diff --git a/CHANGES b/CHANGES
index 7d0129e687652969f7f934c3c4c099d267463dae..f0cfcdc50823d6d0953ed4fac5dae1cc5a8bb281 100644
--- a/CHANGES
+++ b/CHANGES
@@ -7,6 +7,126 @@
  https://github.com/openssl/openssl/commits/ and pick the appropriate
  release branch.
 
+Changes between 1.1.1s and 1.1.1t [xx XXX xxxx]
+
+  *) Fixed a type confusion vulnerability relating to X.400 address processing
+     inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING
+     but subsequently interpreted by GENERAL_NAME_cmp as an ASN1_TYPE. This
+     vulnerability may allow an attacker who can provide a certificate chain and
+     CRL (neither of which need have a valid signature) to pass arbitrary
+     pointers to a memcmp call, creating a possible read primitive, subject to
+     some constraints. Refer to the advisory for more information. Thanks to
+     David Benjamin for discovering this issue. (CVE-2023-0286)
+
+     This issue has been fixed by changing the public header file definition of
+     GENERAL_NAME so that x400Address reflects the implementation. It was not
+     possible for any existing application to successfully use the existing
+     definition; however, if any application references the x400Address field
+     (e.g. in dead code), note that the type of this field has changed. There is
+     no ABI change.
+
+     [Hugo Landau]
+
+ Changes between 1.1.1r and 1.1.1s [1 Nov 2022]
+
+  *) Fixed a regression introduced in 1.1.1r version not refreshing the
+     certificate data to be signed before signing the certificate.
+
+     [Gibeom Gwon]
+
+ Changes between 1.1.1q and 1.1.1r [11 Oct 2022]
+
+  *) Fixed the linux-mips64 Configure target which was missing the
+     SIXTY_FOUR_BIT bn_ops flag. This was causing heap corruption on that
+     platform.
+     [Adam Joseph]
+
+  *) Fixed a strict aliasing problem in bn_nist. Clang-14 optimisation was
+     causing incorrect results in some cases as a result.
+     [Paul Dale]
+
+  *) Fixed SSL_pending() and SSL_has_pending() with DTLS which were failing to
+     report correct results in some cases
+     [Matt Caswell]
+
+  *) Fixed a regression introduced in 1.1.1o for re-signing certificates with
+     different key sizes
+     [Todd Short]
+
+  *) Added the loongarch64 target
+     [Shi Pujin]
+
+  *) Fixed a DRBG seed propagation thread safety issue
+     [Bernd Edlinger]
+
+  *) Fixed a memory leak in tls13_generate_secret
+     [Bernd Edlinger]
+
+  *) Fixed reported performance degradation on aarch64. Restored the
+     implementation prior to commit 2621751 ("aes/asm/aesv8-armx.pl: avoid
+     32-bit lane assignment in CTR mode") for 64bit targets only, since it is
+     reportedly 2-17% slower and the silicon errata only affects 32bit targets.
+     The new algorithm is still used for 32 bit targets.
+     [Bernd Edlinger]
+
+  *) Added a missing header for memcmp that caused compilation failure on some
+     platforms
+     [Gregor Jasny]
+
+ Changes between 1.1.1p and 1.1.1q [5 Jul 2022]
+
+  *) AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised
+     implementation would not encrypt the entirety of the data under some
+     circumstances.  This could reveal sixteen bytes of data that was
+     preexisting in the memory that wasn't written.  In the special case of
+     "in place" encryption, sixteen bytes of the plaintext would be revealed.
+
+     Since OpenSSL does not support OCB based cipher suites for TLS and DTLS,
+     they are both unaffected.
+     (CVE-2022-2097)
+     [Alex Chernyakhovsky, David Benjamin, Alejandro Sedeño]
+
+ Changes between 1.1.1o and 1.1.1p [21 Jun 2022]
+
+  *) In addition to the c_rehash shell command injection identified in
+     CVE-2022-1292, further bugs where the c_rehash script does not
+     properly sanitise shell metacharacters to prevent command injection have been
+     fixed.
+
+     When the CVE-2022-1292 was fixed it was not discovered that there
+     are other places in the script where the file names of certificates
+     being hashed were possibly passed to a command executed through the shell.
+
+     This script is distributed by some operating systems in a manner where
+     it is automatically executed.  On such operating systems, an attacker
+     could execute arbitrary commands with the privileges of the script.
+
+     Use of the c_rehash script is considered obsolete and should be replaced
+     by the OpenSSL rehash command line tool.
+     (CVE-2022-2068)
+     [Daniel Fiala, Tomáš Mráz]
+
+  *) When OpenSSL TLS client is connecting without any supported elliptic
+     curves and TLS-1.3 protocol is disabled the connection will no longer fail
+     if a ciphersuite that does not use a key exchange based on elliptic
+     curves can be negotiated.
+     [Tomáš Mráz]
+
+ Changes between 1.1.1n and 1.1.1o [3 May 2022]
+
+  *) Fixed a bug in the c_rehash script which was not properly sanitising shell
+     metacharacters to prevent command injection.  This script is distributed
+     by some operating systems in a manner where it is automatically executed.
+     On such operating systems, an attacker could execute arbitrary commands
+     with the privileges of the script.
+
+     Use of the c_rehash script is considered obsolete and should be replaced
+     by the OpenSSL rehash command line tool.
+     (CVE-2022-1292)
+     [Tomáš Mráz]
+
+
+
  Changes between 1.1.1j and 1.1.1k [25 Mar 2021]
 
