diff --git a/SOURCES/openssl-1.0.1e-cve-2016-0799.patch b/SOURCES/openssl-1.0.1e-cve-2016-0799.patch
new file mode 100644
index 0000000..42a3d01
--- /dev/null
+++ b/SOURCES/openssl-1.0.1e-cve-2016-0799.patch
@@ -0,0 +1,437 @@
+diff -up openssl-1.0.1e/crypto/bio/b_print.c.bio-printf openssl-1.0.1e/crypto/bio/b_print.c
+--- openssl-1.0.1e/crypto/bio/b_print.c.bio-printf	2013-02-11 16:26:04.000000000 +0100
++++ openssl-1.0.1e/crypto/bio/b_print.c	2016-04-07 14:36:55.538117697 +0200
+@@ -125,14 +125,14 @@
+ #define LLONG long
+ #endif
+ 
+-static void fmtstr     (char **, char **, size_t *, size_t *,
++static int fmtstr(char **, char **, size_t *, size_t *,
+ 			const char *, int, int, int);
+-static void fmtint     (char **, char **, size_t *, size_t *,
++static int fmtint(char **, char **, size_t *, size_t *,
+ 			LLONG, int, int, int, int);
+-static void fmtfp      (char **, char **, size_t *, size_t *,
++static int fmtfp(char **, char **, size_t *, size_t *,
+ 			LDOUBLE, int, int, int);
+-static void doapr_outch (char **, char **, size_t *, size_t *, int);
+-static void _dopr(char **sbuffer, char **buffer,
++static int doapr_outch(char **, char **, size_t *, size_t *, int);
++static int _dopr(char **sbuffer, char **buffer,
+ 		  size_t *maxlen, size_t *retlen, int *truncated,
+ 		  const char *format, va_list args);
+ 
+@@ -165,7 +165,7 @@ static void _dopr(char **sbuffer, char *
+ #define char_to_int(p) (p - '0')
+ #define OSSL_MAX(p,q) ((p >= q) ? p : q)
+ 
+-static void
++static int
+ _dopr(
+     char **sbuffer,
+     char **buffer,
+@@ -200,7 +200,8 @@ _dopr(
+             if (ch == '%')
+                 state = DP_S_FLAGS;
+             else
+-                doapr_outch(sbuffer,buffer, &currlen, maxlen, ch);
++                if (!doapr_outch(sbuffer, buffer, &currlen, maxlen, ch))
++			return 0;
+             ch = *format++;
+             break;
+         case DP_S_FLAGS:
+@@ -306,8 +307,9 @@ _dopr(
+                     value = va_arg(args, int);
+                     break;
+                 }
+-                fmtint(sbuffer, buffer, &currlen, maxlen,
+-                       value, 10, min, max, flags);
++                if (!fmtint(sbuffer, buffer, &currlen, maxlen, value, 10, min,
++                            max, flags))
++                    return 0;
+                 break;
+             case 'X':
+                 flags |= DP_F_UP;
+@@ -332,17 +334,19 @@ _dopr(
+                         unsigned int);
+                     break;
+                 }
+-                fmtint(sbuffer, buffer, &currlen, maxlen, value,
++                if (!fmtint(sbuffer, buffer, &currlen, maxlen, value,
+                        ch == 'o' ? 8 : (ch == 'u' ? 10 : 16),
+-                       min, max, flags);
++                            min, max, flags))
++                    return 0;
+                 break;
+             case 'f':
+                 if (cflags == DP_C_LDOUBLE)
+                     fvalue = va_arg(args, LDOUBLE);
+                 else
+                     fvalue = va_arg(args, double);
+-                fmtfp(sbuffer, buffer, &currlen, maxlen,
+-                      fvalue, min, max, flags);
++                if (!fmtfp(sbuffer, buffer, &currlen, maxlen, fvalue, min, max,
++                           flags))
++                    return 0;
+                 break;
+             case 'E':
+                 flags |= DP_F_UP;
+@@ -361,8 +365,9 @@ _dopr(
+                     fvalue = va_arg(args, double);
+                 break;
+             case 'c':
+-                doapr_outch(sbuffer, buffer, &currlen, maxlen,
