diff --git a/debian/changelog b/debian/changelog
index ecfadce2d98ff8943444df72d68c97175bc6b78f..c01894221a2280cde21a3e8509cd80ed2d0a1b5b 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,18 @@
+openssl (1.1.1k-1+deb11u2+apertis0) apertis; urgency=medium
+
+ * Sync from debian/bullseye-security.
+
+ -- Apertis CI <devel@lists.apertis.org> Mon, 28 Mar 2022 14:53:52 +0000
+
+openssl (1.1.1k-1+deb11u2) bullseye-security; urgency=medium
+
+ * CVE-2022-0778 (Infinite loop in BN_mod_sqrt() reachable when parsing
+ certificates).
+ * CVE-2021-4160 (Carry propagation bug in the MIPS32 and MIPS64 squaring
+ procedure.)
+
+ -- Sebastian Andrzej Siewior <sebastian@breakpoint.cc> Mon, 14 Mar 2022 19:51:01 +0100
+
 openssl (1.1.1k-1+deb11u1+apertis0) apertis; urgency=medium
 
 * Sync from debian/bullseye-security.
diff --git a/debian/patches/Add-a-negative-testcase-for-BN_mod_sqrt.patch b/debian/patches/Add-a-negative-testcase-for-BN_mod_sqrt.patch
new file mode 100644
index 0000000000000000000000000000000000000000..61d0d33832a7f7c4a4e8d244342ae969f9551705
--- /dev/null
+++ b/debian/patches/Add-a-negative-testcase-for-BN_mod_sqrt.patch
@@ -0,0 +1,52 @@
+From: Tomas Mraz <tomas@openssl.org>
+Date: Mon, 28 Feb 2022 18:26:35 +0100
+Subject: Add a negative testcase for BN_mod_sqrt
+
+---
+ test/bntest.c | 11 ++++++++++-
+ test/recipes/10-test_bn_data/bnmod.txt | 12 ++++++++++++
+ 2 files changed, 22 insertions(+), 1 deletion(-)
+
+diff --git a/test/bntest.c b/test/bntest.c
+index 97d08ac0be6b..2348d9fb5496 100644
+--- a/test/bntest.c
++++ b/test/bntest.c
+@@ -1614,8 +1614,17 @@ static int file_modsqrt(STANZA *s)
+ || !TEST_ptr(ret2 = BN_new()))
+ goto err;
+ 
++ if (BN_is_negative(mod_sqrt)) {
++ /* A negative testcase */
++ if (!TEST_ptr_null(BN_mod_sqrt(ret, a, p, ctx)))
++ goto err;
++
++ st = 1;
++ goto err;
++ }
++
+ /* There are two possible answers. */
+- if (!TEST_true(BN_mod_sqrt(ret, a, p, ctx))
++ if (!TEST_ptr(BN_mod_sqrt(ret, a, p, ctx))
+ || !TEST_true(BN_sub(ret2, p, ret)))
+ goto err;
+ 
+diff --git a/test/recipes/10-test_bn_data/bnmod.txt b/test/recipes/10-test_bn_data/bnmod.txt
+index 5ea4d031f271..e28cc6bfb02e 100644
+--- a/test/recipes/10-test_bn_data/bnmod.txt
++++ b/test/recipes/10-test_bn_data/bnmod.txt
+@@ -2799,3 +2799,15 @@ P = 9df9d6cc20b8540411af4e5357ef2b0353cb1f2ab5ffc3e246b41c32f71e951f
+ ModSqrt = a1d52989f12f204d3d2167d9b1e6c8a6174c0c786a979a5952383b7b8bd186
+ A = 2eee37cf06228a387788188e650bc6d8a2ff402931443f69156a29155eca07dcb45f3aac238d92943c0c25c896098716baa433f25bd696a142f5a69d5d937e81
+ P = 9df9d6cc20b8540411af4e5357ef2b0353cb1f2ab5ffc3e246b41c32f71e951f
++
++# Negative testcases for BN_mod_sqrt()
++
++# This one triggers an infinite loop with unfixed implementation
++# It should just fail.
++ModSqrt = -1
++A = 20a7ee
++P = 460201
++
++ModSqrt = -1
++A = 65bebdb00a96fc814ec44b81f98b59fba3c30203928fa5214c51e0a97091645280c947b005847f239758482b9bfc45b066fde340d1fe32fc9c1bf02e1b2d0ed
++P = 9df9d6cc20b8540411af4e5357ef2b0353cb1f2ab5ffc3e246b41c32f71e951f
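Review bot: The early branch added to file_modsqrt treats a negative ModSqrt value from the data file as an expected-failure marker, but the only explanation is `/* A negative testcase */`, and nothing says that the following `st = 1; goto err;` is the success exit through the shared cleanup label. I would spell both out, for example `/* ModSqrt < 0 in the stanza marks an expected failure: BN_mod_sqrt() must return NULL. */` and `/* success: leave through the common cleanup at err */`. Only a NULL return is checked, so a failure for an unrelated reason would also pass; asserting that the queued error reason is the not-a-square one would pin the intended path. file_modsqrt begins and ends outside the hunk.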
diff --git a/debian/patches/Add-documentation-of-BN_mod_sqrt.patch b/debian/patches/Add-documentation-of-BN_mod_sqrt.patch
new file mode 100644
index 0000000000000000000000000000000000000000..970e7eec57c9fa6688c29fdd06cbcf58582467c9
--- /dev/null
+++ b/debian/patches/Add-documentation-of-BN_mod_sqrt.patch
@@ -0,0 +1,55 @@
+From: Tomas Mraz <tomas@openssl.org>
+Date: Mon, 28 Feb 2022 18:26:30 +0100
+Subject: Add documentation of BN_mod_sqrt()
+
+---
+ doc/man3/BN_add.pod | 15 +++++++++++++--
+ 1 file changed, 13 insertions(+), 2 deletions(-)
+
+diff --git a/doc/man3/BN_add.pod b/doc/man3/BN_add.pod
+index dccd4790ede7..1f5e37a4d183 100644
+--- a/doc/man3/BN_add.pod
++++ b/doc/man3/BN_add.pod
+@@ -3,7 +3,7 @@
+ =head1 NAME
+ 
+ BN_add, BN_sub, BN_mul, BN_sqr, BN_div, BN_mod, BN_nnmod, BN_mod_add,
+-BN_mod_sub, BN_mod_mul, BN_mod_sqr, BN_exp, BN_mod_exp, BN_gcd -
++BN_mod_sub, BN_mod_mul, BN_mod_sqr, BN_mod_sqrt, BN_exp, BN_mod_exp, BN_gcd -
+ arithmetic operations on BIGNUMs
+ 
+ =head1 SYNOPSIS
+@@ -36,6 +36,8 @@ arithmetic operations on BIGNUMs
+ 
+ int BN_mod_sqr(BIGNUM *r, BIGNUM *a, const BIGNUM *m, BN_CTX *ctx);
+ 
++ BIGNUM *BN_mod_sqrt(BIGNUM *in, BIGNUM *a, const BIGNUM *p, BN_CTX *ctx);
++
+ int BN_exp(BIGNUM *r, BIGNUM *a, BIGNUM *p, BN_CTX *ctx);
+ 
+ int BN_mod_exp(BIGNUM *r, BIGNUM *a, const BIGNUM *p,
+@@ -87,6 +89,12 @@ L<BN_mod_mul_reciprocal(3)>.
+ BN_mod_sqr() takes the square of I<a> modulo B<m> and places the
+ result in I<r>.
+ 
++BN_mod_sqrt() returns the modular square root of I<a> such that
++C<in^2 = a (mod p)>. The modulus I<p> must be a
++prime, otherwise an error or an incorrect "result" will be returned.
++The result is stored into I<in> which can be NULL. The result will be
++newly allocated in that case.
++
+ BN_exp() raises I<a> to the I<p>-th power and places the result in I<r>
+ (C<r=a^p>). This function is faster than repeated applications of
+ BN_mul().
+@@ -108,7 +116,10 @@ the arguments.
+ 
+ =head1 RETURN VALUES
+ 
+-For all functions, 1 is returned for success, 0 on error. The return
++The BN_mod_sqrt() returns the result (possibly incorrect if I<p> is
++not a prime), or NULL.
++
++For all remaining functions, 1 is returned for success, 0 on error. The return
+ value should always be checked (e.g., C<if (!BN_add(r,a,b)) goto err;>).
+ The error codes can be obtained by L<ERR_get_error(3)>.
+ 
diff --git a/debian/patches/Fix-a-carry-overflow-bug-in-bn_sqr_comba4-8-for-mips-32-b.patch b/debian/patches/Fix-a-carry-overflow-bug-in-bn_sqr_comba4-8-for-mips-32-b.patch
new file mode 100644
index 0000000000000000000000000000000000000000..f9d88d0b493f996b6b1214f268dd065478312ecc
--- /dev/null
+++ b/debian/patches/Fix-a-carry-overflow-bug-in-bn_sqr_comba4-8-for-mips-32-b.patch
@@ -0,0 +1,135 @@
+From: Bernd Edlinger <bernd.edlinger@hotmail.de>
+Date: Sat, 11 Dec 2021 20:28:11 +0100
+Subject: Fix a carry overflow bug in bn_sqr_comba4/8 for mips 32-bit targets
+
+bn_sqr_comba8 does for instance compute a wrong result for the value:
+a=0x4aaac919 62056c84 fba7334e 1a6be678 022181ba fd3aa878 899b2346 ee210f45
+
+The correct result is:
+r=0x15c72e32 605a3061 d11b1012 3c187483 6df96999 bd0c22ba d3e7d437 4724a82f
+ 912c5e61 6a187efe 8f7c47fc f6945fe5 75be8e3d 97ed17d4 7950b465 3cb32899
+
+but the actual result was:
+r=0x15c72e32 605a3061 d11b1012 3c187483 6df96999 bd0c22ba d3e7d437 4724a82f
+ 912c5e61 6a187efe 8f7c47fc f6945fe5 75be8e3c 97ed17d4 7950b465 3cb32899
+
+so the forth word of the result was 0x75be8e3c but should have been
+0x75be8e3d instead.
+
+Likewise bn_sqr_comba4 has an identical bug for the same value as well:
+a=0x022181ba fd3aa878 899b2346 ee210f45
+
+correct result:
+r=0x00048a69 9fe82f8b 62bd2ed1 88781335 75be8e3d 97ed17d4 7950b465 3cb32899
+
+wrong result:
+r=0x00048a69 9fe82f8b 62bd2ed1 88781335 75be8e3c 97ed17d4 7950b465 3cb32899
+
+Fortunately the bn_mul_comba4/8 code paths are not affected.
+
+Also the mips64 target does in fact not handle the carry propagation
+correctly.
+
+Example:
+a=0x4aaac91900000000 62056c8400000000 fba7334e00000000 1a6be67800000000
+ 022181ba00000000 fd3aa87800000000 899b234635dad283 ee210f4500000001
+
+correct result:
+r=0x15c72e32272c4471 392debf018c679c8 b85496496bf8254c d0204f36611e2be1
+ 0cdb3db8f3c081d8 c94ba0e1bacc5061 191b83d47ff929f6 5be0aebfc13ae68d
+ 3eea7a7fdf2f5758 42f7ec656cab3cb5 6a28095be34756f2 64f24687bf37de06
+ 2822309cd1d292f9 6fa698c972372f09 771e97d3a868cda0 dc421e8a00000001
+
+wrong result:
+r=0x15c72e32272c4471 392debf018c679c8 b85496496bf8254c d0204f36611e2be1
+ 0cdb3db8f3c081d8 c94ba0e1bacc5061 191b83d47ff929f6 5be0aebfc13ae68d
+ 3eea7a7fdf2f5758 42f7ec656cab3cb5 6a28095be34756f2 64f24687bf37de06
+ 2822309cd1d292f8 6fa698c972372f09 771e97d3a868cda0 dc421e8a00000001
+
+Reviewed-by: Paul Dale <pauli@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/17258)
+
+(cherry picked from commit 336923c0c8d705cb8af5216b29a205662db0d590)
+---
+ crypto/bn/asm/mips.pl | 4 ++++
+ test/bntest.c | 45 +++++++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 49 insertions(+)
+
+diff --git a/crypto/bn/asm/mips.pl b/crypto/bn/asm/mips.pl
+index 8ad715bda4d4..74101030f2ee 100644
+--- a/crypto/bn/asm/mips.pl
++++ b/crypto/bn/asm/mips.pl
+@@ -1984,6 +1984,8 @@ $code.=<<___;
+ sltu $at,$c_2,$t_1
+ $ADDU $c_3,$t_2,$at
+ $ST $c_2,$BNSZ($a0)
++ sltu $at,$c_3,$t_2
++ $ADDU $c_1,$at
+ mflo ($t_1,$a_2,$a_0)
+ mfhi ($t_2,$a_2,$a_0)
+ ___
+@@ -2194,6 +2196,8 @@ $code.=<<___;
+ sltu $at,$c_2,$t_1
+ $ADDU $c_3,$t_2,$at
+ $ST $c_2,$BNSZ($a0)
++ sltu $at,$c_3,$t_2
++ $ADDU $c_1,$at
+ mflo ($t_1,$a_2,$a_0)
+ mfhi ($t_2,$a_2,$a_0)
+ ___
+diff --git a/test/bntest.c b/test/bntest.c
+index 2348d9fb5496..174ade6215ce 100644
+--- a/test/bntest.c
++++ b/test/bntest.c
+@@ -557,6 +557,51 @@ static int test_modexp_mont5(void)
+ if (!TEST_BN_eq(c, d))
+ goto err;
+ 
++ /*
++ * Regression test for overflow bug in bn_sqr_comba4/8 for
++ * mips-linux-gnu and mipsel-linux-gnu 32bit targets.
++ */
++ {
++ static const char *ehex[] = {
++ "95564994a96c45954227b845a1e99cb939d5a1da99ee91acc962396ae999a9ee",
++ "38603790448f2f7694c242a875f0cad0aae658eba085f312d2febbbd128dd2b5",
++ "8f7d1149f03724215d704344d0d62c587ae3c5939cba4b9b5f3dc5e8e911ef9a",
++ "5ce1a5a749a4989d0d8368f6e1f8cdf3a362a6c97fb02047ff152b480a4ad985",
++ "2d45efdf0770542992afca6a0590d52930434bba96017afbc9f99e112950a8b1",
++ "a359473ec376f329bdae6a19f503be6d4be7393c4e43468831234e27e3838680",
++ "b949390d2e416a3f9759e5349ab4c253f6f29f819a6fe4cbfd27ada34903300e",
++ "da021f62839f5878a36f1bc3085375b00fd5fa3e68d316c0fdace87a97558465",
++ NULL};
++ static const char *phex[] = {
++ "f95dc0f980fbd22e90caa5a387cc4a369f3f830d50dd321c40db8c09a7e1a241",
++ "a536e096622d3280c0c1ba849c1f4a79bf490f60006d081e8cf69960189f0d31",
++ "2cd9e17073a3fba7881b21474a13b334116cb2f5dbf3189a6de3515d0840f053",
++ "c776d3982d391b6d04d642dda5cc6d1640174c09875addb70595658f89efb439",
++ "dc6fbd55f903aadd307982d3f659207f265e1ec6271b274521b7a5e28e8fd7a5",
++ "5df089292820477802a43cf5b6b94e999e8c9944ddebb0d0e95a60f88cb7e813",
++ "ba110d20e1024774107dd02949031864923b3cb8c3f7250d6d1287b0a40db6a4",
++ "7bd5a469518eb65aa207ddc47d8c6e5fc8e0c105be8fc1d4b57b2e27540471d5",
++ NULL};
++ static const char *mhex[] = {
++ "fef15d5ce4625f1bccfbba49fc8439c72bf8202af039a2259678941b60bb4a8f",
++ "2987e965d58fd8cf86a856674d519763d0e1211cc9f8596971050d56d9b35db3",
++ "785866cfbca17cfdbed6060be3629d894f924a89fdc1efc624f80d41a22f1900",
++ "9503fcc3824ef62ccb9208430c26f2d8ceb2c63488ec4c07437aa4c96c43dd8b",
++ "9289ed00a712ff66ee195dc71f5e4ead02172b63c543d69baf495f5fd63ba7bc",
++ "c633bd309c016e37736da92129d0b053d4ab28d21ad7d8b6fab2a8bbdc8ee647",
++ "d2fbcf2cf426cf892e6f5639e0252993965dfb73ccd277407014ea784aaa280c",
++ "b7b03972bc8b0baa72360bdb44b82415b86b2f260f877791cd33ba8f2d65229b",
++ NULL};
++
++ if (!TEST_true(parse_bigBN(&e, ehex))
++ || !TEST_true(parse_bigBN(&p, phex))
++ || !TEST_true(parse_bigBN(&m, mhex))
++ || !TEST_true(BN_mod_exp_mont_consttime(d, e, p, m, ctx, NULL))
++ || !TEST_true(BN_mod_exp_simple(a, e, p, m, ctx))
++ || !TEST_BN_eq(a, d))
++ goto err;
++ }
++
+ /* Zero input */
+ if (!TEST_true(BN_bntest_rand(p, 1024, 0, 0)))
+ goto err;
diff --git a/debian/patches/Fix-possible-infinite-loop-in-BN_mod_sqrt.patch b/debian/patches/Fix-possible-infinite-loop-in-BN_mod_sqrt.patch
new file mode 100644
index 0000000000000000000000000000000000000000..0b2d85452c35599a55398ad3812439fdb4e70205
--- /dev/null
+++ b/debian/patches/Fix-possible-infinite-loop-in-BN_mod_sqrt.patch
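Review bot: The regression comment added in test_modexp_mont5 names only the mips-linux-gnu and mipsel-linux-gnu 32bit targets, while the patch description says the mips64 carry propagation is also wrong and gives a separate 64-bit example. Whether the ehex/phex/mhex vectors reach the 64-bit carry case cannot be told from the hunk, so the comment should either say so, e.g. `* The mips64 case from the commit message is not known to be covered by these vectors.`, or a vector derived from the 64-bit example should be added. The two `sltu $at,$c_3,$t_2` / `$ADDU $c_1,$at` pairs added in mips.pl carry no comment; a short note that they add the carry out of the c_3 addition into c_1 would make the fix easier to audit. test_modexp_mont5 starts and ends outside the hunk.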
@@ -0,0 +1,62 @@
+From: Tomas Mraz <tomas@openssl.org>
+Date: Mon, 28 Feb 2022 18:26:21 +0100
+Subject: Fix possible infinite loop in BN_mod_sqrt()
+
+The calculation in some cases does not finish for non-prime p.
+
+This fixes CVE-2022-0778.
+
+Based on patch by David Benjamin <davidben@google.com>.
+---
+ crypto/bn/bn_sqrt.c | 30 ++++++++++++++++++------------
+ 1 file changed, 18 insertions(+), 12 deletions(-)
+
+diff --git a/crypto/bn/bn_sqrt.c b/crypto/bn/bn_sqrt.c
+index 1723d5ded5a8..53b0f559855c 100644
+--- a/crypto/bn/bn_sqrt.c
++++ b/crypto/bn/bn_sqrt.c
+@@ -14,7 +14,8 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
+ /*
+ * Returns 'ret' such that ret^2 == a (mod p), using the Tonelli/Shanks
+ * algorithm (cf. Henri Cohen, "A Course in Algebraic Computational Number
+- * Theory", algorithm 1.5.1). 'p' must be prime!
++ * Theory", algorithm 1.5.1). 'p' must be prime, otherwise an error or
++ * an incorrect "result" will be returned.
+ */
+ {
+ BIGNUM *ret = in;
+@@ -301,18 +302,23 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
+ goto vrfy;
+ }
+ 
+- /* find smallest i such that b^(2^i) = 1 */
+- i = 1;
+- if (!BN_mod_sqr(t, b, p, ctx))
+- goto end;
+- while (!BN_is_one(t)) {
+- i++;
+- if (i == e) {
+- BNerr(BN_F_BN_MOD_SQRT, BN_R_NOT_A_SQUARE);
+- goto end;
++ /* Find the smallest i, 0 < i < e, such that b^(2^i) = 1. */
++ for (i = 1; i < e; i++) {
++ if (i == 1) {
++ if (!BN_mod_sqr(t, b, p, ctx))
++ goto end;
++
++ } else {
++ if (!BN_mod_mul(t, t, t, p, ctx))
++ goto end;
+ }
+- if (!BN_mod_mul(t, t, t, p, ctx))
+- goto end;
++ if (BN_is_one(t))
++ break;
++ }
++ /* If not found, a is not a square or p is not prime. */
++ if (i >= e) {
++ BNerr(BN_F_BN_MOD_SQRT, BN_R_NOT_A_SQUARE);
++ goto end;
+ }
+ 
+ /* t := y^2^(e - i - 1) */
diff --git a/debian/patches/series b/debian/patches/series
index c26b04960ade0b1d4d384c86046aebb32ec196a4..9779497952bad2b7429f5efcb8775f0eb4de93c0 100644
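Review bot: The rewritten search loop in BN_mod_sqrt is bounded by `i < e`, but its comment `/* Find the smallest i, 0 < i < e, such that b^(2^i) = 1. */` does not say that this bound is what guarantees termination when p is not prime, the case the patch description ties to CVE-2022-0778. I would add that to the comment, e.g. `/* The i < e bound also guarantees termination for non-prime p. */`, so a later refactor does not bring back an unbounded `while (!BN_is_one(t))`. As a style point, the empty line before `} else {` is stray. The function continues outside the hunk (the `vrfy` and `end` labels are not visible), so how a result is checked for composite p cannot be confirmed from here.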
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -21,3 +21,7 @@ Fix-the-error-handling-in-i2v_AUTHORITY_KEYID.patch
 fixup-Allow-fuzz-builds-to-detect-string-overruns.patch
 fixup-Fix-the-name-constraints-code-to-not-assume-NUL-ter.patch
 fixup-Fix-i2v_GENERAL_NAME-to-not-assume-NUL-terminated-s.patch
+Fix-possible-infinite-loop-in-BN_mod_sqrt.patch
+Add-documentation-of-BN_mod_sqrt.patch
+Add-a-negative-testcase-for-BN_mod_sqrt.patch
+Fix-a-carry-overflow-bug-in-bn_sqr_comba4-8-for-mips-32-b.patch