diff --git a/check-debug-symbols.py b/check-debug-symbols.py
new file mode 100644
index 0000000000000000000000000000000000000000..a4caa57fbafd97c44e18cc86332dd075f9a6c282
--- /dev/null
+++ b/check-debug-symbols.py
@@ -0,0 +1,140 @@
+#!/usr/bin/python3
+
+"""
+Check debug symbols are present in shared object and can identify
+code.
+
+It starts scanning from a directory and recursively scans all ELF
+files found in it for various symbols to ensure all debuginfo is
+present and nothing has been stripped.
+
+Usage:
+
+./check-debug-symbols /path/of/dir/to/scan/
+
+
+Example:
+
+./check-debug-symbols /usr/lib64
+"""
+
+# This technique was explained to me by Mark Wielaard (mjw).
+
+import collections
+import os
+import re
+import subprocess
+import sys
+
+ScanResult = collections.namedtuple('ScanResult',
+ 'file_name debug_info debug_abbrev file_symbols gnu_debuglink')
+
+file_symbol_exclude_list = [
+ 'ilc',
+]
+
+def scan_file(file):
+ "Scan the provided file and return a ScanResult containing results of the scan."
+
+ # Test for .debug_* sections in the shared object. This is the main test.
+ # Stripped objects will not contain these.
+ readelf_S_result = subprocess.run(['eu-readelf', '-S', file],
+ stdout=subprocess.PIPE, encoding='utf-8', check=True)
+ has_debug_info = any(line for line in readelf_S_result.stdout.split('\n') if '] .debug_info' in line)
+
+ has_debug_abbrev = any(line for line in readelf_S_result.stdout.split('\n') if '] .debug_abbrev' in line)
+
+ # Test FILE symbols. These will most likely be removed by anyting that
+ # manipulates symbol tables because it's generally useless. So a nice test
+ # that nothing has messed with symbols.
+ def contains_file_symbols(line):
+ parts = line.split()
+ if len(parts) < 8:
+ return False
+ return \
+ parts[2] == '0' and parts[3] == 'FILE' and parts[4] == 'LOCAL' and parts[5] == 'DEFAULT' and \
+ parts[6] == 'ABS' and re.match(r'((.*/)?[-_a-zA-Z0-9]+\.(c|cc|cpp|cxx))?', parts[7])
+
+ readelf_s_result = subprocess.run(["eu-readelf", '-s', file],
+ stdout=subprocess.PIPE, encoding='utf-8', check=True)
+ has_file_symbols = True
+ if not os.path.basename(file) in file_symbol_exclude_list:
+ has_file_symbols = any(line for line in readelf_s_result.stdout.split('\n') if contains_file_symbols(line))
+
+ # Test that there are no .gnu_debuglink sections pointing to another
+ # debuginfo file. There shouldn't be any debuginfo files, so the link makes
+ # no sense either.
+ has_gnu_debuglink = any(line for line in readelf_s_result.stdout.split('\n') if '] .gnu_debuglink' in line)
+
+ return ScanResult(file, has_debug_info, has_debug_abbrev, has_file_symbols, has_gnu_debuglink)
+
+def is_elf(file):
+ result = subprocess.run(['file', file], stdout=subprocess.PIPE, encoding='utf-8', check=True)
+ return re.search(r'ELF 64-bit [LM]SB (?:pie )?(?:executable|shared object)', result.stdout)
+
+def scan_file_if_sensible(file):
+ if is_elf(file):
+ return scan_file(file)
+ return None
+
+def scan_dir(dir):
+ results = []
+ for root, _, files in os.walk(dir):
+ for name in files:
+ result = scan_file_if_sensible(os.path.join(root, name))
+ if result:
+ results.append(result)
+ return results
+
+def scan(file):
+ file = os.path.abspath(file)
+ if os.path.isdir(file):
+ return scan_dir(file)
+ elif os.path.isfile(file):
+ return [scan_file_if_sensible(file)]
+
+def is_bad_result(result):
+ return not result.debug_info or not result.debug_abbrev or not result.file_symbols or result.gnu_debuglink
+
+def print_scan_results(results, verbose):
+ # print(results)
+ for result in results:
+ file_name = result.file_name
+ found_issue = False
+ if not result.debug_info:
+ found_issue = True
+ print('error: missing .debug_info section in', file_name)
+ if not result.debug_abbrev:
+ found_issue = True
+ print('error: missing .debug_abbrev section in', file_name)
+ if not result.file_symbols:
+ found_issue = True
+ print('error: missing FILE symbols in', file_name)
+ if result.gnu_debuglink:
+ found_issue = True
+ print('error: unexpected .gnu_debuglink section in', file_name)
+ if verbose and not found_issue:
+ print('OK: ', file_name)
+
+def main(args):
+ verbose = False
+ files = []
+ for arg in args:
+ if arg == '--verbose' or arg == '-v':
+ verbose = True
+ else:
+ files.append(arg)
+
+ results = []
+ for file in files:
+ results.extend(scan(file))
+
+ print_scan_results(results, verbose)
+
+ if any(is_bad_result(result) for result in results):
+ return 1
+ return 0
+
+
+if __name__ == '__main__':
+ sys.exit(main(sys.argv[1:]))
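Review bot: The `.gnu_debuglink` test in scan_file looks unable to fire, because it searches `readelf_s_result` (the `-s` symbol-table output) for the section-header text `'] .gnu_debuglink'`. By analogy with the `.debug_info` test above, it should read from `readelf_S_result.stdout` instead. The FILE-symbol filter is also weaker than it reads: the whole pattern in `re.match(r'((.*/)?[-_a-zA-Z0-9]+\.(c|cc|cpp|cxx))?', parts[7])` is optional, so it matches any name. If empty names are not meant to pass, drop the outer `(...)?` and use `re.fullmatch`; otherwise a comment should say the extension is not enforced. Separately, `scan()` returns `[None]` for a regular file that is not ELF and `None` for a path that is neither file nor directory, so `main` ends in a traceback from `results.extend(None)` or from attribute access on `None` rather than a clear verdict. Filtering with `if result is not None` and returning `[]` for unknown paths would keep the exit status meaningful.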
diff --git a/dotnet-9.0.109.tar.gz.sig b/dotnet-9.0.109.tar.gz.sig
new file mode 100644
index 0000000000000000000000000000000000000000..74f2f6c971491160637fb26bd65cccc8459a9160
--- /dev/null
+++ b/dotnet-9.0.109.tar.gz.sig
@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Version: BSN Pgp v1.0.0.0
+
+iQIcBAABCAAGBQJoiUE2AAoJEP2/U8JNtIcuIjkQAJvFD1WwftRIn/Ll5PUw6YD8
+edNoU2z7dfogRJ+N3Wy/yxUeYCmYUGY82/afVYqanW0Uao7GHeqBJhjTdIf6lmiS
+ny0DU6J0oBCYaJk/dxCCtjCPNz26AGo3oEIWTSlR1EOO/G3v6S6y8PI13YF13fxp
+G4QRRiD+3MCuzZ7O3/otNZ1NWZ7rb9Fpbg0FcwhQrFUbVTtAAEFx3CEqXV0JQaJq
+EnmzAGeiDa6by4QfdgYhkvuQko2lsBmZOa4Ung9r/DzhuIGA6wKlq+Nv70Y+rpkG
+4/f2diGq7N6uER6mxoBvgVKrVECDdLf/atM/pyebFG5ccTGdj3KZGAG1uO95WlAH
+SnCXsRfisERhmw8FXzrsJQ5awU3aMnqMalVF/zcVcqL/N+N56K7jQfOyzNStLa0C
+zVA9vx8KyPpJk0Ua643Cih4XR7kKKnZNZ+JfzPxkCF3fXqx8qIhB8GqAGxBwKBG9
+bQk81WAXKx7KjeyDJLOIKff7O1GEK883PqSPbTzWm6Ip4mbpgtbnFUW6lm0AjAiy
+/KaJ+z9NdkhXw46zTODcvdTa69RXQ54bGKPHnHezHUmYoLZ/h2AYIj37JSxG611N
+0NJDqxP6JQVIsy6t7BUosTFo8YTO4bBHjINDZlpdOaNz6G0Jqj+GYkLbXL5l5VCT
+SpD3zMussN+T0giRHHoW
+=bbNN
+-----END PGP SIGNATURE-----
diff --git a/dotnet.sh.in b/dotnet.sh.in
new file mode 100644
index 0000000000000000000000000000000000000000..65b92a014e0b395c500e3c3e31612c10577a3c7f
--- /dev/null
+++ b/dotnet.sh.in
@@ -0,0 +1,14 @@
+
+# Set location for AppHost lookup
+[ -z "$DOTNET_ROOT" ] && export DOTNET_ROOT=@LIBDIR@/dotnet
+
+# Add dotnet tools directory to PATH
+DOTNET_TOOLS_PATH="$HOME/.dotnet/tools"
+case "$PATH" in
+ *"$DOTNET_TOOLS_PATH"* ) true ;;
+ * ) PATH="$PATH:$DOTNET_TOOLS_PATH" ;;
+esac
+
+# Extract self-contained executables under HOME
+# to avoid multi-user issues from using the default '/var/tmp'.
+[ -z "$DOTNET_BUNDLE_EXTRACT_BASE_DIR" ] && export DOTNET_BUNDLE_EXTRACT_BASE_DIR="${XDG_CACHE_HOME:-"$HOME"/.cache}/dotnet_bundle_extract"
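Review bot: The PATH guard `*"$DOTNET_TOOLS_PATH"*` is a substring match, so any existing entry that merely contains `$HOME/.dotnet/tools` as part of a longer directory name suppresses the append. Matching whole entries avoids that: `case ":$PATH:" in` with the pattern `*":$DOTNET_TOOLS_PATH:"* ) true ;;`. The tools path and the fallback for `DOTNET_BUNDLE_EXTRACT_BASE_DIR` are both built from `$HOME` without checking that it is set, so with an empty `HOME` they resolve under `/`. That would undercut the multi-user separation the last comment describes; wrapping those assignments in `[ -n "$HOME" ]` would cover it.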
diff --git a/release-key-2023.asc b/release-key-2023.asc
new file mode 100644
index 0000000000000000000000000000000000000000..8f0ec5733dd7e9a4ce220372caf0aee142800b63
--- /dev/null
+++ b/release-key-2023.asc
@@ -0,0 +1,29 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: BSN Pgp v1.1.0.0
+
+mQINBGUKsUYBEADVCJm4EhXALr1ld42kWeh/vM0XMZ2orNT6NRLDRYjpE4mm4UqA
+vpjfGCwt5fLcrT4yZng8ABkB3QwTsZzmxesAMD5AZR/gdU1G96DuDGsjp6zJvTuX
+zvz3PXUYfcl9n5X32acA6N9J5Xfp10xqX3oitUODBdYy/vKW/v/y87ZxgaR6a3wp
+pPJBJIVKwFJx13v4BHRsGp1fepliQcXPvmNKFNI20le5+FbLq6C9hY5wcwGHGfQr
+EokH79GsmqgSImqxDOIh06J5VfWA+JwV+3vf95pD8IUrRfGQ+GK7b1/bySxtM5Qa
+b/IDgvl/Qq3AzEpGarMBaqGbqMz1C7jd8Y6nyKMP/V+OCjbEdYNM8GRz6kBP3Un+
+Frat5Lc2o4DF+zB3PKIJS3hku5gwlJu6IU1F23vmYFtjUcpRGmyQZDoWyBbOWlB5
+4SXqVu16amUsRFYmOK8BJMjdotcVbriVIv6WRmugfhIMoRJzVGxYkdbuiuMAX69V
+xDoGpxX5A8S5A79y0USUVtadQfFavMTyb/gUuUe8oDsqK9gdI3ETxLYG4gYwauVX
+fCGfoLOKsq5dPzEuEA7GCRrMau+rHKFaM7BigSdnHFW7xNZ4v0YnXAagoqM2G5o5
+9sak0l57vxxTVk2V3iZzkoU2J2Zlyxyh72n5vjRmb7aNwmQh4Eav6a8ssQARAQAB
+tBlvbm54Y29yZWRldkBtaWNyb3NvZnQuY29tiQI4BBMBCAAiBQJlCrFGAhsDBgsJ
+CAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRD9v1PCTbSHLtfzEADIKq15XDeQxLSo
+BG1aFa9n82K1YADVcu1LeddfhDmQWLnZNgyHtQlKN2n59282CXtgymzae3uc05s2
+feIJaqF4M4NnCX8Ct3K7Hq1jI7ZktlquPCCy9XHq9aQY8XTxmdtRevtclKgYTwDh
+w+D/KbE8vTZ6o7JoubA3MKf4k3S8qL/0rIyaC6h0EpiWoMy1TdNMMK7BT4kl6Vz4
+W6KmNgOux1Pzku5ULM4WuOzmwW+NAzpOLJowfDs1ZC2RM3+g9i1/DmwWtCHngvGD
++clA0I0agXxo05toOBTfwxd2gWYczuo/Ole16fYTzqT6n0DHqOjjcc9A7EmC72fQ
+J+hHAqM+4+CbEGuMpNnTMpCZs98bcK3Rqx/bDJYtbclZzm5O/V4nVbDrJZKzpgA1
+KuzNMLkr62P6/t15UsStgmrlTILmE5NG0CR1mj/46+mNbsMZCel3dcvnT1Zf4rTq
+QxMC7Dd/DECKQVC339G/BRfNyhOk2S1mZR/g1uS4bznL+tiwudDh/TAi5C3ZBDMh
+0muwD9caXS/QFIBWtb2ai3IcpU357R/ERPKLcWYtoYJ80RuKi6XYr1WxSPBmd5Qm
+wuncye+wR2dveo2jnIXZGUSgz50ZNgBxs/cYWAQ8J6KMgIBa+JY2qalzvIGbrC5x
+Sr+CkhS8vrktfnRgc8yBssJnvNfqXA==
+=pKgS
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/release.json b/release.json
new file mode 100644
index 0000000000000000000000000000000000000000..05a9b704456a9d774954a050a1c7788b99ce65a1
--- /dev/null
+++ b/release.json
@@ -0,0 +1,10 @@
+{
+ "release": "9.0.8",
+ "channel": "9.0",
+ "tag": "v9.0.109",
+ "sdkVersion": "9.0.109",
+ "runtimeVersion": "9.0.8",
+ "aspNetCoreVersion": "9.0.8",
+ "sourceRepository": "https://github.com/dotnet/dotnet",
+ "sourceVersion": "a1e39f97e51f1d381385d2dc6c94b368ea333784"
+}
diff --git a/roslyn-analyzers-ppc64le-apphost.patch b/roslyn-analyzers-ppc64le-apphost.patch
new file mode 100644
index 0000000000000000000000000000000000000000..4dd465c03aa97a7c91aa832b1f3ca9f081aa22c2
--- /dev/null
+++ b/roslyn-analyzers-ppc64le-apphost.patch
@@ -0,0 +1,12 @@
+diff --git a/src/roslyn-analyzers/src/PerformanceTests/Tests/PerformanceTests.csproj b/src/roslyn-analyzers/src/PerformanceTests/Tests/PerformanceTests.csproj
+index 044a2aba4..b3f8f2611 100644
+--- a/src/roslyn-analyzers/src/PerformanceTests/Tests/PerformanceTests.csproj
++++ b/src/roslyn-analyzers/src/PerformanceTests/Tests/PerformanceTests.csproj
+@@ -4,6 +4,7 @@
+ preview
+ disable
+ Exe
++ false
+
+
+ true
diff --git a/runtime-disable-fortify-on-ilasm-parser.patch b/runtime-disable-fortify-on-ilasm-parser.patch
new file mode 100644
index 0000000000000000000000000000000000000000..a12822243fee8ec658d17930d27f9b633d2a382a
--- /dev/null
+++ b/runtime-disable-fortify-on-ilasm-parser.patch
@@ -0,0 +1,12 @@
+diff --git dotnet/src/runtime/src/coreclr/ilasm/CMakeLists.txt dotnet/src/runtime/src/coreclr/ilasm/CMakeLists.txt
+index cca2c6da185..d31e6cb2070 100644
+--- dotnet/src/runtime/src/coreclr/ilasm/CMakeLists.txt
++++ dotnet/src/runtime/src/coreclr/ilasm/CMakeLists.txt
+@@ -52,6 +52,7 @@ if(CLR_CMAKE_HOST_UNIX)
+ add_compile_options(-Wno-array-bounds)
+ add_compile_options(-Wno-unused-label)
+ set_source_files_properties( prebuilt/asmparse.cpp PROPERTIES COMPILE_FLAGS "-O0" )
++ set_source_files_properties( prebuilt/asmparse.cpp PROPERTIES COMPILE_FLAGS "-Wp,-U_FORTIFY_SOURCE,-D_FORTIFY_SOURCE=0" )
+ endif(CLR_CMAKE_HOST_UNIX)
+
+ if(CLR_CMAKE_HOST_LINUX OR CLR_CMAKE_HOST_FREEBSD OR CLR_CMAKE_HOST_NETBSD OR CLR_CMAKE_HOST_SUNOS OR CLR_CMAKE_HOST_HAIKU)
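Review bot: The added `set_source_files_properties( prebuilt/asmparse.cpp PROPERTIES COMPILE_FLAGS ... )` sets the same property on the same file as the `-O0` line directly above it. A second set replaces the value rather than appending, so `-O0` would no longer reach asmparse.cpp. If both are wanted, fold them into one call, `set_source_files_properties( prebuilt/asmparse.cpp PROPERTIES COMPILE_FLAGS "-O0 -Wp,-U_FORTIFY_SOURCE,-D_FORTIFY_SOURCE=0" )`, and drop the original line. Because this turns off a hardening option for a parser source, a one-line comment giving the reason would help, for example `# _FORTIFY_SOURCE needs optimization; asmparse.cpp is built at -O0`, if that is the motivation (the patch does not say). The `if(CLR_CMAKE_HOST_UNIX)` block starts outside the hunk.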
diff --git a/runtime-openssl-sha1.patch b/runtime-openssl-sha1.patch
new file mode 100644
index 0000000000000000000000000000000000000000..6e307efbb2860d938ca92229cf34bea2caac2892
--- /dev/null
+++ b/runtime-openssl-sha1.patch
@@ -0,0 +1,34 @@
+From d7805229ffe6906cd0832c0482b963caf4b4fd82 Mon Sep 17 00:00:00 2001
+From: Tom Deseyn
+Date: Wed, 28 Feb 2024 14:08:15 +0100
+Subject: [PATCH] Allow certificate validation with SHA-1 signatures.
+
+RHEL OpenSSL builds disable SHA-1 signatures. This causes certificate
+validation to fail when using the X509_V_FLAG_CHECK_SS_SIGNATURE flag
+with a chain where the last certificate uses a SHA-1 signature.
+
+This removes X509_V_FLAG_CHECK_SS_SIGNATURE flag to have the default
+OpenSSL behavior for certificate validation.
+---
+ .../libs/System.Security.Cryptography.Native/pal_x509.c | 5 -----
+ 1 file changed, 5 deletions(-)
+
+diff --git a/src/runtime/src/native/libs/System.Security.Cryptography.Native/pal_x509.c b/src/runtime/src/native/libs/System.Security.Cryptography.Native/pal_x509.c
+index 04c6ba06cd..2cd3413dae 100644
+--- a/src/runtime/src/native/libs/System.Security.Cryptography.Native/pal_x509.c
++++ b/src/runtime/src/native/libs/System.Security.Cryptography.Native/pal_x509.c
+@@ -272,11 +272,6 @@ int32_t CryptoNative_X509StoreCtxInit(X509_STORE_CTX* ctx, X509_STORE* store, X5
+
+ int32_t val = X509_STORE_CTX_init(ctx, store, x509, extraStore);
+
+- if (val != 0)
+- {
+- X509_STORE_CTX_set_flags(ctx, X509_V_FLAG_CHECK_SS_SIGNATURE);
+- }
+-
+ return val;
+ }
+
+--
+2.43.2
+
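Review bot: Removing the `X509_STORE_CTX_set_flags(ctx, X509_V_FLAG_CHECK_SS_SIGNATURE)` call in CryptoNative_X509StoreCtxInit stops the self-signature check on the last certificate of the chain for every algorithm, not only SHA-1. The patched function is left with no record of that. The reasoning exists only in the patch header, so I would keep a comment at the call site, for example `/* Downstream: X509_V_FLAG_CHECK_SS_SIGNATURE deliberately not set; RHEL OpenSSL disables SHA-1 signatures. */`. It would also help to name the tests that cover chain validation with a self-signed root, since the patch touches none. The function's parameter list is cut off in the hunk header, and its body begins outside the hunk.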
diff --git a/runtime-re-enable-implicit-rejection.patch b/runtime-re-enable-implicit-rejection.patch
new file mode 100644
index 0000000000000000000000000000000000000000..a2e5614edac3694c35e52c222da1fd27005e73f4
--- /dev/null
+++ b/runtime-re-enable-implicit-rejection.patch
@@ -0,0 +1,142 @@
+From 5fdc289903bd3a77d455583650b00297da0cae8f Mon Sep 17 00:00:00 2001
+From: Omair Majid
+Date: Fri, 2 Feb 2024 15:51:23 -0500
+Subject: [PATCH] Revert "Disable implicit rejection for RSA PKCS#1 (#95216)"
+
+This reverts commit a5fc8ff9b03ffb2fdb81dad524ad1a20a0714995.
+
+To quote Clemens Lang:
+
+> [Disabling implcit rejection] re-enables a Bleichenbacher timing oracle
+> attack against PKCS#1v1.5 decryption. See
+> https://people.redhat.com/~hkario/marvin/ for details and
+> https://github.com/dotnet/runtime/pull/95157#issuecomment-1842784399 for a
+> comment by the researcher who published the vulnerability and proposed the
+> change in OpenSSL.
+
+For more details, see:
+https://github.com/dotnet/runtime/pull/95216#issuecomment-1842799314
+---
+ .../RSA/EncryptDecrypt.cs | 49 ++++---------------
+ .../opensslshim.h | 6 ---
+ .../pal_evp_pkey_rsa.c | 13 -----
+ 3 files changed, 10 insertions(+), 58 deletions(-)
+
+diff --git a/src/runtime/src/libraries/Common/tests/System/Security/Cryptography/AlgorithmImplementations/RSA/EncryptDecrypt.cs b/src/runtime/src/libraries/Common/tests/System/Security/Cryptography/AlgorithmImplementations/RSA/EncryptDecrypt.cs
+index 39f3ebc82ec..5b97f468a42 100644
+--- a/src/runtime/src/libraries/Common/tests/System/Security/Cryptography/AlgorithmImplementations/RSA/EncryptDecrypt.cs
++++ b/src/runtime/src/libraries/Common/tests/System/Security/Cryptography/AlgorithmImplementations/RSA/EncryptDecrypt.cs
+@@ -353,10 +353,19 @@ private void RsaCryptRoundtrip(RSAEncryptionPadding paddingMode, bool expectSucc
+ Assert.Equal(TestData.HelloBytes, output);
+ }
+
+- [ConditionalFact(nameof(PlatformSupportsEmptyRSAEncryption))]
++ [ConditionalFact]
+ [SkipOnTargetFramework(TargetFrameworkMonikers.NetFramework)]
+ public void RoundtripEmptyArray()
+ {
++ if (OperatingSystem.IsIOS() && !OperatingSystem.IsIOSVersionAtLeast(13, 6))
++ {
++ throw new SkipTestException("iOS prior to 13.6 does not reliably support RSA encryption of empty data.");
++ }
++ if (OperatingSystem.IsTvOS() && !OperatingSystem.IsTvOSVersionAtLeast(14, 0))
++ {
++ throw new SkipTestException("tvOS prior to 14.0 does not reliably support RSA encryption of empty data.");
++ }
++
+ using (RSA rsa = RSAFactory.Create(TestData.RSA2048Params))
+ {
+ void RoundtripEmpty(RSAEncryptionPadding paddingMode)
+@@ -757,23 +746,5 @@ public static IEnumerable