+-                    va_arg(args, int));
++                if(!doapr_outch(sbuffer, buffer, &currlen, maxlen,
++                            va_arg(args, int)))
++                    return 0;
+                 break;
+             case 's':
+                 strvalue = va_arg(args, char *);
+@@ -372,13 +377,15 @@ _dopr(
+ 		    else
+ 			max = *maxlen;
+ 		}
+-                fmtstr(sbuffer, buffer, &currlen, maxlen, strvalue,
+-                       flags, min, max);
++                if (!fmtstr(sbuffer, buffer, &currlen, maxlen, strvalue,
++                            flags, min, max))
++                    return 0;
+                 break;
+             case 'p':
+                 value = (long)va_arg(args, void *);
+-                fmtint(sbuffer, buffer, &currlen, maxlen,
+-                    value, 16, min, max, flags|DP_F_NUM);
++                if (!fmtint(sbuffer, buffer, &currlen, maxlen,
++                            value, 16, min, max, flags | DP_F_NUM))
++                    return 0;
+                 break;
+             case 'n': /* XXX */
+                 if (cflags == DP_C_SHORT) {
+@@ -400,7 +407,8 @@ _dopr(
+                 }
+                 break;
+             case '%':
+-                doapr_outch(sbuffer, buffer, &currlen, maxlen, ch);
++                if(!doapr_outch(sbuffer, buffer, &currlen, maxlen, ch))
++                    return 0;
+                 break;
+             case 'w':
+                 /* not supported yet, treat as next char */
+@@ -424,12 +432,13 @@ _dopr(
+     *truncated = (currlen > *maxlen - 1);
+     if (*truncated)
+         currlen = *maxlen - 1;
+-    doapr_outch(sbuffer, buffer, &currlen, maxlen, '\0');
++    if(!doapr_outch(sbuffer, buffer, &currlen, maxlen, '\0'))
++        return 0;
+     *retlen = currlen - 1;
+-    return;
++    return 1;
+ }
+ 
+-static void
++static int
+ fmtstr(
+     char **sbuffer,
+     char **buffer,
+@@ -440,36 +449,44 @@ fmtstr(
+     int min,
+     int max)
+ {
+-    int padlen, strln;
++    int padlen;
++    size_t strln;
+     int cnt = 0;
+ 
+     if (value == 0)
+         value = "<NULL>";
+-    for (strln = 0; value[strln]; ++strln)
+-        ;
++
++    strln = strlen(value);
++    if (strln > INT_MAX)
++        strln = INT_MAX;
++
+     padlen = min - strln;
+-    if (padlen < 0)
++    if (min < 0 || padlen < 0)
+         padlen = 0;
+     if (flags & DP_F_MINUS)
+         padlen = -padlen;
+ 
+     while ((padlen > 0) && (cnt < max)) {
+-        doapr_outch(sbuffer, buffer, currlen, maxlen, ' ');
++        if(!doapr_outch(sbuffer, buffer, currlen, maxlen, ' '))
++            return 0;
+         --padlen;
+         ++cnt;
+     }
+     while (*value && (cnt < max)) {
+-        doapr_outch(sbuffer, buffer, currlen, maxlen, *value++);
++        if(!doapr_outch(sbuffer, buffer, currlen, maxlen, *value++))
++            return 0;
+         ++cnt;
+     }
+     while ((padlen < 0) && (cnt < max)) {
+-        doapr_outch(sbuffer, buffer, currlen, maxlen, ' ');
++        if(!doapr_outch(sbuffer, buffer, currlen, maxlen, ' '))
++            return 0;
+         ++padlen;
+         ++cnt;
+     }
++    return 1;
+ }
+ 
+-static void
++static int
+ fmtint(
+     char **sbuffer,
+     char **buffer,
+@@ -533,37 +550,44 @@ fmtint(
+ 
+     /* spaces */
+     while (spadlen > 0) {
+-        doapr_outch(sbuffer, buffer, currlen, maxlen, ' ');
++        if(!doapr_outch(sbuffer, buffer, currlen, maxlen, ' '))
++            return 0;
+         --spadlen;
+     }
+ 
+     /* sign */
+     if (signvalue)
+-        doapr_outch(sbuffer, buffer, currlen, maxlen, signvalue);
