diff --git a/SOURCES/openssh-9.3p1-upstream-cve-2023-38408.patch b/SOURCES/openssh-9.3p1-upstream-cve-2023-38408.patch
new file mode 100644
index 0000000..6211473
--- /dev/null
+++ b/SOURCES/openssh-9.3p1-upstream-cve-2023-38408.patch
@@ -0,0 +1,17 @@
+diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c
+index 6be647ec..ebddf6c3 100644
+--- a/ssh-pkcs11.c
++++ b/ssh-pkcs11.c
+@@ -1537,10 +1537,8 @@ pkcs11_register_provider(char *provider_id, char *pin,
+ 		error("dlopen %s failed: %s", provider_id, dlerror());
+ 		goto fail;
+ 	}
+-	if ((getfunctionlist = dlsym(handle, "C_GetFunctionList")) == NULL) {
+-		error("dlsym(C_GetFunctionList) failed: %s", dlerror());
+-		goto fail;
+-	}
++	if ((getfunctionlist = dlsym(handle, "C_GetFunctionList")) == NULL)
++		fatal("dlsym(C_GetFunctionList) failed: %s", dlerror());
+ 	p = xcalloc(1, sizeof(*p));
+ 	p->name = xstrdup(provider_id);
+ 	p->handle = handle;
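Review bot: The `dlopen()` whose failure branch appears as context above the changed lines still runs before the `C_GetFunctionList` lookup, so a library that is not a PKCS#11 provider has already been loaded, and its constructors run, by the time the new `fatal()` fires. The change stops the process from carrying on and from reaching the `fail` path with that handle, but on its own it does not keep such a library out of the address space. I would say so in a comment above the check, e.g. `/* Not a PKCS#11 provider: terminate rather than unwind; the library is already loaded at this point */`, and confirm that the provider path whitelist (`ssh-agent -P`), if this branch carries it, stays restrictive. `fatal()` also ends whichever process called this function, so a mistyped provider path now terminates it instead of returning an error; the function body starts and ends outside the hunk.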
diff --git a/SPECS/openssh.spec b/SPECS/openssh.spec
index cd9c459..8ada930 100644
--- a/SPECS/openssh.spec
+++ b/SPECS/openssh.spec
@@ -64,7 +64,7 @@
 
 # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
 %define openssh_ver 7.4p1
-%define openssh_rel 22
+%define openssh_rel 23
 %define pam_ssh_agent_ver 0.10.3
 %define pam_ssh_agent_rel 2
 
@@ -256,6 +256,9 @@ Patch961: openssh-7.4p1-CVE-2018-15473.patch
 Patch962: openssh-7.4p1-uidswap.patch
 # CVE-2021-41617
 Patch978: openssh-8.7p1-upstream-cve-2021-41617.patch
+# upsream commit
+# b23fe83f06ee7e721033769cfa03ae840476d280
+Patch1015: openssh-9.3p1-upstream-cve-2023-38408.patch
 
 License: BSD
 Group: Applications/Internet
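Review bot: The comment added above `Patch1015` misspells "upstream" and, unlike the `# CVE-2021-41617` line just before it, does not name the CVE it belongs to. Suggest a single line, `# CVE-2023-38408, upstream commit b23fe83f06ee7e721033769cfa03ae840476d280`. The changelog entry says the update resolves the CVE while only this one commit is carried, so if upstream shipped further changes for the same CVE it would help to note here whether they were evaluated for this branch.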
@@ -519,6 +522,7 @@ popd
 %patch700 -p1 -b .fips
 
 %patch100 -p1 -b .coverity
+%patch1015 -p1 -b .cve-2023-38408
 
 %if 0
 # Nothing here yet
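Review bot: `%patch1015` applies a hunk generated against 9.3p1 (header `@@ -1537,10 +1537,8 @@ pkcs11_register_provider`) to a tree the spec pins at `openssh_ver 7.4p1`, so it most likely applies only by offset, and the function named in the hunk header may not be the one actually patched. Rebasing the patch file on the 7.4p1 source, as it stands after the earlier patches in this list, would make the patched location reviewable and let the build fail loudly if the context drifts. At minimum, add a comment above the line such as `# 9.3p1 hunk, applies by offset to ssh-pkcs11.c in 7.4p1`.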
@@ -838,6 +842,10 @@ getent passwd sshd >/dev/null || \
 %endif
 
 %changelog
+* Thu Jul 20 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 7.4p1-23 + 0.10.3-2
+- Avoid remote code execution in ssh-agent PKCS#11 support
+  Resolves: CVE-2023-38408
+
 * Thu Sep 30 2021 Dmitry Belyavskiy <dbelyavs@redhat.com> - 7.4p1-22 + 0.10.3-2
 - avoid segfault in Kerberos cache cleanup (#1999263)
 - fix CVE-2021-41617 (#2008884)