   *) Fixed a problem with verifying a certificate chain when using the
diff --git a/crypto/asn1/bio_ndef.c b/crypto/asn1/bio_ndef.c
index d7d7d80eea912aabb74aa5f2b95443b138a3ea53..92a7c8436e97394db00c965a718fcd6d846a6296 100644
--- a/crypto/asn1/bio_ndef.c
+++ b/crypto/asn1/bio_ndef.c
@@ -49,12 +49,19 @@ static int ndef_suffix(BIO *b, unsigned char **pbuf, int *plen, void *parg);
 static int ndef_suffix_free(BIO *b, unsigned char **pbuf, int *plen,
                             void *parg);
 
+/*
+ * On success, the returned BIO owns the input BIO as part of its BIO chain.
+ * On failure, NULL is returned and the input BIO is owned by the caller.
+ *
+ * Unfortunately cannot constify this due to CMS_stream() and PKCS7_stream()
+ */
 BIO *BIO_new_NDEF(BIO *out, ASN1_VALUE *val, const ASN1_ITEM *it)
 {
     NDEF_SUPPORT *ndef_aux = NULL;
     BIO *asn_bio = NULL;
     const ASN1_AUX *aux = it->funcs;
     ASN1_STREAM_ARG sarg;
+    BIO *pop_bio = NULL;
 
     if (!aux || !aux->asn1_cb) {
         ASN1err(ASN1_F_BIO_NEW_NDEF, ASN1_R_STREAMING_NOT_SUPPORTED);
@@ -69,21 +76,39 @@ BIO *BIO_new_NDEF(BIO *out, ASN1_VALUE *val, const ASN1_ITEM *it)
     out = BIO_push(asn_bio, out);
     if (out == NULL)
         goto err;
+    pop_bio = asn_bio;
 
-    BIO_asn1_set_prefix(asn_bio, ndef_prefix, ndef_prefix_free);
-    BIO_asn1_set_suffix(asn_bio, ndef_suffix, ndef_suffix_free);
+    if (BIO_asn1_set_prefix(asn_bio, ndef_prefix, ndef_prefix_free) <= 0
+            || BIO_asn1_set_suffix(asn_bio, ndef_suffix, ndef_suffix_free) <= 0
+            || BIO_ctrl(asn_bio, BIO_C_SET_EX_ARG, 0, ndef_aux) <= 0)
+        goto err;
 