++        if(!doapr_outch(sbuffer, buffer, currlen, maxlen, signvalue))
++            return 0;
+ 
+     /* prefix */
+     while (*prefix) {
+-	doapr_outch(sbuffer, buffer, currlen, maxlen, *prefix);
++        if(!doapr_outch(sbuffer, buffer, currlen, maxlen, *prefix))
++            return 0;
+ 	prefix++;
+     }
+ 
+     /* zeros */
+     if (zpadlen > 0) {
+         while (zpadlen > 0) {
+-            doapr_outch(sbuffer, buffer, currlen, maxlen, '0');
++            if(!doapr_outch(sbuffer, buffer, currlen, maxlen, '0'))
++                return 0;
+             --zpadlen;
+         }
+     }
+     /* digits */
+-    while (place > 0)
+-        doapr_outch(sbuffer, buffer, currlen, maxlen, convert[--place]);
++    while (place > 0) {
++        if (!doapr_outch(sbuffer, buffer, currlen, maxlen, convert[--place]))
++            return 0;
++    }
+ 
+     /* left justified spaces */
+     while (spadlen < 0) {
+-        doapr_outch(sbuffer, buffer, currlen, maxlen, ' ');
++        if (!doapr_outch(sbuffer, buffer, currlen, maxlen, ' '))
++            return 0;
+         ++spadlen;
+     }
+-    return;
++    return 1;
+ }
+ 
+ static LDOUBLE
+@@ -597,7 +621,7 @@ roundv(LDOUBLE value)
+     return intpart;
+ }
+ 
+-static void
++static int
+ fmtfp(
+     char **sbuffer,
+     char **buffer,
+@@ -616,7 +640,6 @@ fmtfp(
+     int fplace = 0;
+     int padlen = 0;
+     int zpadlen = 0;
+-    int caps = 0;
+     long intpart;
+     long fracpart;
+     long max10;
+@@ -650,9 +673,7 @@ fmtfp(
+ 
+     /* convert integer part */
+     do {
+-        iconvert[iplace++] =
+-            (caps ? "0123456789ABCDEF"
+-              : "0123456789abcdef")[intpart % 10];
++        iconvert[iplace++] = "0123456789"[intpart % 10];
+         intpart = (intpart / 10);
+     } while (intpart && (iplace < (int)sizeof(iconvert)));
+     if (iplace == sizeof iconvert)
+@@ -661,9 +682,7 @@ fmtfp(
+ 
+     /* convert fractional part */
+     do {
+-        fconvert[fplace++] =
+-            (caps ? "0123456789ABCDEF"
+-              : "0123456789abcdef")[fracpart % 10];
++        fconvert[fplace++] = "0123456789"[fracpart % 10];
+         fracpart = (fracpart / 10);
+     } while (fplace < max);
+     if (fplace == sizeof fconvert)
+@@ -682,47 +701,61 @@ fmtfp(
+ 
+     if ((flags & DP_F_ZERO) && (padlen > 0)) {
+         if (signvalue) {
+-            doapr_outch(sbuffer, buffer, currlen, maxlen, signvalue);
++            if (!doapr_outch(sbuffer, buffer, currlen, maxlen, signvalue))
++                return 0;
+             --padlen;
+             signvalue = 0;
+         }
+         while (padlen > 0) {
+-            doapr_outch(sbuffer, buffer, currlen, maxlen, '0');
++            if (!doapr_outch(sbuffer, buffer, currlen, maxlen, '0'))
++                return 0;
+             --padlen;
+         }
+     }
+     while (padlen > 0) {
+-        doapr_outch(sbuffer, buffer, currlen, maxlen, ' ');
++        if (!doapr_outch(sbuffer, buffer, currlen, maxlen, ' '))
++            return 0;
+         --padlen;
+     }
+-    if (signvalue)
+-        doapr_outch(sbuffer, buffer, currlen, maxlen, signvalue);
++    if (signvalue && !doapr_outch(sbuffer, buffer, currlen, maxlen, signvalue))
++        return 0;
+ 
+-    while (iplace > 0)
+-        doapr_outch(sbuffer, buffer, currlen, maxlen, iconvert[--iplace]);
++    while (iplace > 0) {
++        if (!doapr_outch(sbuffer, buffer, currlen, maxlen, iconvert[--iplace]))
++            return 0;
++    }
+ 
+     /*
+      * Decimal point. This should probably use locale to find the correct
+      * char to print out.
