diff -Nru openssl-1.0.1f/debian/changelog openssl-1.0.1f/debian/changelog
--- openssl-1.0.1f/debian/changelog	2017-01-30 18:03:16.000000000 +0000
+++ openssl-1.0.1f/debian/changelog	2017-11-02 15:30:59.000000000 +0000
@@ -1,3 +1,12 @@
+openssl (1.0.1f-1ubuntu2.23) trusty-security; urgency=medium
+
+  * SECURITY UPDATE: Malformed X.509 IPAddressFamily could cause OOB read
+    - debian/patches/CVE-2017-3735.patch: avoid out-of-bounds read in
+      crypto/x509v3/v3_addr.c.
+    - CVE-2017-3735
+
+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Thu, 02 Nov 2017 11:30:53 -0400
+
 openssl (1.0.1f-1ubuntu2.22) trusty-security; urgency=medium
 
   * SECURITY UPDATE: Pointer arithmetic undefined behaviour
diff -Nru openssl-1.0.1f/debian/patches/CVE-2017-3735.patch openssl-1.0.1f/debian/patches/CVE-2017-3735.patch
--- openssl-1.0.1f/debian/patches/CVE-2017-3735.patch	1970-01-01 00:00:00.000000000 +0000
+++ openssl-1.0.1f/debian/patches/CVE-2017-3735.patch	2017-11-02 15:30:48.000000000 +0000
@@ -0,0 +1,40 @@
+Backport of:
+
+From 31c8b265591a0aaa462a1f3eb5770661aaac67db Mon Sep 17 00:00:00 2001
+From: Rich Salz <rsalz@openssl.org>
+Date: Tue, 22 Aug 2017 11:44:41 -0400
+Subject: [PATCH] Avoid out-of-bounds read
+
+Fixes CVE 2017-3735
+
+Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
+(Merged from https://github.com/openssl/openssl/pull/4276)
+
+(cherry picked from commit b23171744b01e473ebbfd6edad70c1c3825ffbcd)
+---
+ crypto/x509v3/v3_addr.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+Index: openssl-1.0.1f/crypto/x509v3/v3_addr.c
+===================================================================
+--- openssl-1.0.1f.orig/crypto/x509v3/v3_addr.c	2017-11-02 11:29:28.076744546 -0400
++++ openssl-1.0.1f/crypto/x509v3/v3_addr.c	2017-11-02 11:30:25.201444247 -0400
+@@ -130,12 +130,12 @@ static int length_from_afi(const unsigne
+  */
+ unsigned int v3_addr_get_afi(const IPAddressFamily *f)
+ {
+-  return ((f != NULL &&
+-	   f->addressFamily != NULL &&
+-	   f->addressFamily->data != NULL)
+-	  ? ((f->addressFamily->data[0] << 8) |
+-	     (f->addressFamily->data[1]))
+-	  : 0);
++    if (f == NULL
++            || f->addressFamily == NULL
++            || f->addressFamily->data == NULL
++            || f->addressFamily->length < 2)
++        return 0;
++    return (f->addressFamily->data[0] << 8) | f->addressFamily->data[1];
+ }
+ 
+ /*
diff -Nru openssl-1.0.1f/debian/patches/series openssl-1.0.1f/debian/patches/series
--- openssl-1.0.1f/debian/patches/series	2017-01-30 18:00:12.000000000 +0000
+++ openssl-1.0.1f/debian/patches/series	2017-11-02 15:29:24.000000000 +0000
@@ -137,3 +137,4 @@
 CVE-2016-8610-2.patch
 CVE-2017-3731-pre.patch
 CVE-2017-3731.patch
+CVE-2017-3735.patch