diff --git a/SOURCES/openssl-1.0.2k-cve-2021-23840.patch b/SOURCES/openssl-1.0.2k-cve-2021-23840.patch
new file mode 100644
index 0000000..f3d0b75
--- /dev/null
+++ b/SOURCES/openssl-1.0.2k-cve-2021-23840.patch
@@ -0,0 +1,106 @@
+diff -up openssl-1.0.2k/crypto/evp/evp_enc.c.int-overflow openssl-1.0.2k/crypto/evp/evp_enc.c
+--- openssl-1.0.2k/crypto/evp/evp_enc.c.int-overflow	2021-09-01 14:17:32.813927827 +0200
++++ openssl-1.0.2k/crypto/evp/evp_enc.c	2021-09-01 14:17:32.909929103 +0200
+@@ -57,6 +57,7 @@
+  */
+ 
+ #include <stdio.h>
++#include <limits.h>
+ #include "cryptlib.h"
+ #include <openssl/evp.h>
+ #include <openssl/err.h>
+@@ -417,6 +418,18 @@ int EVP_EncryptUpdate(EVP_CIPHER_CTX *ct
+             return 1;
+         } else {
+             j = bl - i;
++            /*
++             * Once we've processed the first j bytes from in, the amount of
++             * data left that is a multiple of the block length is:
++             * (inl - j) & ~(bl - 1)
++             * We must ensure that this amount of data, plus the one block that
++             * we process from ctx->buf does not exceed INT_MAX
++             */
++            if (((inl - j) & ~(bl - 1)) > INT_MAX - bl) {
++                EVPerr(EVP_F_EVP_ENCRYPTUPDATE,
++                       EVP_R_OUTPUT_WOULD_OVERFLOW);
++                return 0;
++            } 
+             memcpy(&(ctx->buf[i]), in, j);
+             if (!M_do_cipher(ctx, out, ctx->buf, bl))
+                 return 0;
+@@ -518,6 +531,19 @@ int EVP_DecryptUpdate(EVP_CIPHER_CTX *ct
+     OPENSSL_assert(b <= sizeof ctx->final);
+ 
+     if (ctx->final_used) {
++        /*
++         * final_used is only ever set if buf_len is 0. Therefore the maximum
++         * length output we will ever see from evp_EncryptDecryptUpdate is
++         * the maximum multiple of the block length that is <= inl, or just:
++         * inl & ~(b - 1)
++         * Since final_used has been set then the final output length is:
++         * (inl & ~(b - 1)) + b
++         * This must never exceed INT_MAX
++         */
++        if ((inl & ~(b - 1)) > INT_MAX - b) {
++            EVPerr(EVP_F_EVP_DECRYPTUPDATE, EVP_R_OUTPUT_WOULD_OVERFLOW);
++            return 0;
++        }
+         memcpy(out, ctx->final, b);
+         out += b;
+         fix_len = 1;
+diff -up openssl-1.0.2k/crypto/evp/evp_err.c.int-overflow openssl-1.0.2k/crypto/evp/evp_err.c
+--- openssl-1.0.2k/crypto/evp/evp_err.c.int-overflow	2017-01-26 14:22:03.000000000 +0100
++++ openssl-1.0.2k/crypto/evp/evp_err.c	2021-09-01 14:17:32.909929103 +0200
+@@ -1,6 +1,6 @@
+ /* crypto/evp/evp_err.c */
+ /* ====================================================================
+- * Copyright (c) 1999-2016 The OpenSSL Project.  All rights reserved.
++ * Copyright (c) 1999-2021 The OpenSSL Project.  All rights reserved.
+  *
+  * Redistribution and use in source and binary forms, with or without
+  * modification, are permitted provided that the following conditions
+@@ -93,6 +93,8 @@ static ERR_STRING_DATA EVP_str_functs[]
+      "EVP_CIPHER_CTX_set_key_length"},
+     {ERR_FUNC(EVP_F_EVP_DECRYPTFINAL_EX), "EVP_DecryptFinal_ex"},
+     {ERR_FUNC(EVP_F_EVP_DIGESTINIT_EX), "EVP_DigestInit_ex"},
++    {ERR_FUNC(EVP_F_EVP_DECRYPTUPDATE), "EVP_DecryptUpdate"},
++    {ERR_FUNC(EVP_F_EVP_ENCRYPTUPDATE), "EVP_EncryptUpdate"},
+     {ERR_FUNC(EVP_F_EVP_ENCRYPTFINAL_EX), "EVP_EncryptFinal_ex"},
+     {ERR_FUNC(EVP_F_EVP_MD_CTX_COPY_EX), "EVP_MD_CTX_copy_ex"},
+     {ERR_FUNC(EVP_F_EVP_MD_SIZE), "EVP_MD_size"},
+@@ -213,6 +215,8 @@ static ERR_STRING_DATA EVP_str_reasons[]
+     {ERR_REASON(EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE),
+      "operation not supported for this keytype"},
+     {ERR_REASON(EVP_R_OPERATON_NOT_INITIALIZED), "operaton not initialized"},
++    {ERR_REASON(EVP_R_OUTPUT_WOULD_OVERFLOW),
++    "output would overflow"},
+     {ERR_REASON(EVP_R_PKCS8_UNKNOWN_BROKEN_TYPE),
+      "pkcs8 unknown broken type"},
+     {ERR_REASON(EVP_R_PRIVATE_KEY_DECODE_ERROR), "private key decode error"},
+diff -up openssl-1.0.2k/crypto/evp/evp.h.int-overflow openssl-1.0.2k/crypto/evp/evp.h
+--- openssl-1.0.2k/crypto/evp/evp.h.int-overflow	2021-09-01 14:17:32.871928598 +0200
++++ openssl-1.0.2k/crypto/evp/evp.h	2021-09-01 14:24:37.803577096 +0200
+@@ -1,5 +1,5 @@
+ /* crypto/evp/evp.h */
+-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
++/* Copyright (C) 1995-2021 Eric Young (eay@cryptsoft.com)
+  * All rights reserved.
+  *
+  * This package is an SSL implementation written
+@@ -1404,6 +1404,8 @@ void ERR_load_EVP_strings(void);
+ # define EVP_F_EVP_CIPHER_CTX_SET_KEY_LENGTH              122
+ # define EVP_F_EVP_DECRYPTFINAL_EX                        101
+ # define EVP_F_EVP_DIGESTINIT_EX                          128
++# define EVP_F_EVP_DECRYPTUPDATE                          180
++# define EVP_F_EVP_ENCRYPTUPDATE                          181
+ # define EVP_F_EVP_ENCRYPTFINAL_EX                        127
+ # define EVP_F_EVP_MD_CTX_COPY_EX                         110
+ # define EVP_F_EVP_MD_SIZE                                162
+@@ -1514,6 +1516,7 @@ void ERR_load_EVP_strings(void);
+ # define EVP_R_NO_VERIFY_FUNCTION_CONFIGURED              105
+ # define EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE   150
+ # define EVP_R_OPERATON_NOT_INITIALIZED                   151
++# define EVP_R_OUTPUT_WOULD_OVERFLOW                      184
+ # define EVP_R_PKCS8_UNKNOWN_BROKEN_TYPE                  117
+ # define EVP_R_PRIVATE_KEY_DECODE_ERROR                   145
+ # define EVP_R_PRIVATE_KEY_ENCODE_ERROR                   146
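Review bot: The comment added to EVP_DecryptUpdate refers to `evp_EncryptDecryptUpdate`, which is the 1.1.1 helper's name; if 1.0.2k's EVP_DecryptUpdate still forwards to EVP_EncryptUpdate (the call is outside the hunk), the comment names a function that does not exist in this tree and should read `* length output we will ever see from EVP_EncryptUpdate is`. The bound itself, `(inl & ~(b - 1)) > INT_MAX - b`, matches the EncryptUpdate check `((inl - j) & ~(bl - 1)) > INT_MAX - bl` in form, which is good for readers comparing the two. Two style points: the closing `} ` of the EncryptUpdate guard carries trailing whitespace, and the `"output would overflow"` continuation line in evp_err.c is indented one column less than the neighbouring `"pkcs8 unknown broken type"` continuation. The new codes 180, 181 and 184 have to be unique within evp.h's EVP_F_ and EVP_R_ lists, which the three-line context cannot show; worth confirming they do not collide with codes assigned elsewhere in that header.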
diff --git a/SOURCES/openssl-1.0.2k-cve-2021-23841.patch b/SOURCES/openssl-1.0.2k-cve-2021-23841.patch
new file mode 100644
index 0000000..236b563
--- /dev/null
+++ b/SOURCES/openssl-1.0.2k-cve-2021-23841.patch
@@ -0,0 +1,12 @@
+diff -up openssl-1.0.2k/crypto/x509/x509_cmp.c.null-hash-deref openssl-1.0.2k/crypto/x509/x509_cmp.c
+--- openssl-1.0.2k/crypto/x509/x509_cmp.c.null-hash-deref	2021-09-01 14:13:51.247986607 +0200
++++ openssl-1.0.2k/crypto/x509/x509_cmp.c	2021-09-01 14:15:13.542078900 +0200
+@@ -88,6 +88,8 @@ unsigned long X509_issuer_and_serial_has
+     EVP_MD_CTX_init(&ctx);
+     EVP_MD_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
+     f = X509_NAME_oneline(a->cert_info->issuer, NULL, 0);
++    if (f == NULL)
++        goto err;
+     if (!EVP_DigestInit_ex(&ctx, EVP_md5(), NULL))
+         goto err;
+     if (!EVP_DigestUpdate(&ctx, (unsigned char *)f, strlen(f)))
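Review bot: The new NULL check is correct but undocumented; since this is the CVE-2021-23841 fix, a one-line comment such as `/* X509_NAME_oneline() returns NULL on failure; strlen(f) below would dereference it */` would tell the next reader why the early exit exists. Separately, the two pre-existing `goto err` branches right after the new check run while `f` is still owned; if the matching OPENSSL_free(f) sits after the EVP_DigestUpdate call, as the visible ordering suggests, those failure paths leak `f`, which is not introduced by this change but would be cheap to close while the function is being touched (free `f` at the err label instead). X509_issuer_and_serial_hash's body continues outside the hunk, so the err label and the return value on this path cannot be confirmed from here.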
diff --git a/SPECS/openssl.spec b/SPECS/openssl.spec
index bcf1f7c..9168bfc 100644
--- a/SPECS/openssl.spec
+++ b/SPECS/openssl.spec
@@ -23,7 +23,7 @@
 Summary: Utilities from the general purpose cryptography library with TLS implementation
 Name: openssl
 Version: 1.0.2k
-Release: 21%{?dist}
+Release: 22%{?dist}
 Epoch: 1
 # We have to remove certain patented algorithms from the openssl source
 # tarball with the hobble-openssl script which is included below.
@@ -111,6 +111,8 @@ Patch109: openssl-1.0.2k-cve-2019-1559.patch
 Patch110: openssl-1.0.2k-fix-one-and-done.patch
 Patch111: openssl-1.0.2k-fix-9-lives.patch
 Patch112: openssl-1.0.2k-cve-2020-1971.patch
+Patch113: openssl-1.0.2k-cve-2021-23840.patch
+Patch114: openssl-1.0.2k-cve-2021-23841.patch
 
 License: OpenSSL
 Group: System Environment/Libraries
@@ -254,6 +256,8 @@ cp %{SOURCE12} %{SOURCE13} crypto/ec/
 %patch110 -p1 -b .one-and-done
 %patch111 -p1 -b .9-lives
 %patch112 -p1 -b .null-dereference
+%patch113 -p1 -b .int-overflow
+%patch114 -p1 -b .null-hash-deref
 
 sed -i 's/SHLIB_VERSION_NUMBER "1.0.0"/SHLIB_VERSION_NUMBER "%{version}"/' crypto/opensslv.h
 
@@ -553,6 +557,12 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
 %postun libs -p /sbin/ldconfig
 
 %changelog
+* Wed Sep  1 2021 Sahana Prasad <sahana@redhat.com> 1.0.2k-22
+- fix CVE-2021-23841 openssl: NULL pointer dereference
+  in X509_issuer_and_serial_hash()
+- fix CVE-2021-23840 openssl: integer overflow in CipherUpdate
+- Resolves: rhbz#1932132, rhbz#1932126
+
 * Fri Dec  4 2020 Sahana Prasad <sahana@redhat.com> 1.0.2k-21
 - remove ASN1_F_ASN1_ITEM_EMBED_D2I from openssl-1.0.2k-cve-2020-1971.patch