diff --git a/backport-CVE-2023-0464.patch b/backport-CVE-2023-0464.patch
new file mode 100644
index 0000000000000000000000000000000000000000..7a34e15faa2f41731b4b5e40acf1c658aa179211
--- /dev/null
+++ b/backport-CVE-2023-0464.patch
@@ -0,0 +1,216 @@
+From ed19b0008b5802505a6ccb05e5bac05baf90c418 Mon Sep 17 00:00:00 2001
+rom: Pauli <pauli@openssl.org>
+Date: Wed, 8 Mar 2023 15:28:20 +1100
+Subject: [PATCH] x509: excessive resource use verifying policy
+constraints
+
+A security vulnerability has been identified in all supported versions
+of OpenSSL related to the verification of X.509 certificate chains
+that include policy constraints.  Attackers may be able to exploit this
+vulnerability by creating a malicious certificate chain that triggers
+exponential use of computational resources, leading to a
+denial-of-service
+(DoS) attack on affected systems.
+
+Fixes CVE-2023-0464
+
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
+(Merged from https://github.com/openssl/openssl/pull/20569)
+
+---
+ Cryptlib/OpenSSL/crypto/x509v3/pcy_int.h  |  8 +++++-
+ Cryptlib/OpenSSL/crypto/x509v3/pcy_node.c | 11 +++++++--
+ Cryptlib/OpenSSL/crypto/x509v3/pcy_tree.c | 30 ++++++++++++++---------
+ 3 files changed, 35 insertions(+), 14 deletions(-)
+
+diff --git a/Cryptlib/OpenSSL/crypto/x509v3/pcy_int.h b/Cryptlib/OpenSSL/crypto/x509v3/pcy_int.h
+index b5075f9..0ed2349 100644
+--- a/Cryptlib/OpenSSL/crypto/x509v3/pcy_int.h
++++ b/Cryptlib/OpenSSL/crypto/x509v3/pcy_int.h
+@@ -161,6 +161,11 @@ struct X509_POLICY_LEVEL_st {
+ };
+ 
+ struct X509_POLICY_TREE_st {
++    /* The number of nodes in the tree */
++    size_t node_count;
++    /* The maximum number of nodes in the tree */
++    size_t node_maximum;
++
+     /* This is the tree 'level' data */
+     X509_POLICY_LEVEL *levels;
+     int nlevel;
+@@ -209,7 +214,8 @@ X509_POLICY_NODE *tree_find_sk(STACK_OF(X509_POLICY_NODE) *sk,
+ X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level,
+                                  const X509_POLICY_DATA *data,
+                                  X509_POLICY_NODE *parent,
+-                                 X509_POLICY_TREE *tree);
++                                 X509_POLICY_TREE *tree,
++                                 int extra_data);
+ void policy_node_free(X509_POLICY_NODE *node);
+ int policy_node_match(const X509_POLICY_LEVEL *lvl,
+                       const X509_POLICY_NODE *node, const ASN1_OBJECT *oid);
+diff --git a/Cryptlib/OpenSSL/crypto/x509v3/pcy_node.c b/Cryptlib/OpenSSL/crypto/x509v3/pcy_node.c
+index d6c9176..75b3791 100644
+--- a/Cryptlib/OpenSSL/crypto/x509v3/pcy_node.c
++++ b/Cryptlib/OpenSSL/crypto/x509v3/pcy_node.c
+@@ -111,9 +111,15 @@ X509_POLICY_NODE *level_find_node(const X509_POLICY_LEVEL *level,
+ X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level,
+                                  const X509_POLICY_DATA *data,
+                                  X509_POLICY_NODE *parent,
+-                                 X509_POLICY_TREE *tree)
++                                 X509_POLICY_TREE *tree,
++                                 int extra_data)
+ {
+     X509_POLICY_NODE *node;
++
++    /* Verify that the tree isn't too large. this mitigates CVE-2023-0464 */
++    if (tree->node_maximum > 0 && tree->node_count >= tree->node_maximum)
++        return NULL;
++
+     node = OPENSSL_malloc(sizeof(X509_POLICY_NODE));
+     if (!node)
+         return NULL;
+@@ -136,7 +142,7 @@ X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level,
+         }
+     }
+ 
+-    if (tree) {
++    if (extra_data) {
+         if (!tree->extra_data)
+             tree->extra_data = sk_X509_POLICY_DATA_new_null();
+         if (!tree->extra_data)
+@@ -145,6 +151,7 @@ X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level,
+             goto node_error;
+     }
+ 
++    tree->node_count++;
+     if (parent)
+         parent->nchild++;
+ 
+diff --git a/Cryptlib/OpenSSL/crypto/x509v3/pcy_tree.c b/Cryptlib/OpenSSL/crypto/x509v3/pcy_tree.c
+index 09b8691..fb9a616 100644
+--- a/Cryptlib/OpenSSL/crypto/x509v3/pcy_tree.c
++++ b/Cryptlib/OpenSSL/crypto/x509v3/pcy_tree.c
+@@ -63,6 +63,10 @@
+ 
+ #include "pcy_int.h"
+ 
++#ifndef OPENSSL_POLICY_TREE_NODES_MAX
++# define OPENSSL_POLICY_TREE_NODES_MAX 1000
++#endif
++
+ /*
+  * Enable this to print out the complete policy tree at various point during
+  * evaluation.
