diff --git a/SOURCES/openssl-1.0.2k-cve-2017-3736.patch b/SOURCES/openssl-1.0.2k-cve-2017-3736.patch
new file mode 100644
index 0000000..6fc0491
--- /dev/null
+++ b/SOURCES/openssl-1.0.2k-cve-2017-3736.patch
@@ -0,0 +1,43 @@
+From 38d600147331d36e74174ebbd4008b63188b321b Mon Sep 17 00:00:00 2001
+From: Andy Polyakov <appro@openssl.org>
+Date: Thu, 17 Aug 2017 21:08:57 +0200
+Subject: [PATCH] bn/asm/x86_64-mont5.pl: fix carry bug in bn_sqrx8x_internal.
+
+Credit to OSS-Fuzz for finding this.
+
+CVE-2017-3736
+
+Reviewed-by: Rich Salz <rsalz@openssl.org>
+---
+ crypto/bn/asm/x86_64-mont5.pl | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/crypto/bn/asm/x86_64-mont5.pl b/crypto/bn/asm/x86_64-mont5.pl
+index 3bb0cdf..42178e4 100755
+--- a/crypto/bn/asm/x86_64-mont5.pl
++++ b/crypto/bn/asm/x86_64-mont5.pl
+@@ -3090,11 +3090,19 @@ $code.=<<___;
+ 
+ .align	32
+ .Lsqrx8x_break:
+-	sub	16+8(%rsp),%r8		# consume last carry
++	xor	$zero,$zero
++	sub	16+8(%rsp),%rbx		# mov 16(%rsp),%cf
++	adcx	$zero,%r8
+ 	mov	24+8(%rsp),$carry	# initial $tptr, borrow $carry
++	adcx	$zero,%r9
+ 	mov	0*8($aptr),%rdx		# a[8], modulo-scheduled
+-	xor	%ebp,%ebp		# xor	$zero,$zero
++	adc	\$0,%r10
+ 	mov	%r8,0*8($tptr)
++	adc	\$0,%r11
++	adc	\$0,%r12
++	adc	\$0,%r13
++	adc	\$0,%r14
++	adc	\$0,%r15
+ 	cmp	$carry,$tptr		# cf=0, of=0
+ 	je	.Lsqrx8x_outer_loop
+ 
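Review bot: At `.Lsqrx8x_break` the carry flag is now rebuilt with `sub 16+8(%rsp),%rbx`, so the resulting CF depends on what %rbx holds at that point, and neither the hunk nor the comment `# mov 16(%rsp),%cf` says what that is or whether %rbx is dead afterwards. The `adcx`/`adc` chain through %r8 to %r15 also relies on the interleaved `mov` instructions leaving CF untouched, which holds today but is easy to break when rescheduling. I would extend the comment on the `sub` line to something like `# rebuild CF from saved carry; %rbx is scratch here` (to be confirmed against the loop above, which is outside the hunk) and add a remark that no flag-writing instruction may be placed before the last `adc`. The patch also ships no regression vector for the carry case, so a bignum test input that exercises it would be worth adding.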
+-- 
+2.9.5
+
diff --git a/SOURCES/openssl-1.0.2k-cve-2017-3737.patch b/SOURCES/openssl-1.0.2k-cve-2017-3737.patch
new file mode 100644
index 0000000..0f6f462
--- /dev/null
+++ b/SOURCES/openssl-1.0.2k-cve-2017-3737.patch
@@ -0,0 +1,232 @@
+diff -up openssl-1.0.2k/ssl/fatalerrtest.c.ssl-err openssl-1.0.2k/ssl/fatalerrtest.c
+--- openssl-1.0.2k/ssl/fatalerrtest.c.ssl-err	2017-12-13 14:17:46.730350538 +0100
++++ openssl-1.0.2k/ssl/fatalerrtest.c	2017-12-13 14:18:54.879940227 +0100
+@@ -0,0 +1,109 @@
++/*
++ * Copyright 2017 The OpenSSL Project Authors. All Rights Reserved.
++ *
++ * Licensed under the OpenSSL license (the "License").  You may not use
++ * this file except in compliance with the License.  You can obtain a copy
++ * in the file LICENSE in the source distribution or at
++ * https://www.openssl.org/source/license.html
++ */
++
++#include <openssl/ssl.h>
++#include <openssl/err.h>
++#include "ssltestlib.h"
++
++int main(int argc, char *argv[])
++{
++    SSL_CTX *sctx = NULL, *cctx = NULL;
++    SSL *sssl = NULL, *cssl = NULL;
++    const char *msg = "Dummy";
++    BIO *err = NULL, *wbio = NULL;
++    int ret = 1, len;
++    char buf[80];
++    unsigned char dummyrec[] = {
++        0x17, 0x03, 0x03, 0x00, 0x05, 'D', 'u', 'm', 'm', 'y'
++    };
++
++    if (argc != 3) {
++        printf("Incorrect number of parameters\n");
++        return 1;
++    }
++
++    SSL_library_init();
++    SSL_load_error_strings();
++    err = BIO_new_fp(stderr, BIO_NOCLOSE | BIO_FP_TEXT);
++    CRYPTO_malloc_debug_init();
++    CRYPTO_set_mem_debug_options(V_CRYPTO_MDEBUG_ALL);
++    CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
++
++    if (!create_ssl_ctx_pair(SSLv23_method(), SSLv23_method(), &sctx, &cctx,
++                             argv[1], argv[2])) {
++        printf("Failed to create SSL_CTX pair\n");
++        goto err;
++    }
++
++    /*
++     * Deliberately set the cipher lists for client and server to be different
++     * to force a handshake failure.
++     */
++    if (!SSL_CTX_set_cipher_list(sctx, "AES128-SHA")
++            || !SSL_CTX_set_cipher_list(cctx, "AES256-SHA")) {
++        printf("Failed to set cipher lists\n");
++        goto err;
++    }
++
++    if (!create_ssl_objects(sctx, cctx, &sssl, &cssl, NULL, NULL)) {
++        printf("Failed to create SSL objectx\n");
++        goto err;
++    }
++
++    wbio = SSL_get_wbio(cssl);
++    if (wbio == NULL) {
++        printf("Unexpected NULL bio received\n");
++        goto err;
++    }
++
++    if (create_ssl_connection(sssl, cssl)) {
++        printf("Unexpected success creating a connection\n");
++        goto err;
++    }
++
++    ERR_clear_error();
++
++    /* Inject a plaintext record from client to server */
++    if (BIO_write(wbio, dummyrec, sizeof(dummyrec)) <= 0) {
++        printf("Unexpected failure injecting dummy record\n");
++        goto err;
++    }
++
++    /* SSL_read()/SSL_write should fail because of a previous fatal error */
++    if ((len = SSL_read(sssl, buf, sizeof(buf) - 1)) > 0) {
++        buf[len] = '\0';
++        printf("Unexpected success reading data: %s\n", buf);
++        goto err;
++    }
++    if (SSL_write(sssl, msg, strlen(msg)) > 0) {
++        printf("Unexpected success writing data\n");
++        goto err;
++    }
++
++    ret = 0;
++ err:
++    SSL_free(sssl);
++    SSL_free(cssl);
++    SSL_CTX_free(sctx);
++    SSL_CTX_free(cctx);
++    ERR_print_errors_fp(stderr);
++
++    if (ret) {
++        printf("Fatal err test: FAILED\n");
++    }
++
++    ERR_free_strings();
++    ERR_remove_thread_state(NULL);
++    EVP_cleanup();
++    CRYPTO_cleanup_all_ex_data();
++    CRYPTO_mem_leaks(err);
++    BIO_free(err);
++
++    return ret;
++}
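Review bot: The `SSL_read()` check in `main` accepts any return value `<= 0` as proof that the fatal-error state was honoured, so the test would also pass if the injected record never reached the server and the call merely reported that it wants more data. Adding `if (SSL_get_error(sssl, len) == SSL_ERROR_WANT_READ) { printf("Record was not consumed\n"); goto err; }` after the existing `> 0` branch would make a pass mean what the comment above it says; the exact error class returned by a fixed library is worth confirming when doing so. Separately, `strlen()` and `printf()` are used without including `<string.h>` and `<stdio.h>`; they presumably arrive through the OpenSSL headers, but the test should include them directly. The message `"Failed to create SSL objectx\n"` also has a typo.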
+diff -up openssl-1.0.2k/ssl/Makefile.ssl-err openssl-1.0.2k/ssl/Makefile
+--- openssl-1.0.2k/ssl/Makefile.ssl-err	2017-03-09 17:59:42.832617740 +0100
++++ openssl-1.0.2k/ssl/Makefile	2017-12-13 14:17:46.729350514 +0100
+@@ -15,7 +15,8 @@ KRB5_INCLUDES=
+ CFLAGS= $(INCLUDES) $(CFLAG)
+ 
+ GENERAL=Makefile README ssl-lib.com install.com
+-TEST=ssltest.c heartbeat_test.c clienthellotest.c sslv2conftest.c dtlstest.c bad_dtls_test.c
++TEST=ssltest.c heartbeat_test.c clienthellotest.c sslv2conftest.c dtlstest.c \
++	bad_dtls_test.c fatalerrtest.c
+ APPS=
+ 
+ LIB=$(TOP)/libssl.a
+diff -up openssl-1.0.2k/ssl/ssl.h.ssl-err openssl-1.0.2k/ssl/ssl.h
+--- openssl-1.0.2k/ssl/ssl.h.ssl-err	2017-03-09 17:59:26.177229502 +0100
++++ openssl-1.0.2k/ssl/ssl.h	2017-12-13 14:17:07.341431733 +0100
+@@ -1683,7 +1683,7 @@ extern "C" {
+ # define SSL_ST_BEFORE                   0x4000
+ # define SSL_ST_OK                       0x03
+ # define SSL_ST_RENEGOTIATE              (0x04|SSL_ST_INIT)
+-# define SSL_ST_ERR                      0x05
++# define SSL_ST_ERR                      (0x05|SSL_ST_INIT)
+ 
+ # define SSL_CB_LOOP                     0x01
+ # define SSL_CB_EXIT                     0x02
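Review bot: The redefinition of `SSL_ST_ERR` to `(0x05|SSL_ST_INIT)` is the functional core of this patch but has no comment saying why the init bit is set. Presumably it makes the in-init check true for a connection in the error state, so that later read and write calls are routed back through the handshake code and fail there; the code that relies on this is outside the hunk. I would add `/* SSL_ST_INIT is set so that a connection in the error state still counts as "in init" and cannot be used for I/O */` above the define. Because this is a public header constant, callers built against the old value 0x05 that compare the connection state with `SSL_ST_ERR` will no longer match, which is worth a line in the package changelog.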
+diff -up openssl-1.0.2k/test/Makefile.ssl-err openssl-1.0.2k/test/Makefile
+--- openssl-1.0.2k/test/Makefile.ssl-err	2017-03-09 17:59:45.580681798 +0100
++++ openssl-1.0.2k/test/Makefile	2017-12-13 14:17:46.731350561 +0100
+@@ -73,6 +73,7 @@ CLIENTHELLOTEST=	clienthellotest
+ BADDTLSTEST=	bad_dtls_test
+ SSLV2CONFTEST = 	sslv2conftest
+ DTLSTEST =	dtlstest
++FATALERRTEST =	fatalerrtest
+ 
+ TESTS=		alltests
+ 
+@@ -87,7 +88,7 @@ EXE=	$(BNTEST)$(EXE_EXT) $(ECTEST)$(EXE_
+ 	$(ASN1TEST)$(EXE_EXT) $(V3NAMETEST)$(EXE_EXT) $(HEARTBEATTEST)$(EXE_EXT) \
+ 	$(CONSTTIMETEST)$(EXE_EXT) $(VERIFYEXTRATEST)$(EXE_EXT) \
+ 	$(CLIENTHELLOTEST)$(EXE_EXT) $(SSLV2CONFTEST)$(EXE_EXT) $(DTLSTEST)$(EXE_EXT) \
+-	$(BADDTLSTEST)$(EXE_EXT)
++	$(BADDTLSTEST)$(EXE_EXT) $(FATALERRTEST)$(EXE_EXT)
+ 
+ # $(METHTEST)$(EXE_EXT)
+ 
+@@ -102,7 +103,7 @@ OBJ=	$(BNTEST).o $(ECTEST).o  $(ECDSATES
+ 	$(EVPTEST).o $(EVPEXTRATEST).o $(IGETEST).o $(JPAKETEST).o $(ASN1TEST).o $(V3NAMETEST).o \
+ 	$(HEARTBEATTEST).o $(CONSTTIMETEST).o $(VERIFYEXTRATEST).o \
+ 	$(CLIENTHELLOTEST).o  $(SSLV2CONFTEST).o $(DTLSTEST).o ssltestlib.o \
+-	$(BADDTLSTEST).o
++	$(BADDTLSTEST).o $(FATALERRTEST).o
+ 
+ SRC=	$(BNTEST).c $(ECTEST).c  $(ECDSATEST).c $(ECDHTEST).c $(IDEATEST).c \
+ 	$(MD2TEST).c  $(MD4TEST).c $(MD5TEST).c \
+@@ -114,7 +115,7 @@ SRC=	$(BNTEST).c $(ECTEST).c  $(ECDSATES
+ 	$(EVPTEST).c $(EVPEXTRATEST).c $(IGETEST).c $(JPAKETEST).c $(SRPTEST).c $(ASN1TEST).c \
+ 	$(V3NAMETEST).c $(HEARTBEATTEST).c $(CONSTTIMETEST).c $(VERIFYEXTRATEST).c \
+ 	$(CLIENTHELLOTEST).c  $(SSLV2CONFTEST).c $(DTLSTEST).c ssltestlib.c \
+-	$(BADDTLSTEST).c
++	$(BADDTLSTEST).c $(FATALERRTEST).c
+ 
+ EXHEADER= 
+ HEADER=	testutil.h ssltestlib.h $(EXHEADER)
+@@ -159,7 +160,7 @@ alltests: \
+ 	test_ss test_ca test_engine test_evp test_evp_extra test_ssl test_tsa test_ige \
+ 	test_jpake test_srp test_cms test_ocsp test_v3name test_heartbeat \
+ 	test_constant_time test_verify_extra test_clienthello test_sslv2conftest \
+-	test_dtls test_bad_dtls
++	test_dtls test_bad_dtls test_fatalerr
+ 
+ test_evp: $(EVPTEST)$(EXE_EXT) evptests.txt
+ 	../util/shlib_wrap.sh ./$(EVPTEST) evptests.txt
+@@ -372,6 +373,10 @@ test_bad_dtls: $(BADDTLSTEST)$(EXE_EXT)
+ 	@echo $(START) $@
+ 	../util/shlib_wrap.sh ./$(BADDTLSTEST)
+ 
++test_fatalerr: $(FATALERRTEST)$(EXE_EXT)
++	@echo $(START) $@
++	../util/shlib_wrap.sh ./$(FATALERRTEST) ../apps/server.pem ../apps/server.pem
++
+ test_sslv2conftest: $(SSLV2CONFTEST)$(EXE_EXT)
+ 	@echo $(START) $@
+ 	../util/shlib_wrap.sh ./$(SSLV2CONFTEST)
+@@ -560,6 +565,9 @@ $(CLIENTHELLOTEST)$(EXE_EXT): $(CLIENTHE
+ $(BADDTLSTEST)$(EXE_EXT): $(BADDTLSTEST).o
+ 	@target=$(BADDTLSTEST) $(BUILD_CMD)
+ 
++$(FATALERRTEST)$(EXE_EXT): $(FATALERRTEST).o ssltestlib.o $(DLIBSSL) $(DLIBCRYPTO)
++	@target=$(FATALERRTEST); exobj=ssltestlib.o; $(BUILD_CMD)
++
+ $(SSLV2CONFTEST)$(EXE_EXT): $(SSLV2CONFTEST).o
+ 	@target=$(SSLV2CONFTEST) $(BUILD_CMD)
+ 
+@@ -779,6 +787,25 @@ exptest.o: ../include/openssl/opensslcon
+ exptest.o: ../include/openssl/ossl_typ.h ../include/openssl/rand.h
+ exptest.o: ../include/openssl/safestack.h ../include/openssl/stack.h
+ exptest.o: ../include/openssl/symhacks.h exptest.c
++fatalerrtest.o: ../include/openssl/asn1.h ../include/openssl/bio.h
++fatalerrtest.o: ../include/openssl/buffer.h ../include/openssl/comp.h
++fatalerrtest.o: ../include/openssl/crypto.h ../include/openssl/dtls1.h
++fatalerrtest.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
++fatalerrtest.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
++fatalerrtest.o: ../include/openssl/err.h ../include/openssl/evp.h
++fatalerrtest.o: ../include/openssl/hmac.h ../include/openssl/kssl.h
++fatalerrtest.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
++fatalerrtest.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
++fatalerrtest.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
++fatalerrtest.o: ../include/openssl/pem.h ../include/openssl/pem2.h
++fatalerrtest.o: ../include/openssl/pkcs7.h ../include/openssl/pqueue.h
++fatalerrtest.o: ../include/openssl/safestack.h ../include/openssl/sha.h
++fatalerrtest.o: ../include/openssl/srtp.h ../include/openssl/ssl.h
++fatalerrtest.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
++fatalerrtest.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
++fatalerrtest.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
++fatalerrtest.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
++fatalerrtest.o: fatalerrtest.c ssltestlib.h
+ heartbeat_test.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
+ heartbeat_test.o: ../include/openssl/buffer.h ../include/openssl/comp.h
+ heartbeat_test.o: ../include/openssl/crypto.h ../include/openssl/dsa.h
diff --git a/SOURCES/openssl-1.0.2k-cve-2017-3738.patch b/SOURCES/openssl-1.0.2k-cve-2017-3738.patch
new file mode 100644
index 0000000..e8b6ba5
--- /dev/null
+++ b/SOURCES/openssl-1.0.2k-cve-2017-3738.patch
@@ -0,0 +1,80 @@
+From ca51bafc1a88d8b8348f5fd97adc5d6ca93f8e76 Mon Sep 17 00:00:00 2001
+From: Andy Polyakov <appro@openssl.org>
+Date: Fri, 24 Nov 2017 11:35:50 +0100
+Subject: [PATCH] bn/asm/rsaz-avx2.pl: fix digit correction bug in
+ rsaz_1024_mul_avx2.
+
+Credit to OSS-Fuzz for finding this.
+
+CVE-2017-3738
+
+Reviewed-by: Rich Salz <rsalz@openssl.org>
+---
+ crypto/bn/asm/rsaz-avx2.pl | 15 +++++++--------
+ 1 file changed, 7 insertions(+), 8 deletions(-)
+
+diff --git a/crypto/bn/asm/rsaz-avx2.pl b/crypto/bn/asm/rsaz-avx2.pl
+index 712a77f..2b3f8b0 100755
+--- a/crypto/bn/asm/rsaz-avx2.pl
++++ b/crypto/bn/asm/rsaz-avx2.pl
+@@ -239,7 +239,7 @@ $code.=<<___;
+ 	vmovdqu		32*8-128($ap), $ACC8
+ 
+ 	lea	192(%rsp), $tp0			# 64+128=192
+-	vpbroadcastq	.Land_mask(%rip), $AND_MASK
++	vmovdqu	.Land_mask(%rip), $AND_MASK
+ 	jmp	.LOOP_GRANDE_SQR_1024
+ 
+ .align	32
+@@ -1070,10 +1070,10 @@ $code.=<<___;
+ 	vpmuludq	32*6-128($np),$Yi,$TEMP1
+ 	vpaddq		$TEMP1,$ACC6,$ACC6
+ 	vpmuludq	32*7-128($np),$Yi,$TEMP2
+-	 vpblendd	\$3, $ZERO, $ACC9, $ACC9	# correct $ACC3
++	 vpblendd	\$3, $ZERO, $ACC9, $TEMP1	# correct $ACC3
+ 	vpaddq		$TEMP2,$ACC7,$ACC7
+ 	vpmuludq	32*8-128($np),$Yi,$TEMP0
+-	 vpaddq		$ACC9, $ACC3, $ACC3		# correct $ACC3
++	 vpaddq		$TEMP1, $ACC3, $ACC3		# correct $ACC3
+ 	vpaddq		$TEMP0,$ACC8,$ACC8
+ 
+ 	mov	%rbx, %rax
+@@ -1086,7 +1086,9 @@ $code.=<<___;
+ 	 vmovdqu	-8+32*2-128($ap),$TEMP2
+ 
+ 	mov	$r1, %rax
++	 vpblendd	\$0xfc, $ZERO, $ACC9, $ACC9	# correct $ACC3
+ 	imull	$n0, %eax
++	 vpaddq		$ACC9,$ACC4,$ACC4		# correct $ACC3
+ 	and	\$0x1fffffff, %eax
+ 
+ 	 imulq	16-128($ap),%rbx
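Review bot: Both added lines are commented `# correct $ACC3`, but `vpaddq $ACC9,$ACC4,$ACC4` updates `$ACC4`, so the comment appears to have been copied from the pair in the previous hunk. I would change them to `# correct $ACC4` and note next to the `vpblendd \$0xfc` which part of `$ACC9` is kept here versus in the `\$3` blend above, since splitting one correction across two accumulators is the substance of the fix. The surrounding code block starts and ends outside the hunk.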
+@@ -1322,15 +1324,12 @@ ___
+ #	But as we underutilize resources, it's possible to correct in
+ #	each iteration with marginal performance loss. But then, as
+ #	we do it in each iteration, we can correct less digits, and
+-#	avoid performance penalties completely. Also note that we
+-#	correct only three digits out of four. This works because
+-#	most significant digit is subjected to less additions.
++#	avoid performance penalties completely.
+ 
+ $TEMP0 = $ACC9;
+ $TEMP3 = $Bi;
+ $TEMP4 = $Yi;
+ $code.=<<___;
+-	vpermq		\$0, $AND_MASK, $AND_MASK
+ 	vpaddq		(%rsp), $TEMP1, $ACC0
+ 
+ 	vpsrlq		\$29, $ACC0, $TEMP1
+@@ -1763,7 +1762,7 @@ $code.=<<___;
+ 
+ .align	64
+ .Land_mask:
+-	.quad	0x1fffffff,0x1fffffff,0x1fffffff,-1
++	.quad	0x1fffffff,0x1fffffff,0x1fffffff,0x1fffffff
+ .Lscatter_permd:
+ 	.long	0,2,4,6,7,7,7,7
+ .Lgather_permd:
+-- 
+2.9.5
+
diff --git a/SOURCES/openssl-1.0.2k-fips-randlock.patch b/SOURCES/openssl-1.0.2k-fips-randlock.patch
new file mode 100644
index 0000000..8b08ef4
--- /dev/null
+++ b/SOURCES/openssl-1.0.2k-fips-randlock.patch
@@ -0,0 +1,65 @@
+diff -up openssl-1.0.2k/crypto/fips/fips_drbg_lib.c.fips-randlock openssl-1.0.2k/crypto/fips/fips_drbg_lib.c
+--- openssl-1.0.2k/crypto/fips/fips_drbg_lib.c.fips-randlock	2017-03-09 17:59:26.249231181 +0100
++++ openssl-1.0.2k/crypto/fips/fips_drbg_lib.c	2017-11-16 09:16:06.188098078 +0100
+@@ -338,6 +338,12 @@ int FIPS_drbg_reseed(DRBG_CTX *dctx,
+     return drbg_reseed(dctx, adin, adinlen, 1);
+ }
+ 
++void FIPS_drbg_set_reseed(DRBG_CTX *dctx)
++{
++    if (dctx->status == DRBG_STATUS_READY)
++        dctx->reseed_counter = dctx->reseed_interval;
++}
++
+ static int fips_drbg_check(DRBG_CTX *dctx)
+ {
+     if (dctx->xflags & DRBG_FLAG_TEST)
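Review bot: `FIPS_drbg_set_reseed()` is a new exported function with no comment describing its contract, and it dereferences `dctx` without a NULL check. It only sets `reseed_counter` to `reseed_interval` when the status is `DRBG_STATUS_READY` and does nothing otherwise, so it relies on the generate path (not visible here) comparing those two fields to trigger the actual reseed. I would add a header comment such as `/* Request a reseed on the next generate call; does not reseed immediately. Caller holds CRYPTO_LOCK_RAND. */`. The same point applies to the two `rand_lib.c` hunks (`drbg_rand_add`, `drbg_rand_seed`): data passed to them is no longer mixed into the DRBG until the next generate, which deserves a comment at those call sites.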
+diff -up openssl-1.0.2k/crypto/fips/fips_rand.h.fips-randlock openssl-1.0.2k/crypto/fips/fips_rand.h
+--- openssl-1.0.2k/crypto/fips/fips_rand.h.fips-randlock	2017-03-09 17:59:26.252231250 +0100
++++ openssl-1.0.2k/crypto/fips/fips_rand.h	2017-11-07 10:06:40.241450151 +0100
+@@ -86,6 +86,7 @@ extern "C" {
+                               const unsigned char *pers, size_t perslen);
+     int FIPS_drbg_reseed(DRBG_CTX *dctx, const unsigned char *adin,
+                          size_t adinlen);
++    void FIPS_drbg_set_reseed(DRBG_CTX *dctx);
+     int FIPS_drbg_generate(DRBG_CTX *dctx, unsigned char *out, size_t outlen,
+                            int prediction_resistance,
+                            const unsigned char *adin, size_t adinlen);
+diff -up openssl-1.0.2k/crypto/rand/md_rand.c.fips-randlock openssl-1.0.2k/crypto/rand/md_rand.c
+--- openssl-1.0.2k/crypto/rand/md_rand.c.fips-randlock	2017-03-09 17:59:26.255231320 +0100
++++ openssl-1.0.2k/crypto/rand/md_rand.c	2017-12-06 09:20:23.615879425 +0100
+@@ -391,10 +391,10 @@ int ssleay_rand_bytes(unsigned char *buf
+     CRYPTO_w_unlock(CRYPTO_LOCK_RAND2);
+     crypto_lock_rand = 1;
+ 
+-    /* always poll for external entropy in FIPS mode, drbg provides the 
+-     * expansion
++    /* always poll for external entropy in FIPS mode, if run as seed
++     * source, drbg provides the expansion
+      */
+-    if (!initialized || FIPS_module_mode()) {
++    if (!initialized || (!lock && FIPS_module_mode())) {
+         RAND_poll();
+         initialized = 1;
+     }
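Review bot: The new condition `!initialized || (!lock && FIPS_module_mode())` changes when `RAND_poll()` runs in FIPS mode, but `lock` is declared outside the hunk and the reworded comment does not say which value of it means "run as seed source". As written, a FIPS-mode call with `lock` non-zero polls only on first use, so the safety of this depends on such callers being served by the DRBG rather than directly by this pool; that is presumably the case but should be stated. Suggested comment: `/* In FIPS mode poll for external entropy on every call made as the DRBG seed source (lock == 0); other callers poll only once, on first use. */`. The body of `ssleay_rand_bytes` continues outside the hunk.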
+diff -up openssl-1.0.2k/crypto/rand/rand_lib.c.fips-randlock openssl-1.0.2k/crypto/rand/rand_lib.c
+--- openssl-1.0.2k/crypto/rand/rand_lib.c.fips-randlock	2017-03-09 17:59:26.292232183 +0100
++++ openssl-1.0.2k/crypto/rand/rand_lib.c	2017-11-07 10:20:08.050403861 +0100
+@@ -238,7 +238,7 @@ static int drbg_rand_add(DRBG_CTX *ctx,
+     RAND_SSLeay()->add(in, inlen, entropy);
+     if (FIPS_rand_status()) {
+         CRYPTO_w_lock(CRYPTO_LOCK_RAND);
+-        FIPS_drbg_reseed(ctx, NULL, 0);
++        FIPS_drbg_set_reseed(ctx);
+         CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
+     }
+     return 1;
+@@ -249,7 +249,7 @@ static int drbg_rand_seed(DRBG_CTX *ctx,
+     RAND_SSLeay()->seed(in, inlen);
+     if (FIPS_rand_status()) {
+         CRYPTO_w_lock(CRYPTO_LOCK_RAND);
+-        FIPS_drbg_reseed(ctx, NULL, 0);
++        FIPS_drbg_set_reseed(ctx);
+         CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
+     }
+     return 1;
diff --git a/SPECS/openssl.spec b/SPECS/openssl.spec
index b86a4e9..f65ee91 100644
--- a/SPECS/openssl.spec
+++ b/SPECS/openssl.spec
@@ -23,7 +23,7 @@
 Summary: Utilities from the general purpose cryptography library with TLS implementation
 Name: openssl
 Version: 1.0.2k
-Release: 8%{?dist}
+Release: 12%{?dist}
 Epoch: 1
 # We have to remove certain patented algorithms from the openssl source
 # tarball with the hobble-openssl script which is included below.
@@ -86,6 +86,7 @@ Patch95: openssl-1.0.2e-remove-nistp224.patch
 Patch96: openssl-1.0.2e-speed-doc.patch
 Patch97: openssl-1.0.2k-no-ssl2.patch
 Patch98: openssl-1.0.2k-long-hello.patch
+Patch99: openssl-1.0.2k-fips-randlock.patch
 # Backported fixes including security fixes
 Patch80: openssl-1.0.2e-wrap-pad.patch
 Patch81: openssl-1.0.2a-padlock64.patch
@@ -93,6 +94,9 @@ Patch82: openssl-1.0.2i-trusted-first-doc.patch
 Patch83: openssl-1.0.2k-backports.patch
 Patch84: openssl-1.0.2k-ppc-update.patch
 Patch85: openssl-1.0.2k-req-x509.patch
+Patch86: openssl-1.0.2k-cve-2017-3736.patch
+Patch87: openssl-1.0.2k-cve-2017-3737.patch
+Patch88: openssl-1.0.2k-cve-2017-3738.patch
 
 License: OpenSSL
 Group: System Environment/Libraries
@@ -211,6 +215,7 @@ cp %{SOURCE12} %{SOURCE13} crypto/ec/
 %patch96 -p1 -b .speed-doc
 %patch97 -p1 -b .no-ssl2
 %patch98 -p1 -b .long-hello
+%patch99 -p1 -b .randlock
 
 %patch80 -p1 -b .wrap
 %patch81 -p1 -b .padlock64
@@ -218,6 +223,9 @@ cp %{SOURCE12} %{SOURCE13} crypto/ec/
 %patch83 -p1 -b .backports
 %patch84 -p1 -b .ppc-update
 %patch85 -p1 -b .req-x509
+%patch86 -p1 -b .mont5-carry
+%patch87 -p1 -b .ssl-err
+%patch88 -p1 -b .rsaz-overflow
 
 sed -i 's/SHLIB_VERSION_NUMBER "1.0.0"/SHLIB_VERSION_NUMBER "%{version}"/' crypto/opensslv.h
 
@@ -517,6 +525,16 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
 %postun libs -p /sbin/ldconfig
 
 %changelog
+* Wed Dec 13 2017 Tomáš Mráz <tmraz@redhat.com> 1.0.2k-12
+- fix CVE-2017-3737 - incorrect handling of fatal error state
+- fix CVE-2017-3738 - AVX2 Montgomery multiplication bug with 1024 bit modulus
+
+* Wed Dec  6 2017 Tomáš Mráz <tmraz@redhat.com> 1.0.2k-11
+- fix deadlock in RNG in the FIPS mode in mariadb
+
+* Tue Nov  7 2017 Tomáš Mráz <tmraz@redhat.com> 1.0.2k-9
+- fix CVE-2017-3736 - carry propagation bug in Montgomery multiplication
+
 * Wed May 17 2017 Tomáš Mráz <tmraz@redhat.com> 1.0.2k-8
 - fix regression in openssl req -x509 command (#1450015)