diff --git a/SOURCES/openssl-1.0.1e-cve-2015-7575.patch b/SOURCES/openssl-1.0.1e-cve-2015-7575.patch
new file mode 100644
index 0000000..dc86361
--- /dev/null
+++ b/SOURCES/openssl-1.0.1e-cve-2015-7575.patch
@@ -0,0 +1,38 @@
+diff -up openssl-1.0.1e/ssl/t1_lib.c.no-md5-tls openssl-1.0.1e/ssl/t1_lib.c
+--- openssl-1.0.1e/ssl/t1_lib.c.no-md5-tls	2015-12-04 09:51:39.000000000 +0100
++++ openssl-1.0.1e/ssl/t1_lib.c	2015-12-21 14:09:35.239084727 +0100
+@@ -390,19 +390,11 @@ static unsigned char tls12_sigalgs[] = {
+ #ifndef OPENSSL_NO_SHA
+ 	tlsext_sigalg(TLSEXT_hash_sha1)
+ #endif
+-#ifndef OPENSSL_NO_MD5
+-	tlsext_sigalg_rsa(TLSEXT_hash_md5)
+-#endif
+ };
+ 
+ int tls12_get_req_sig_algs(SSL *s, unsigned char *p)
+ 	{
+ 	size_t slen = sizeof(tls12_sigalgs);
+-#ifdef OPENSSL_FIPS
+-	/* If FIPS mode don't include MD5 which is last */
+-	if (FIPS_mode())
+-		slen -= 2;
+-#endif
+ 	if (p)
+ 		memcpy(p, tls12_sigalgs, slen);
+ 	return (int)slen;
+@@ -2413,14 +2405,6 @@ const EVP_MD *tls12_get_hash(unsigned ch
+ 	{
+ 	switch(hash_alg)
+ 		{
+-#ifndef OPENSSL_NO_MD5
+-		case TLSEXT_hash_md5:
+-#ifdef OPENSSL_FIPS
+-		if (FIPS_mode())
+-			return NULL;
+-#endif
+-		return EVP_md5();
+-#endif
+ #ifndef OPENSSL_NO_SHA
+ 		case TLSEXT_hash_sha1:
+ 		return EVP_sha1();
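Review bot: With the `case TLSEXT_hash_md5:` arm removed from `tls12_get_hash`, an MD5 hash id sent by a peer now falls through to whatever the switch does for unknown values, and both that default and the function's callers lie outside this hunk. This is the enforcing half of the fix, since dropping the entry from `tls12_sigalgs` only stops advertising MD5. Assuming rejection is signalled by a NULL return, as the removed FIPS branch suggests, it is worth confirming that every caller verifying a peer's TLS 1.2 signature treats NULL as a handshake failure rather than falling back to another digest. I would also add a comment at both sites so a later rebase does not restore the entries, e.g. `/* MD5 is deliberately neither offered nor accepted for TLS 1.2 signatures (CVE-2015-7575) */`. The embedded patch also has no header text; a line or two naming the CVE and the upstream change it derives from would help the next maintainer.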
diff --git a/SPECS/openssl.spec b/SPECS/openssl.spec
index 47dd240..3dbd5c5 100644
--- a/SPECS/openssl.spec
+++ b/SPECS/openssl.spec
@@ -23,7 +23,7 @@
 Summary: Utilities from the general purpose cryptography library with TLS implementation
 Name: openssl
 Version: 1.0.1e
-Release: 51%{?dist}.1
+Release: 51%{?dist}.2
 Epoch: 1
 # We have to remove certain patented algorithms from the openssl source
 # tarball with the hobble-openssl script which is included below.
@@ -143,6 +143,7 @@ Patch134: openssl-1.0.1e-cve-2015-1792.patch
 Patch135: openssl-1.0.1e-cve-2015-3194.patch
 Patch136: openssl-1.0.1e-cve-2015-3195.patch
 Patch137: openssl-1.0.1e-cve-2015-3196.patch
+Patch138: openssl-1.0.1e-cve-2015-7575.patch
 
 License: OpenSSL
 Group: System Environment/Libraries
@@ -316,6 +317,7 @@ cp %{SOURCE12} %{SOURCE13} crypto/ec/
 %patch135 -p1 -b .pss-check
 %patch136 -p1 -b .combine-leak
 %patch137 -p1 -b .psk-identity
+%patch138 -p1 -b .no-md5-tls
 
 sed -i 's/SHLIB_VERSION_NUMBER "1.0.0"/SHLIB_VERSION_NUMBER "%{version}"/' crypto/opensslv.h
 
@@ -582,6 +584,9 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
 %postun libs -p /sbin/ldconfig
 
 %changelog
+* Mon Dec 21 2015 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-51.2
+- fix CVE-2015-7575 - disallow use of MD5 in TLS1.2
+
 * Fri Dec  4 2015 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-51.1
 - fix CVE-2015-3194 - certificate verify crash with missing PSS parameter
 - fix CVE-2015-3195 - X509_ATTRIBUTE memory leak