diff --git a/debian/changelog b/debian/changelog
index ee5f348..de4ae2c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+openssl (1.1.1k-1) UNRELEASED; urgency=medium
+
+  * New upstream version.
+    - CVE-2021-3450 (CA certificate check bypass with X509_V_FLAG_X509_STRICT).
+    - CVE-2021-3449 (NULL pointer deref in signature_algorithms processing).
+
+ -- Sebastian Andrzej Siewior <sebastian@breakpoint.cc>  Thu, 25 Mar 2021 21:36:26 +0100
+
 openssl (1.1.1j-1) unstable; urgency=medium
 
   * New upstream version.
diff --git a/debian/patches/c_rehash-compat.patch b/debian/patches/c_rehash-compat.patch
index 1ed5050..5606691 100644
--- a/debian/patches/c_rehash-compat.patch
+++ b/debian/patches/c_rehash-compat.patch
@@ -7,7 +7,7 @@
  1 file changed, 14 insertions(+), 6 deletions(-)
 
 diff --git a/tools/c_rehash.in b/tools/c_rehash.in
-index 421fd892086f..5ad1ab1d655f 100644
+index fa7c6c9fef91..a7e538a72d7d 100644
 --- a/tools/c_rehash.in
 +++ b/tools/c_rehash.in
 @@ -17,8 +17,6 @@ my $prefix = {- quotify1($config{prefix}) -};
@@ -46,7 +46,7 @@
  sub link_hash_cert {
  		my $fname = $_[0];
 +		my $x509hash = $_[1] || '-subject_hash';
- 		$fname =~ s/'/'\\''/g;
+ 		$fname =~ s/\"/\\\"/g;
  		my ($hash, $fprint) = `"$openssl" x509 $x509hash -fingerprint -noout -in "$fname"`;
  		chomp $hash;
 @@ -198,10 +196,20 @@ sub link_hash_cert {
diff --git a/debian/patches/man-section.patch b/debian/patches/man-section.patch
index 982e16a..002015b 100644
--- a/debian/patches/man-section.patch
+++ b/debian/patches/man-section.patch
@@ -8,7 +8,7 @@
  2 files changed, 6 insertions(+), 3 deletions(-)
 
 diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl
-index 3a24d551359b..d0c90cb2546c 100644
+index 41648c952667..e013d464bd73 100644
 --- a/Configurations/unix-Makefile.tmpl
 +++ b/Configurations/unix-Makefile.tmpl
 @@ -281,7 +281,8 @@ HTMLDIR=$(DOCDIR)/html