diff --git a/openssl.yaml b/openssl.yaml
index 213361b7d4f..8b0f1826c65 100644
--- a/openssl.yaml
+++ b/openssl.yaml
@@ -1,7 +1,7 @@
 package:
   name: openssl
   version: 3.1.0
-  epoch: 5
+  epoch: 6
   description: "the OpenSSL cryptography suite"
   copyright:
     - license: Apache-2.0
@@ -65,15 +65,7 @@ pipeline:
   - uses: patch
     with:
-      patches: CVE-2023-0464.patch
-
-  - uses: patch
-    with:
-      patches: CVE-2023-0465.patch
-
-  - uses: patch
-    with:
-      patches: CVE-2023-1255.patch
+      series: base-series
   - name: Configure and build
     runs: |
diff --git a/openssl/3410cc-asn1-bitstring-overflow.patch b/openssl/3410cc-asn1-bitstring-overflow.patch
new file mode 100644
index 00000000000..84bcc4dcfe7
--- /dev/null
+++ b/openssl/3410cc-asn1-bitstring-overflow.patch
@@ -0,0 +1,43 @@
+From 3410cc0c8bbcf9216b42d47d7a61e379dd6fda89 Mon Sep 17 00:00:00 2001
+From: mlitre
+Date: Mon, 1 May 2023 11:07:21 +0200
+Subject: [PATCH] Add negative integer check when using ASN1_BIT_STRING
+
+The negative integer check is done to prevent potential overflow.
+Fixes #20719.
+
+CLA: trivial
+
+Reviewed-by: Tomas Mraz
+Reviewed-by: Paul Dale
+(Merged from https://github.com/openssl/openssl/pull/20862)
+
+(cherry picked from commit 1258a8e4361320cd3cfaf9ede692492ce01034c8)
+---
+ crypto/asn1/a_bitstr.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/crypto/asn1/a_bitstr.c b/crypto/asn1/a_bitstr.c
+index 7c256493571e..462aa10aa10f 100644
+--- a/crypto/asn1/a_bitstr.c
++++ b/crypto/asn1/a_bitstr.c
+@@ -148,6 +148,9 @@ int ASN1_BIT_STRING_set_bit(ASN1_BIT_STRING *a, int n, int value)
+     int w, v, iv;
+     unsigned char *c;
++    if (n < 0)
++        return 0;
++
+     w = n / 8;
+     v = 1 << (7 - (n & 0x07));
+     iv = ~v;
+@@ -182,6 +185,9 @@ int ASN1_BIT_STRING_get_bit(const ASN1_BIT_STRING *a, int n)
+ {
+     int w, v;
++    if (n < 0)
++        return 0;
++
+     w = n / 8;
+     v = 1 << (7 - (n & 0x07));
+     if ((a == NULL) || (a->length < (w + 1)) || (a->data == NULL))
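Review bot: With the three `patches:` steps collapsed into `series: base-series`, openssl.yaml no longer names which fixes it applies, so anyone (or any tooling) reading the build file for CVE-2023-0464/0465/1255 will find them only in openssl/base-series. A one-line comment on the step keeps that discoverable: `# full patch list (CVE-2023-0464/0465/1255 and the ASN.1 bit-string negative-index fix) lives in openssl/base-series`. The value is a bare `base-series` while the file is added under `openssl/`; presumably the patch pipeline resolves it against the package source directory the way the former `patches:` values were, but that is worth confirming because a wrong path only surfaces at build time. The `pipeline:` list this step belongs to starts and continues outside the hunk.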
diff --git a/openssl/base-series b/openssl/base-series
new file mode 100644
index 00000000000..7950c8ade0b
--- /dev/null
+++ b/openssl/base-series
@@ -0,0 +1,8 @@
+# CHECK-WHEN-VERSION-CHANGES: 3.1.0
+# CVE fixes (< 3.1.1)
+CVE-2023-0464.patch
+CVE-2023-0465.patch
+CVE-2023-1255.patch
+
+# Other security fixes (< 3.1.1)
+3410cc-asn1-bitstring-overflow.patch
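Review bot: The `3410cc-asn1-bitstring-overflow.patch` entry sits under "Other security fixes" with no hint of what it fixes, so the next version bump has to open the patch to decide whether it can be dropped, and the `CHECK-WHEN-VERSION-CHANGES: 3.1.0` line is only a convention with nothing in the build tying it to `version:` in openssl.yaml. A per-entry comment makes the rebase decision local to this file: `# 3410cc: negative-index check in ASN1_BIT_STRING_set_bit/get_bit (upstream #20719, PR 20862)`. A stale entry should fail loudly when the patch no longer applies to a newer tarball, which is the right failure mode, but saying so next to the marker would save the next maintainer from wondering whether it is enforced.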