+      */
+     if (max > 0 || (flags & DP_F_NUM)) {
+-        doapr_outch(sbuffer, buffer, currlen, maxlen, '.');
++        if (!doapr_outch(sbuffer, buffer, currlen, maxlen, '.'))
++            return 0;
+ 
+-        while (fplace > 0)
+-            doapr_outch(sbuffer, buffer, currlen, maxlen, fconvert[--fplace]);
++        while (fplace > 0) {
++            if(!doapr_outch(sbuffer, buffer, currlen, maxlen,
++                            fconvert[--fplace]))
++                return 0;
++        }
+     }
+     while (zpadlen > 0) {
+-        doapr_outch(sbuffer, buffer, currlen, maxlen, '0');
++        if (!doapr_outch(sbuffer, buffer, currlen, maxlen, '0'))
++            return 0;
+         --zpadlen;
+     }
+ 
+     while (padlen < 0) {
+-        doapr_outch(sbuffer, buffer, currlen, maxlen, ' ');
++        if (!doapr_outch(sbuffer, buffer, currlen, maxlen, ' '))
++            return 0;
+         ++padlen;
+     }
++    return 1;
+ }
+ 
+-static void
++#define BUFFER_INC  1024
++
++static int
+ doapr_outch(
+     char **sbuffer,
+     char **buffer,
+@@ -733,24 +766,30 @@ doapr_outch(
+     /* If we haven't at least one buffer, someone has doe a big booboo */
+     assert(*sbuffer != NULL || buffer != NULL);
+ 
+-    if (buffer) {
+-	while (*currlen >= *maxlen) {
+-	    if (*buffer == NULL) {
+-		if (*maxlen == 0)
+-		    *maxlen = 1024;
++    /* |currlen| must always be <= |*maxlen| */
++    assert(*currlen <= *maxlen);
++
++    if (buffer && *currlen == *maxlen) {
++        if (*maxlen > INT_MAX - BUFFER_INC)
++            return 0;
++
++        *maxlen += BUFFER_INC;
++	if (*buffer == NULL) {
+ 		*buffer = OPENSSL_malloc(*maxlen);
++		if (*buffer == NULL)
++	        	return 0;
+ 		if (*currlen > 0) {
+ 		    assert(*sbuffer != NULL);
+ 		    memcpy(*buffer, *sbuffer, *currlen);
+ 		}
+ 		*sbuffer = NULL;
+-	    } else {
+-		*maxlen += 1024;
+-		*buffer = OPENSSL_realloc(*buffer, *maxlen);
+-	    }
++	} else {
++            char *tmpbuf;
++            tmpbuf = OPENSSL_realloc(*buffer, *maxlen);
++            if (tmpbuf == NULL)
++                return 0;
++            *buffer = tmpbuf;
+ 	}
+-	/* What to do if *buffer is NULL? */
+-	assert(*sbuffer != NULL || *buffer != NULL);
+     }
+ 
+     if (*currlen < *maxlen) {
+@@ -760,7 +799,7 @@ doapr_outch(
+ 	    (*buffer)[(*currlen)++] = (char)c;
+     }
+ 
+-    return;
++    return 1;
+ }
+ 
+ /***************************************************************************/
+@@ -792,11 +831,15 @@ int BIO_vprintf (BIO *bio, const char *f
+ 
+ 	dynbuf = NULL;
+ 	CRYPTO_push_info("doapr()");
+-	_dopr(&hugebufp, &dynbuf, &hugebufsize,
+-		&retlen, &ignored, format, args);
++	if (!_dopr(&hugebufp, &dynbuf, &hugebufsize, &retlen, &ignored, format,
++                args))
++		{
++		OPENSSL_free(dynbuf);
++        	return -1;
++		}
+ 	if (dynbuf)
+ 		{
+-		ret=BIO_write(bio, dynbuf, (int)retlen);
++		ret = BIO_write(bio, dynbuf, (int)retlen);
+ 		OPENSSL_free(dynbuf);
+ 		}
+ 	else
+@@ -829,7 +872,8 @@ int BIO_vsnprintf(char *buf, size_t n, c
+ 	size_t retlen;
+ 	int truncated;
+ 
+-	_dopr(&buf, NULL, &n, &retlen, &truncated, format, args);
++	if(!_dopr(&buf, NULL, &n, &retlen, &truncated, format, args))
++		return -1;
+ 
+ 	if (truncated)
+ 		/* In case of truncation, return -1 like traditional snprintf.