     /*
-     * Now let callback prepends any digest, cipher etc BIOs ASN1 structure
-     * needs.
+     * Now let the callback prepend any digest, cipher, etc., that the BIO's
+     * ASN1 structure needs.
      */
 
     sarg.out = out;
     sarg.ndef_bio = NULL;
     sarg.boundary = NULL;
 
-    if (aux->asn1_cb(ASN1_OP_STREAM_PRE, &val, it, &sarg) <= 0)
+    /*
+     * The asn1_cb(), must not have mutated asn_bio on error, leaving it in the
+     * middle of some partially built, but not returned BIO chain.
+     */
+    if (aux->asn1_cb(ASN1_OP_STREAM_PRE, &val, it, &sarg) <= 0) {
+        /*
+         * ndef_aux is now owned by asn_bio so we must not free it in the err
+         * clean up block
+         */
+        ndef_aux = NULL;
         goto err;
+    }
+
+    /*
+     * We must not fail now because the callback has prepended additional
+     * BIOs to the chain
+     */
 
     ndef_aux->val = val;
     ndef_aux->it = it;
@@ -91,11 +116,11 @@ BIO *BIO_new_NDEF(BIO *out, ASN1_VALUE *val, const ASN1_ITEM *it)
     ndef_aux->boundary = sarg.boundary;
     ndef_aux->out = out;
 
-    BIO_ctrl(asn_bio, BIO_C_SET_EX_ARG, 0, ndef_aux);
-
     return sarg.ndef_bio;
 
  err:
+    /* BIO_pop() is NULL safe */
+    (void)BIO_pop(pop_bio);
     BIO_free(asn_bio);
     OPENSSL_free(ndef_aux);
     return NULL;
diff --git a/crypto/x509v3/v3_genn.c b/crypto/x509v3/v3_genn.c
index 87a5eff47cd99a61d7a5e00ad1c5a1c35626dba5..e54ddc55c957aa3ca9fce64d3eafaf4dc931b84e 100644
--- a/crypto/x509v3/v3_genn.c
+++ b/crypto/x509v3/v3_genn.c
@@ -98,7 +98,7 @@ int GENERAL_NAME_cmp(GENERAL_NAME *a, GENERAL_NAME *b)
         return -1;
     switch (a->type) {
     case GEN_X400:
-        result = ASN1_TYPE_cmp(a->d.x400Address, b->d.x400Address);
+        result = ASN1_STRING_cmp(a->d.x400Address, b->d.x400Address);
         break;
 
     case GEN_EDIPARTY:
diff --git a/include/openssl/x509v3.h b/include/openssl/x509v3.h
index 90fa3592ce58f7bdf6e1757519a6ec223f380e76..e61c0f29d4b4de249e04eda183699bf37e946eb3 100644
--- a/include/openssl/x509v3.h
+++ b/include/openssl/x509v3.h
@@ -136,7 +136,7 @@ typedef struct GENERAL_NAME_st {
         OTHERNAME *otherName;   /* otherName */
         ASN1_IA5STRING *rfc822Name;
         ASN1_IA5STRING *dNSName;
-        ASN1_TYPE *x400Address;
+        ASN1_STRING *x400Address;
         X509_NAME *directoryName;
         EDIPARTYNAME *ediPartyName;
         ASN1_IA5STRING *uniformResourceIdentifier;
diff --git a/test/v3nametest.c b/test/v3nametest.c
index d1852190b84eb948de8b5665762021b23b2c7766..37819da8fd78361785f01421fb44066208a532cb 100644
--- a/test/v3nametest.c
+++ b/test/v3nametest.c
@@ -646,6 +646,14 @@ static struct gennamedata {
             0xb7, 0x09, 0x02, 0x02
         },
         15
+    }, {
+        /*
+         * Regression test for CVE-2023-0286.
+         */
+        {
+            0xa3, 0x00
+        },
+        2
     }
 };