diff --git a/openssh-9.1p1-sshbanner.patch b/openssh-9.1p1-sshbanner.patch
new file mode 100644
index 0000000..57112be
--- /dev/null
+++ b/openssh-9.1p1-sshbanner.patch
@@ -0,0 +1,57 @@
+diff --git a/ssh-keyscan.c b/ssh-keyscan.c
+index d29a03b4..d7283136 100644
+--- a/ssh-keyscan.c
++++ b/ssh-keyscan.c
+@@ -490,6 +490,15 @@ congreet(int s)
+ 		return;
+ 	}
+ 
++	/*
++	 * Read the server banner as per RFC4253 section 4.2.  The "SSH-"
++	 * protocol identification string may be preceeded by an arbitarily
++	 * large banner which we must read and ignore.  Loop while reading
++	 * newline-terminated lines until we have one starting with "SSH-".
++	 * The ID string cannot be longer than 255 characters although the
++	 * preceeding banner lines may (in which case they'll be discarded
++	 * in multiple iterations of the outer loop).
++	 */
+ 	for (;;) {
+ 		memset(buf, '\0', sizeof(buf));
+ 		bufsiz = sizeof(buf);
+@@ -517,6 +526,11 @@ congreet(int s)
+ 		conrecycle(s);
+ 		return;
+ 	}
++	if (cp >= buf + sizeof(buf)) {
++		error("%s: greeting exceeds allowable length", c->c_name);
++		confree(s);
++		return;
++	}
+ 	if (*cp != '\n' && *cp != '\r') {
+ 		error("%s: bad greeting", c->c_name);
+ 		confree(s);
+diff --git a/sshsig.c b/sshsig.c
+index 1e3b6398..eb2a931e 100644
+--- a/sshsig.c
++++ b/sshsig.c
+@@ -491,7 +491,7 @@ hash_file(int fd, const char *hashalg, struct sshbuf **bp)
+ {
+ 	char *hex, rbuf[8192], hash[SSH_DIGEST_MAX_LENGTH];
+ 	ssize_t n, total = 0;
+-	struct ssh_digest_ctx *ctx;
++	struct ssh_digest_ctx *ctx = NULL;
+ 	int alg, oerrno, r = SSH_ERR_INTERNAL_ERROR;
+ 	struct sshbuf *b = NULL;
+ 
+@@ -549,9 +548,11 @@ hash_file(int fd, const char *hashalg, struct sshbuf **bp)
+ 	/* success */
+ 	r = 0;
+  out:
++	oerrno = errno;
+ 	sshbuf_free(b);
+ 	ssh_digest_free(ctx);
+ 	explicit_bzero(hash, sizeof(hash));
++	errno = oerrno;
+ 	return r;
+ }
+ 
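Review bot: The embedded sshsig.c hunks never remove a `ssh_digest_free(ctx)` call, so on their own they do not obviously fix the double free the changelog names; they only initialise `ctx` to NULL and preserve `errno` across the `out:` cleanup. The second hunk's header, `@@ -549,9 +548,11 @@`, shifts the new side up by one line although the first hunk is net-zero, which suggests a hunk deleting one line between them was dropped when the upstream commit was carried over. Please check the error paths of `hash_file` in the patched 8.7p1 tree (the body between the two hunks is not visible here): if any of them still calls `ssh_digest_free(ctx)` before `goto out`, either restore the missing hunk or add `ctx = NULL;` after that call so the cleanup at `out:` frees it only once.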
diff --git a/openssh.spec b/openssh.spec
index 0baac59..8271a20 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -51,7 +51,7 @@
 
 # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
 %global openssh_ver 8.7p1
-%global openssh_rel 25
+%global openssh_rel 26
 %global pam_ssh_agent_ver 0.10.4
 %global pam_ssh_agent_rel 5
 
@@ -221,6 +221,8 @@ Patch983: openssh-8.7p1-evpgenkey.patch
 # downstream only, IBMCA tentative fix
 # From https://bugzilla.redhat.com/show_bug.cgi?id=1976202#c14
 Patch984: openssh-8.7p1-ibmca.patch
+# Upstream ff89b1bed80721295555bd083b173247a9c0484e, 5062ad48814b06162511c4f5924a33d97b6b2566
+Patch986: openssh-9.1p1-sshbanner.patch
 
 # Minimize the use of SHA1 as a proof of possession for RSA key (#2031868)
 # upstream commits:
@@ -442,6 +444,7 @@ popd
 %patch982 -p1 -b .minrsabits
 %patch983 -p1 -b .evpgenrsa
 %patch984 -p1 -b .ibmca
+%patch986 -p1 -b .91cleanup
 
 %patch200 -p1 -b .audit
 %patch201 -p1 -b .audit-race
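Review bot: The backup suffix on the added `%patch986` line, `.91cleanup`, does not match the patch it applies (`openssh-9.1p1-sshbanner.patch`), while the neighbouring lines use a suffix taken from the patch name (`.minrsabits`, `.ibmca`). Backup files left behind by a failed or inspected build are easier to trace to their patch when the suffix matches, e.g. `%patch986 -p1 -b .sshbanner`.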
@@ -734,6 +737,12 @@ test -f %{sysconfig_anaconda} && \
 %endif
 
 %changelog
+* Fri Jan 06 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.7p1-26
+- Fix one-byte overflow in SSH banner processing
+  Resolves: rhbz#2138345
+- Fix double free() in error path
+  Resolves: rhbz#2138347
+
 * Fri Dec 16 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.7p1-25
 - Build fix after OpenSSL rebase
   Resolves: rhbz#2153626