diff --git a/SOURCES/openssl-1.0.1e-cve-2016-2105.patch b/SOURCES/openssl-1.0.1e-cve-2016-2105.patch
new file mode 100644
index 0000000..b6351a0
--- /dev/null
+++ b/SOURCES/openssl-1.0.1e-cve-2016-2105.patch
@@ -0,0 +1,40 @@
+diff -up openssl-1.0.1e/crypto/evp/encode.c.b64-overflow openssl-1.0.1e/crypto/evp/encode.c
+--- openssl-1.0.1e/crypto/evp/encode.c.b64-overflow	2016-04-07 15:45:20.000000000 +0200
++++ openssl-1.0.1e/crypto/evp/encode.c	2016-04-29 12:46:34.232656522 +0200
+@@ -132,12 +132,12 @@ void EVP_EncodeUpdate(EVP_ENCODE_CTX *ct
+ 	     const unsigned char *in, int inl)
+ 	{
+ 	int i,j;
+-	unsigned int total=0;
++	size_t total=0;
+ 
+ 	*outl=0;
+ 	if (inl == 0) return;
+ 	OPENSSL_assert(ctx->length <= (int)sizeof(ctx->enc_data));
+-	if ((ctx->num+inl) < ctx->length)
++	if (ctx->length - ctx->num > inl)
+ 		{
+ 		memcpy(&(ctx->enc_data[ctx->num]),in,inl);
+ 		ctx->num+=inl;
+@@ -156,7 +156,7 @@ void EVP_EncodeUpdate(EVP_ENCODE_CTX *ct
+ 		*out='\0';
+ 		total=j+1;
+ 		}
+-	while (inl >= ctx->length)
++	while (inl >= ctx->length && total <= INT_MAX)
+ 		{
+ 		j=EVP_EncodeBlock(out,in,ctx->length);
+ 		in+=ctx->length;
+@@ -166,6 +166,12 @@ void EVP_EncodeUpdate(EVP_ENCODE_CTX *ct
+ 		*out='\0';
+ 		total+=j+1;
+ 		}
++	if (total > INT_MAX)
++		{
++		/* Too much output data! */
++		*outl = 0;
++		return;
++		}
+ 	if (inl != 0)
+ 		memcpy(&(ctx->enc_data[0]),in,inl);
+ 	ctx->num=inl;
diff --git a/SOURCES/openssl-1.0.1e-cve-2016-2106.patch b/SOURCES/openssl-1.0.1e-cve-2016-2106.patch
new file mode 100644
index 0000000..ada5f75
--- /dev/null
+++ b/SOURCES/openssl-1.0.1e-cve-2016-2106.patch
@@ -0,0 +1,12 @@
+diff -up openssl-1.0.1e/crypto/evp/evp_enc.c.enc-overflow openssl-1.0.1e/crypto/evp/evp_enc.c
+--- openssl-1.0.1e/crypto/evp/evp_enc.c.enc-overflow	2016-04-29 12:42:43.000000000 +0200
++++ openssl-1.0.1e/crypto/evp/evp_enc.c	2016-04-29 12:56:50.253736555 +0200
+@@ -408,7 +408,7 @@ int EVP_EncryptUpdate(EVP_CIPHER_CTX *ct
+ 	OPENSSL_assert(bl <= (int)sizeof(ctx->buf));
+ 	if (i != 0)
+ 		{
+-		if (i+inl < bl)
++		if (bl - i > inl)
+ 			{
+ 			memcpy(&(ctx->buf[i]),in,inl);
+ 			ctx->buf_len+=inl;
diff --git a/SOURCES/openssl-1.0.1e-cve-2016-2107.patch b/SOURCES/openssl-1.0.1e-cve-2016-2107.patch
new file mode 100644
index 0000000..340267e
--- /dev/null
+++ b/SOURCES/openssl-1.0.1e-cve-2016-2107.patch
@@ -0,0 +1,20 @@
+diff -up openssl-1.0.1e/crypto/evp/e_aes_cbc_hmac_sha1.c.padding-check openssl-1.0.1e/crypto/evp/e_aes_cbc_hmac_sha1.c
+--- openssl-1.0.1e/crypto/evp/e_aes_cbc_hmac_sha1.c.padding-check	2016-04-29 12:42:43.000000000 +0200
