194 - certificate verify crash with missing PSS parameter
+- fix CVE-2015-3195 - X509_ATTRIBUTE memory leak
+- fix CVE-2015-3196 - race condition when handling PSK identity hint
+
+* Tue Jun 23 2015 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-51
 - fix the CVE-2015-1791 fix (broken server side renegotiation)
 
-* Thu Jun 11 2015 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-42.8
+* Thu Jun 11 2015 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-50
 - improved fix for CVE-2015-1791
 - add missing parts of CVE-2015-0209 fix for corectness although unexploitable
 
-* Tue Jun  9 2015 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-42.7
+* Tue Jun  9 2015 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-49
 - fix CVE-2014-8176 - invalid free in DTLS buffering code
 - fix CVE-2015-1789 - out-of-bounds read in X509_cmp_time
 - fix CVE-2015-1790 - PKCS7 crash with missing EncryptedContent
 - fix CVE-2015-1791 - race condition handling NewSessionTicket
 - fix CVE-2015-1792 - CMS verify infinite loop with unknown hash function
+
+* Wed Jun  3 2015 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-48
 - fix CVE-2015-3216 - regression in RAND locking that can cause segfaults on
   read in multithreaded applications
 
-* Mon May 25 2015 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-42.6
+* Mon May 25 2015 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-47
 - fix CVE-2015-4000 - prevent the logjam attack on client - restrict
   the DH key size to at least 768 bits (limit will be increased in future)
 
-* Thu Mar 26 2015 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-42.5
+* Wed Mar 25 2015 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-46
 - drop the AES-GCM restriction of 2^32 operations because the IV is
   always 96 bits (32 bit fixed field + 64 bit invocation field)
 
-* Thu Mar 19 2015 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-42.4
+* Thu Mar 19 2015 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-45
 - update fix for CVE-2015-0287 to what was released upstream
 
-* Wed Mar 18 2015 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-42.3
+* Wed Mar 18 2015 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-44
 - fix CVE-2015-0209 - potential use after free in d2i_ECPrivateKey()
 - fix CVE-2015-0286 - improper handling of ASN.1 boolean comparison
 - fix CVE-2015-0287 - ASN.1 structure reuse decoding memory corruption
@@ -612,7 +625,7 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
 - fix CVE-2015-0292 - integer underflow in base64 decoder
 - fix CVE-2015-0293 - triggerable assert in SSLv2 server
 
-* Mon Mar 16 2015 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-42.2
+* Mon Mar 16 2015 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-43
 - fix broken error detection when unwrapping unpadded key
 
 * Mon Mar  2 2015 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-42.1