diff --git a/dist b/dist
new file mode 100644
index 0000000000000000000000000000000000000000..ad8eb77ba59be071474988a034571694eaa9db8e
--- /dev/null
+++ b/dist
@@ -0,0 +1 @@
+an7_9
diff --git a/download b/download
new file mode 100644
index 0000000000000000000000000000000000000000..2a807330c915d27e2a593b091700602f63389985
--- /dev/null
+++ b/download
@@ -0,0 +1,2 @@
+b2db2a83caf66a208bb78d6d287cdaa3 openssh-7.4p1.tar.gz
+8dbe90ab3625e545036333e6f51ccf1d pam_ssh_agent_auth-0.10.3.tar.bz2
diff --git a/openssh-7.4p1.tar.gz b/openssh-7.4p1.tar.gz
deleted file mode 100644
index ef8681d46f768cfb24ea2b869bbadd76018d69b6..0000000000000000000000000000000000000000
Binary files a/openssh-7.4p1.tar.gz and /dev/null differ
diff --git a/openssh-9.3p1-upstream-cve-2023-38408.patch b/openssh-9.3p1-upstream-cve-2023-38408.patch
new file mode 100644
index 0000000000000000000000000000000000000000..62114732ecdce63efac4d4ad00aa778fa78e399c
--- /dev/null
+++ b/openssh-9.3p1-upstream-cve-2023-38408.patch
@@ -0,0 +1,17 @@
+diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c
+index 6be647ec..ebddf6c3 100644
+--- a/ssh-pkcs11.c
++++ b/ssh-pkcs11.c
+@@ -1537,10 +1537,8 @@ pkcs11_register_provider(char *provider_id, char *pin,
+ error("dlopen %s failed: %s", provider_id, dlerror());
+ goto fail;
+ }
+- if ((getfunctionlist = dlsym(handle, "C_GetFunctionList")) == NULL) {
+- error("dlsym(C_GetFunctionList) failed: %s", dlerror());
+- goto fail;
+- }
++ if ((getfunctionlist = dlsym(handle, "C_GetFunctionList")) == NULL)
++ fatal("dlsym(C_GetFunctionList) failed: %s", dlerror());
+ p = xcalloc(1, sizeof(*p));
+ p->name = xstrdup(provider_id);
+ p->handle = handle;
diff --git a/openssh.spec b/openssh.spec
index cd9c4599269e975abcefc15d18f4949a27383514..8ada9306a8c666e6b9af38e28940a61af8711adb 100644
--- a/openssh.spec
+++ b/openssh.spec
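Review bot: The two entries added to `download` pin the source tarballs by 32-hex-digit values that look like MD5 digests, while the tarballs themselves are deleted from the repository elsewhere in this commit. MD5 is not collision-resistant, so these digests give weak assurance that the fetched `openssh-7.4p1.tar.gz` and `pam_ssh_agent_auth-0.10.3.tar.bz2` are the files that were previously tracked. If the tooling that reads this file accepts a stronger digest, record SHA-256 or SHA-512 here; otherwise check the tarballs against the upstream release signatures during the build.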
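Review bot: In the `ssh-pkcs11.c` hunk carried by `openssh-9.3p1-upstream-cve-2023-38408.patch`, the new `fatal()` is reached only after `dlopen()` on `provider_id` has already succeeded (the `dlopen %s failed` branch is the context just above it), so load-time code in a library that is not a PKCS#11 provider has already run before the process exits. The change limits what stays loaded in the process; it does not stop the load, and a comment at the check should say so, e.g. `/* not a PKCS#11 provider: exit instead of keeping the library mapped */`. The hunk header names `pkcs11_register_provider` at line 1537 of the 9.3p1 tree, so against 7.4p1 it presumably applies by offset only; confirm in the `%prep` output that it lands on the intended `dlsym` check. The function body starts and ends outside the hunk.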
@@ -64,7 +64,7 @@ # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1 %define openssh_ver 7.4p1 -%define openssh_rel 22 +%define openssh_rel 23 %define pam_ssh_agent_ver 0.10.3 %define pam_ssh_agent_rel 2 @@ -256,6 +256,9 @@ Patch961: openssh-7.4p1-CVE-2018-15473.patch Patch962: openssh-7.4p1-uidswap.patch # CVE-2021-41617 Patch978: openssh-8.7p1-upstream-cve-2021-41617.patch +# upsream commit +# b23fe83f06ee7e721033769cfa03ae840476d280 +Patch1015: openssh-9.3p1-upstream-cve-2023-38408.patch License: BSD Group: Applications/Internet @@ -519,6 +522,7 @@ popd %patch700 -p1 -b .fips %patch100 -p1 -b .coverity +%patch1015 -p1 -b .cve-2023-38408 %if 0 # Nothing here yet @@ -838,6 +842,10 @@ getent passwd sshd >/dev/null || \ %endif %changelog +* Thu Jul 20 2023 Dmitry Belyavskiy - 7.4p1-23 + 0.10.3-2 +- Avoid remote code execution in ssh-agent PKCS#11 support + Resolves: CVE-2023-38408 + * Thu Sep 30 2021 Dmitry Belyavskiy - 7.4p1-22 + 0.10.3-2 - avoid segfault in Kerberos cache cleanup (#1999263) - fix CVE-2021-41617 (#2008884) diff --git a/pam_ssh_agent_auth-0.10.3.tar.bz2 b/pam_ssh_agent_auth-0.10.3.tar.bz2 deleted file mode 100644 index c41c269ffc7aced58221549472f42df45acea2f9..0000000000000000000000000000000000000000 Binary files a/pam_ssh_agent_auth-0.10.3.tar.bz2 and /dev/null differ
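Review bot: The comment added above `Patch1015` reads `# upsream commit` and gives only a hash, while the neighbouring `Patch978` is labelled with its CVE; write it as `# CVE-2023-38408, upstream commit b23fe83f06ee7e721033769cfa03ae840476d280`. As far as I recall, the upstream release that fixed this CVE also made ssh-agent refuse provider-load requests from remote clients by default. If that part is intentionally not backported here, say so in this comment and in the `%changelog` entry, so that operators know which mitigations this build carries and which it does not.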