++++ openssl-1.0.1e/crypto/evp/e_aes_cbc_hmac_sha1.c	2016-04-29 13:10:13.441125487 +0200
+@@ -59,6 +59,7 @@
+ #include <openssl/aes.h>
+ #include <openssl/sha.h>
+ #include "evp_locl.h"
++#include "constant_time_locl.h"
+ 
+ #ifndef EVP_CIPH_FLAG_AEAD_CIPHER
+ #define EVP_CIPH_FLAG_AEAD_CIPHER	0x200000
+@@ -278,6 +279,8 @@ static int aesni_cbc_hmac_sha1_cipher(EV
+ 			maxpad |= (255-maxpad)>>(sizeof(maxpad)*8-8);
+ 			maxpad &= 255;
+ 
++			ret &= constant_time_ge(maxpad, pad);
++
+ 			inp_len = len - (SHA_DIGEST_LENGTH+pad+1);
+ 			mask = (0-((inp_len-len)>>(sizeof(inp_len)*8-1)));
+ 			inp_len &= mask;
diff --git a/SOURCES/openssl-1.0.1e-cve-2016-2108.patch b/SOURCES/openssl-1.0.1e-cve-2016-2108.patch
new file mode 100644
index 0000000..9520ed6
--- /dev/null
+++ b/SOURCES/openssl-1.0.1e-cve-2016-2108.patch
@@ -0,0 +1,69 @@
+diff -up openssl-1.0.1e/crypto/asn1/a_int.c.asn1-negative openssl-1.0.1e/crypto/asn1/a_int.c
+--- openssl-1.0.1e/crypto/asn1/a_int.c.asn1-negative	2016-04-29 13:23:05.221797998 +0200
++++ openssl-1.0.1e/crypto/asn1/a_int.c	2016-04-29 13:26:51.030957218 +0200
+@@ -124,6 +124,8 @@ int i2c_ASN1_INTEGER(ASN1_INTEGER *a, un
+ 		{
+ 		ret=a->length;
+ 		i=a->data[0];
++		if (ret == 1 && i == 0)
++			neg = 0;
+ 		if (!neg && (i > 127)) {
+ 			pad=1;
+ 			pb=0;
+@@ -157,7 +159,7 @@ int i2c_ASN1_INTEGER(ASN1_INTEGER *a, un
+ 		p += a->length - 1;
+ 		i = a->length;
+ 		/* Copy zeros to destination as long as source is zero */
+-		while(!*n) {
++		while(!*n && i > 1) {
+ 			*(p--) = 0;
+ 			n--;
+ 			i--;
+@@ -415,7 +417,7 @@ ASN1_INTEGER *BN_to_ASN1_INTEGER(const B
+ 		ASN1err(ASN1_F_BN_TO_ASN1_INTEGER,ERR_R_NESTED_ASN1_ERROR);
+ 		goto err;
+ 		}
+-	if (BN_is_negative(bn))
++	if (BN_is_negative(bn) && !BN_is_zero(bn))
+ 		ret->type = V_ASN1_NEG_INTEGER;
+ 	else ret->type=V_ASN1_INTEGER;
+ 	j=BN_num_bits(bn);
+diff -up openssl-1.0.1e/crypto/asn1/a_type.c.asn1-negative openssl-1.0.1e/crypto/asn1/a_type.c
+--- openssl-1.0.1e/crypto/asn1/a_type.c.asn1-negative	2016-04-29 12:42:43.000000000 +0200
++++ openssl-1.0.1e/crypto/asn1/a_type.c	2016-04-29 13:28:40.202443787 +0200
+@@ -131,9 +131,7 @@ int ASN1_TYPE_cmp(const ASN1_TYPE *a, co
+ 		result = 0;	/* They do not have content. */
+ 		break;
+ 	case V_ASN1_INTEGER:
+-	case V_ASN1_NEG_INTEGER:
+ 	case V_ASN1_ENUMERATED:
+-	case V_ASN1_NEG_ENUMERATED:
+ 	case V_ASN1_BIT_STRING:
+ 	case V_ASN1_OCTET_STRING:
+ 	case V_ASN1_SEQUENCE:
+diff -up openssl-1.0.1e/crypto/asn1/tasn_dec.c.asn1-negative openssl-1.0.1e/crypto/asn1/tasn_dec.c
