diff --git a/0065-CVE-2022-1292.patch b/0065-CVE-2022-1292.patch
new file mode 100644
index 0000000..5531fb3
--- /dev/null
+++ b/0065-CVE-2022-1292.patch
@@ -0,0 +1,58 @@
+diff --git a/tools/c_rehash.in b/tools/c_rehash.in
+index d51d8856d7..a630773a02 100644
+--- a/tools/c_rehash.in
++++ b/tools/c_rehash.in
+@@ -152,6 +152,23 @@ sub check_file {
+     return ($is_cert, $is_crl);
+ }
+ 
++sub compute_hash {
++    my $fh;
++    if ( $^O eq "VMS" ) {
++        # VMS uses the open through shell
++        # The file names are safe there and list form is unsupported
++        if (!open($fh, "-|", join(' ', @_))) {
++            print STDERR "Cannot compute hash on '$fname'\n";
++            return;
++        }
++    } else {
++        if (!open($fh, "-|", @_)) {
++            print STDERR "Cannot compute hash on '$fname'\n";
++            return;
++        }
++    }
++    return (<$fh>, <$fh>);
++}
+ 
+ # Link a certificate to its subject name hash value, each hash is of
+ # the form <hash>.<n> where n is an integer. If the hash value already exists
+@@ -161,10 +178,12 @@ sub check_file {
+ 
+ sub link_hash_cert {
+     my $fname = $_[0];
+-    $fname =~ s/\"/\\\"/g;
+-    my ($hash, $fprint) = `"$openssl" x509 $x509hash -fingerprint -noout -in "$fname"`;
++    my ($hash, $fprint) = compute_hash($openssl, "x509", $x509hash,
++                                       "-fingerprint", "-noout",
++                                       "-in", $fname);
+     chomp $hash;
+     chomp $fprint;
++    return if !$hash;
+     $fprint =~ s/^.*=//;
+     $fprint =~ tr/://d;
+     my $suffix = 0;
+@@ -202,10 +221,12 @@ sub link_hash_cert {
+ 
+ sub link_hash_crl {
+     my $fname = $_[0];
+-    $fname =~ s/'/'\\''/g;
+-    my ($hash, $fprint) = `"$openssl" crl $crlhash -fingerprint -noout -in '$fname'`;
++    my ($hash, $fprint) = compute_hash($openssl, "crl", $crlhash,
++                                       "-fingerprint", "-noout",
++                                       "-in", $fname);
+     chomp $hash;
+     chomp $fprint;
++    return if !$hash;
+     $fprint =~ s/^.*=//;
+     $fprint =~ tr/://d;
+     my $suffix = 0;
diff --git a/openssl.spec b/openssl.spec
index 40d0dc3..dfa064b 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -123,7 +123,8 @@ Patch62: 0062-Disable-EVP_PKEY_-sign-verify-in-FIPS-provider.patch
 Patch63: 0063-CVE-2022-1473.patch
 # upstream commits 55c80c222293a972587004c185dc5653ae207a0e 2eda98790c5c2741d76d23cc1e74b0dc4f4b391a
 Patch64: 0064-CVE-2022-1343.diff
-
+# upstream commit 1ad73b4d27bd8c1b369a3cd453681d3a4f1bb9b2
+Patch65: 0065-CVE-2022-1292.patch
 
 License: ASL 2.0
 URL: http://www.openssl.org/
@@ -460,6 +461,8 @@ install -m644 %{SOURCE9} \
 - CVE-2022-1343 openssl: Signer certificate verification returned
   inaccurate response when using OCSP_NOCHECKS
 - Resolves: rhbz#2087911
+- CVE-2022-1292 openssl: c_rehash script allows command injection
+- Resolves: rhbz#2090362
 
 * Thu May 19 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.1-32
 - `openssl ecparam -list_curves` lists only FIPS-approved curves in FIPS mode