+@@ -225,6 +229,8 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
+     if (!tree)
+         return 0;
+ 
++    /* Limit the groeth of the tree to mitigate CVE-2023-0464 */
++    tree->node_maximum = OPENSSL_POLICY_TREE_NODES_MAX;
+     tree->flags = 0;
+     tree->levels = OPENSSL_malloc(sizeof(X509_POLICY_LEVEL) * n);
+     tree->nlevel = 0;
+@@ -247,7 +253,7 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
+ 
+     data = policy_data_new(NULL, OBJ_nid2obj(NID_any_policy), 0);
+ 
+-    if (!data || !level_add_node(level, data, NULL, tree))
++    if (!data || !level_add_node(level, data, NULL, tree, 1))
+         goto bad_tree;
+ 
+     for (i = n - 2; i >= 0; i--) {
+@@ -304,7 +310,8 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
+ }
+ 
+ static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr,
+-                                    const X509_POLICY_DATA *data)
++                                    const X509_POLICY_DATA *data,
++                                    X509_POLICY_TREE *tree)
+ {
+     X509_POLICY_LEVEL *last = curr - 1;
+     X509_POLICY_NODE *node;
+@@ -313,13 +320,13 @@ static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr,
+     for (i = 0; i < sk_X509_POLICY_NODE_num(last->nodes); i++) {
+         node = sk_X509_POLICY_NODE_value(last->nodes, i);
+         if (policy_node_match(last, node, data->valid_policy)) {
+-            if (!level_add_node(curr, data, node, NULL))
++            if (!level_add_node(curr, data, node, tree, 0))
+                 return 0;
+             matched = 1;
+         }
+     }
+     if (!matched && last->anyPolicy) {
+-        if (!level_add_node(curr, data, last->anyPolicy, NULL))
++        if (!level_add_node(curr, data, last->anyPolicy, tree, 0))
+             return 0;
+     }
+     return 1;
+@@ -331,7 +338,8 @@ static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr,
+  */
+ 
+ static int tree_link_nodes(X509_POLICY_LEVEL *curr,
+-                           const X509_POLICY_CACHE *cache)
++                           const X509_POLICY_CACHE *cache,
++                           X509_POLICY_TREE *tree)
+ {
+     int i;
+     X509_POLICY_DATA *data;
+@@ -352,7 +360,7 @@ static int tree_link_nodes(X509_POLICY_LEVEL *curr,
+             continue;
+ #endif
+         /* Look for matching nodes in previous level */
+-        if (!tree_link_matching_nodes(curr, data))
++        if (!tree_link_matching_nodes(curr, data, tree))
+             return 0;
+     }
+     return 1;
+@@ -382,7 +390,7 @@ static int tree_add_unmatched(X509_POLICY_LEVEL *curr,
+     /* Curr may not have anyPolicy */
+     data->qualifier_set = cache->anyPolicy->qualifier_set;
+     data->flags |= POLICY_DATA_FLAG_SHARED_QUALIFIERS;
+-    if (!level_add_node(curr, data, node, tree)) {
++    if (!level_add_node(curr, data, node, tree, 1)) {
+         policy_data_free(data);
+         return 0;
+     }
+@@ -464,7 +472,7 @@ static int tree_link_any(X509_POLICY_LEVEL *curr,
+         /* Curr may not have anyPolicy */
+         data->qualifier_set = cache->anyPolicy->qualifier_set;
+         data->flags |= POLICY_DATA_FLAG_SHARED_QUALIFIERS;
+-        if (!level_add_node(curr, data, node, tree)) {
++        if (!level_add_node(curr, data, node, tree, 1)) {
+             policy_data_free(data);
+             return 0;
+         }
+@@ -473,7 +481,7 @@ static int tree_link_any(X509_POLICY_LEVEL *curr,
+     }
+     /* Finally add link to anyPolicy */
+     if (last->anyPolicy) {
+-        if (!level_add_node(curr, cache->anyPolicy, last->anyPolicy, NULL))
++        if (!level_add_node(curr, cache->anyPolicy, last->anyPolicy, tree, 0))
+             return 0;
+     }
+     return 1;
+@@ -646,7 +654,7 @@ static int tree_calculate_user_set(X509_POLICY_TREE *tree,