+--- openssl-1.0.1e/crypto/asn1/tasn_dec.c.asn1-negative	2016-04-29 12:42:43.000000000 +0200
++++ openssl-1.0.1e/crypto/asn1/tasn_dec.c	2016-04-29 13:30:08.560456293 +0200
+@@ -1011,9 +1011,7 @@ int asn1_ex_c2i(ASN1_VALUE **pval, const
+ 		break;
+ 
+ 		case V_ASN1_INTEGER:
+-		case V_ASN1_NEG_INTEGER:
+ 		case V_ASN1_ENUMERATED:
+-		case V_ASN1_NEG_ENUMERATED:
+ 		tint = (ASN1_INTEGER **)pval;
+ 		if (!c2i_ASN1_INTEGER(tint, &cont, len))
+ 			goto err;
+diff -up openssl-1.0.1e/crypto/asn1/tasn_enc.c.asn1-negative openssl-1.0.1e/crypto/asn1/tasn_enc.c
+--- openssl-1.0.1e/crypto/asn1/tasn_enc.c.asn1-negative	2013-02-11 16:26:04.000000000 +0100
++++ openssl-1.0.1e/crypto/asn1/tasn_enc.c	2016-04-29 13:30:34.688051394 +0200
+@@ -638,9 +638,7 @@ int asn1_ex_i2c(ASN1_VALUE **pval, unsig
+ 		break;
+ 
+ 		case V_ASN1_INTEGER:
+-		case V_ASN1_NEG_INTEGER:
+ 		case V_ASN1_ENUMERATED:
+-		case V_ASN1_NEG_ENUMERATED:
+ 		/* These are all have the same content format
+ 		 * as ASN1_INTEGER
+ 		 */
diff --git a/SOURCES/openssl-1.0.1e-cve-2016-2109.patch b/SOURCES/openssl-1.0.1e-cve-2016-2109.patch
new file mode 100644
index 0000000..dd7de61
--- /dev/null
+++ b/SOURCES/openssl-1.0.1e-cve-2016-2109.patch
@@ -0,0 +1,72 @@
+diff -up openssl-1.0.1e/crypto/asn1/a_d2i_fp.c.asn1-bio-dos openssl-1.0.1e/crypto/asn1/a_d2i_fp.c
+--- openssl-1.0.1e/crypto/asn1/a_d2i_fp.c.asn1-bio-dos	2013-02-11 16:02:47.000000000 +0100
++++ openssl-1.0.1e/crypto/asn1/a_d2i_fp.c	2016-04-29 13:44:52.205538739 +0200
+@@ -139,6 +139,7 @@ void *ASN1_item_d2i_fp(const ASN1_ITEM *
+ #endif
+ 
+ #define HEADER_SIZE   8
++#define ASN1_CHUNK_INITIAL_SIZE (16 * 1024)
+ static int asn1_d2i_read_bio(BIO *in, BUF_MEM **pb)
+ 	{
+ 	BUF_MEM *b;
+@@ -230,6 +231,8 @@ static int asn1_d2i_read_bio(BIO *in, BU
+ 			want=c.slen;
+ 			if (want > (len-off))
+ 				{
++				size_t chunk_max = ASN1_CHUNK_INITIAL_SIZE;
++
+ 				want-=(len-off);
+ 				if (want > INT_MAX /* BIO_read takes an int length */ ||
+ 					len+want < len)
+@@ -237,24 +240,38 @@ static int asn1_d2i_read_bio(BIO *in, BU
+ 						ASN1err(ASN1_F_ASN1_D2I_READ_BIO,ASN1_R_TOO_LONG);
+ 						goto err;
+ 						}
+-				if (!BUF_MEM_grow_clean(b,len+want))
+-					{
+-					ASN1err(ASN1_F_ASN1_D2I_READ_BIO,ERR_R_MALLOC_FAILURE);
+-					goto err;
+-					}
+ 				while (want > 0)
+ 					{
+-					i=BIO_read(in,&(b->data[len]),want);
+-					if (i <= 0)
++					/*
++					 * Read content in chunks of increasing size
++					 * so we can return an error for EOF without
++					 * having to allocate the entire content length
++					 * in one go.