+             extra->qualifier_set = anyPolicy->data->qualifier_set;
+             extra->flags = POLICY_DATA_FLAG_SHARED_QUALIFIERS
+                 | POLICY_DATA_FLAG_EXTRA_NODE;
+-            node = level_add_node(NULL, extra, anyPolicy->parent, tree);
++            node = level_add_node(NULL, extra, anyPolicy->parent, tree, 1);
+         }
+         if (!tree->user_policies) {
+             tree->user_policies = sk_X509_POLICY_NODE_new_null();
+@@ -668,7 +676,7 @@ static int tree_evaluate(X509_POLICY_TREE *tree)
+ 
+     for (i = 1; i < tree->nlevel; i++, curr++) {
+         cache = policy_cache_set(curr->cert);
+-        if (!tree_link_nodes(curr, cache))
++        if (!tree_link_nodes(curr, cache, tree))
+             return 0;
+ 
+         if (!(curr->flags & X509_V_FLAG_INHIBIT_ANY)
+-- 
+2.27.0
+
diff --git a/backport-CVE-2023-3817.patch b/backport-CVE-2023-3817.patch
new file mode 100644
index 0000000000000000000000000000000000000000..77610fed3eadf9797654b1e718d202697eab3f1f
--- /dev/null
+++ b/backport-CVE-2023-3817.patch
@@ -0,0 +1,58 @@
+From 91ddeba0f2269b017dc06c46c993a788974b1aa5 Mon Sep 17 00:00:00 2001
+From: Tomas Mraz <tomas@openssl.org>
+Date: Fri, 21 Jul 2023 11:39:41 +0200
+Subject: [PATCH 1/2] DH_check(): Do not try checking q properties if it is
+ obviously invalid
+
+If  |q| >= |p| then the q value is obviously wrong as q
+is supposed to be a prime divisor of p-1.
+
+We check if p is overly large so this added test implies that
+q is not large either when performing subsequent tests using that
+q value.
+
+Otherwise if it is too large these additional checks of the q value
+such as the primality test can then trigger DoS by doing overly long
+computations.
+
+Fixes CVE-2023-3817
+
+Reviewed-by: Paul Dale <pauli@openssl.org>
+Reviewed-by: Matt Caswell <matt@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/21551)
+---
+ crypto/dh/dh_check.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/crypto/dh/dh_check.c b/crypto/dh/dh_check.c
+index 2001d2e7cb..9ae96991eb 100644
+--- a/Cryptlib/OpenSSL/crypto/dh/dh_check.c
++++ b/Cryptlib/OpenSSL/crypto/dh/dh_check.c
+@@ -97,7 +97,7 @@ int DH_check_ex(const DH *dh)
+ 
+ int DH_check(const DH *dh, int *ret)
+ {
+-    int ok = 0;
++    int ok = 0, q_good = 0;
+     BN_CTX *ctx = NULL;
+     BN_ULONG l;
+     BIGNUM *t1 = NULL, *t2 = NULL;
+@@ -120,7 +120,14 @@ int DH_check(const DH *dh, int *ret)
+     if (t2 == NULL)
+         goto err;
+ 
+-    if (dh->q) {
++    if (dh->q != NULL) {
++        if (BN_ucmp(dh->p, dh->q) > 0)
++            q_good = 1;
++        else
++            *ret |= DH_CHECK_INVALID_Q_VALUE;
++    }
++
++    if (q_good) {
+         if (BN_cmp(dh->g, BN_value_one()) <= 0)
+             *ret |= DH_NOT_SUITABLE_GENERATOR;
+         else if (BN_cmp(dh->g, dh->p) >= 0)
+-- 
+2.33.0
+
diff --git a/shim.spec b/shim.spec
index 36703a39e84b38be67ed0f85643059969ce5192a..ccb65abfae6aa3918aaeb03483bc89ddacfb575c 100644
--- a/shim.spec
+++ b/shim.spec
@@ -25,7 +25,7 @@
 
 Name:	   	   shim
 Version:	   15.6
-Release:	   11
+Release:	   12
 Summary:	   First-stage UEFI bootloader
 ExclusiveArch:     x86_64 aarch64
 License:	   BSD
@@ -54,6 +54,8 @@ Patch17:backport-CVE-2018-0737.patch
 Patch18:backport-make-update-EVP_F_EVP_DECRYPTUPDATE.patch
 Patch19:backport-make-update-EVP_F_EVP_DECRYPTDECRYPTUPDATE.patch
 Patch20:backport-CVE-2021-23840.patch
+Patch21:backport-CVE-2023-0464.patch
+Patch22:backport-CVE-2023-3817.patch
 
 # Feature for shim SMx support
 Patch9000:Feature-shim-openssl-add-ec-support.patch
@@ -175,6 +177,9 @@ make test
 /usr/src/debug/%{name}-%{version}-%{release}/*
 
 %changelog
+* Sat Oct 28 2023 luhuaxin <luhuaxin1@huawei.com> - 15.6-12
+- fix CVE-2023-0464 CVE-2023-3817
+
 * Thu Jul 13 2023 jinlun <jinlun@huawei.com> - 15.6-11
 - fix CVE-2018-0737 , CVE-2021-23840