++					 */
++					size_t chunk = want > chunk_max ? chunk_max : want;
++
++					if (!BUF_MEM_grow_clean(b, len + chunk))
+ 						{
+-						ASN1err(ASN1_F_ASN1_D2I_READ_BIO,
+-						    ASN1_R_NOT_ENOUGH_DATA);
++						ASN1err(ASN1_F_ASN1_D2I_READ_BIO, ERR_R_MALLOC_FAILURE);
+ 						goto err;
+ 						}
+-					/* This can't overflow because
+-					 * |len+want| didn't overflow. */
+-					len+=i;
+-					want-=i;
++					want -= chunk;
++					while (chunk > 0)
++						{
++						i = BIO_read(in, &(b->data[len]), chunk);
++						if (i <= 0)
++							{
++							ASN1err(ASN1_F_ASN1_D2I_READ_BIO,
++								ASN1_R_NOT_ENOUGH_DATA);
++							goto err;
++							}
++						/* This can't overflow because
++						 * |len+want| didn't overflow. */
++						len += i;
++						chunk -= i;
++						}
++					if (chunk_max < INT_MAX/2)
++						chunk_max *= 2;
+ 					}
+ 				}
+ 			if (off + c.slen < off)
diff --git a/SPECS/openssl.spec b/SPECS/openssl.spec
index 05a7319..519977a 100644
--- a/SPECS/openssl.spec
+++ b/SPECS/openssl.spec
@@ -23,7 +23,7 @@
 Summary: Utilities from the general purpose cryptography library with TLS implementation
 Name: openssl
 Version: 1.0.1e
-Release: 51%{?dist}.4
+Release: 51%{?dist}.5
 Epoch: 1
 # We have to remove certain patented algorithms from the openssl source
 # tarball with the hobble-openssl script which is included below.
@@ -149,6 +149,12 @@ Patch143: openssl-1.0.1e-disable-sslv2.patch
 Patch144: openssl-1.0.1e-cve-2016-0702.patch
 Patch145: openssl-1.0.1e-cve-2016-0705.patch
 Patch146: openssl-1.0.1e-cve-2016-0797.patch
+Patch147: openssl-1.0.1e-cve-2016-0799.patch
+Patch150: openssl-1.0.1e-cve-2016-2105.patch
+Patch151: openssl-1.0.1e-cve-2016-2106.patch
+Patch152: openssl-1.0.1e-cve-2016-2107.patch
+Patch153: openssl-1.0.1e-cve-2016-2108.patch
+Patch154: openssl-1.0.1e-cve-2016-2109.patch
 
 License: OpenSSL
 Group: System Environment/Libraries
@@ -328,6 +334,12 @@ cp %{SOURCE12} %{SOURCE13} crypto/ec/
 %patch144 -p1 -b .rsa-const
 %patch145 -p1 -b .dsa-doublefree
 %patch146 -p1 -b .bn-hex
+%patch147 -p1 -b .bio-printf
+%patch150 -p1 -b .b64-overflow
+%patch151 -p1 -b .enc-overflow
+%patch152 -p1 -b .padding-check
+%patch153 -p1 -b .asn1-negative
+%patch154 -p1 -b .asn1-bio-dos
 
 sed -i 's/SHLIB_VERSION_NUMBER "1.0.0"/SHLIB_VERSION_NUMBER "%{version}"/' crypto/opensslv.h
 
@@ -594,6 +606,14 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
 %postun libs -p /sbin/ldconfig
 
 %changelog
+* Fri Apr 29 2016 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-51.5
+- fix CVE-2016-2105 - possible overflow in base64 encoding
+- fix CVE-2016-2106 - possible overflow in EVP_EncryptUpdate()
+- fix CVE-2016-2107 - padding oracle in stitched AES-NI CBC-MAC
+- fix CVE-2016-2108 - memory corruption in ASN.1 encoder
+- fix CVE-2016-2109 - possible DoS when reading ASN.1 data from BIO
+- fix CVE-2016-0799 - memory issues in BIO_printf
+
 * Wed Feb 24 2016 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-51.4
 - fix CVE-2016-0702 - side channel attack on modular exponentiation
 - fix CVE-2016-0705 - double-free in DSA private key parsing