diff --git a/.gitignore b/.gitignore
index c044edf..999c732 100644
--- a/.gitignore
+++ b/.gitignore
@@ -24,3 +24,4 @@ openssl-1.0.0a-usa.tar.bz2
 /openssl-1.0.1k-hobbled.tar.xz
 /openssl-1.0.2a-hobbled.tar.xz
 /openssl-1.0.2c-hobbled.tar.xz
+/openssl-1.0.2d-hobbled.tar.xz
diff --git a/openssl-1.0.2a-manfix.patch b/openssl-1.0.2a-manfix.patch
deleted file mode 100644
index 91071b0..0000000
--- a/openssl-1.0.2a-manfix.patch
+++ /dev/null
@@ -1,93 +0,0 @@ -diff -up openssl-1.0.2a/doc/apps/ec.pod.manfix openssl-1.0.2a/doc/apps/ec.pod ---- openssl-1.0.2a/doc/apps/ec.pod.manfix 2015-01-20 13:33:36.000000000 +0100 -+++ openssl-1.0.2a/doc/apps/ec.pod 2015-04-21 17:39:20.084574580 +0200 -@@ -93,10 +93,6 @@ prints out the public, private key compo - - this option prevents output of the encoded version of the key. - --=item B<-modulus> -- --this option prints out the value of the public key component of the key. -- - =item B<-pubin> - - by default a private key is read from the input file: with this option a -diff -up openssl-1.0.2a/doc/apps/openssl.pod.manfix openssl-1.0.2a/doc/apps/openssl.pod ---- openssl-1.0.2a/doc/apps/openssl.pod.manfix 2015-01-20 13:33:36.000000000 +0100 -+++ openssl-1.0.2a/doc/apps/openssl.pod 2015-04-21 17:39:20.084574580 +0200 -@@ -163,7 +163,7 @@ Create or examine a netscape certificate - - Online Certificate Status Protocol utility. - --=item L|passwd(1)> -+=item L|sslpasswd(1)> - - Generation of hashed passwords. - -@@ -187,7 +187,7 @@ Public key algorithm parameter managemen - - Public key algorithm cryptographic operation utility. - --=item L|rand(1)> -+=item L|sslrand(1)> - - Generate pseudo-random bytes. - -@@ -401,9 +401,9 @@ L, L, L, L, - L, L, L, - L, L, L, --L, -+L, - L, L, L, --L, L, L, -+L, L, L, - L, L, - L, L, - L, L, -diff -up openssl-1.0.2a/doc/apps/s_client.pod.manfix openssl-1.0.2a/doc/apps/s_client.pod ---- openssl-1.0.2a/doc/apps/s_client.pod.manfix 2015-04-21 17:39:20.085574603 +0200 -+++ openssl-1.0.2a/doc/apps/s_client.pod 2015-04-21 17:41:00.215924162 +0200 -@@ -34,6 +34,9 @@ B B - [B<-ssl2>] - [B<-ssl3>] - [B<-tls1>] -+[B<-tls1_1>] -+[B<-tls1_2>] -+[B<-dtls1>] - [B<-no_ssl2>] - [B<-no_ssl3>] - [B<-no_tls1>] -@@ -200,7 +203,7 @@ Use the PSK key B when using a PSK - given as a hexadecimal number without leading 0x, for example -psk - 1a2b3c4d. 
- --=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2> -+=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-dtls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2> - - these options disable the use of certain SSL or TLS protocols. By default - the initial handshake uses a method which should be compatible with all -diff -up openssl-1.0.2a/doc/apps/s_server.pod.manfix openssl-1.0.2a/doc/apps/s_server.pod ---- openssl-1.0.2a/doc/apps/s_server.pod.manfix 2015-03-19 14:30:36.000000000 +0100 -+++ openssl-1.0.2a/doc/apps/s_server.pod 2015-04-21 17:39:20.085574603 +0200 -@@ -212,7 +212,7 @@ Use the PSK key B when using a PSK - given as a hexadecimal number without leading 0x, for example -psk - 1a2b3c4d. - --=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1> -+=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-dtls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2> - - these options disable the use of certain SSL or TLS protocols. By default - the initial handshake uses a method which should be compatible with all -diff -up openssl-1.0.2a/doc/ssl/SSL_CTX_use_serverinfo.pod.manfix openssl-1.0.2a/doc/ssl/SSL_CTX_use_serverinfo.pod ---- openssl-1.0.2a/doc/ssl/SSL_CTX_use_serverinfo.pod.manfix 2015-03-19 14:30:36.000000000 +0100 -+++ openssl-1.0.2a/doc/ssl/SSL_CTX_use_serverinfo.pod 2015-04-22 20:12:43.082395251 +0200 -@@ -2,7 +2,7 @@ - - =head1 NAME - --SSL_CTX_use_serverinfo, SSL_CTX_use_serverinfo_file -+SSL_CTX_use_serverinfo, SSL_CTX_use_serverinfo_file - load serverinfo extensions - - =head1 SYNOPSIS - diff --git a/openssl-1.0.2d-manfix.patch b/openssl-1.0.2d-manfix.patch new file mode 100644 index 0000000..b509a2b --- /dev/null +++ b/openssl-1.0.2d-manfix.patch 
@@ -0,0 +1,81 @@ +diff -up openssl-1.0.2a/doc/apps/ec.pod.manfix openssl-1.0.2a/doc/apps/ec.pod +--- openssl-1.0.2a/doc/apps/ec.pod.manfix 2015-01-20 13:33:36.000000000 +0100 ++++ openssl-1.0.2a/doc/apps/ec.pod 2015-04-21 17:39:20.084574580 +0200 +@@ -93,10 +93,6 @@ prints out the public, private key compo + + this option prevents output of the encoded version of the key. + +-=item B<-modulus> +- +-this option prints out the value of the public key component of the key. +- + =item B<-pubin> + + by default a private key is read from the input file: with this option a +diff -up openssl-1.0.2a/doc/apps/openssl.pod.manfix openssl-1.0.2a/doc/apps/openssl.pod +--- openssl-1.0.2a/doc/apps/openssl.pod.manfix 2015-01-20 13:33:36.000000000 +0100 ++++ openssl-1.0.2a/doc/apps/openssl.pod 2015-04-21 17:39:20.084574580 +0200 +@@ -163,7 +163,7 @@ Create or examine a netscape certificate + + Online Certificate Status Protocol utility. + +-=item L|passwd(1)> ++=item L|sslpasswd(1)> + + Generation of hashed passwords. + +@@ -187,7 +187,7 @@ Public key algorithm parameter managemen + + Public key algorithm cryptographic operation utility. + +-=item L|rand(1)> ++=item L|sslrand(1)> + + Generate pseudo-random bytes. + +@@ -401,9 +401,9 @@ L, L, L, L, + L, L, L, + L, L, L, +-L, ++L, + L, L, L, +-L, L, L, ++L, L, L, + L, L, + L, L, + L, L, +diff -up openssl-1.0.2a/doc/apps/s_client.pod.manfix openssl-1.0.2a/doc/apps/s_client.pod +--- openssl-1.0.2a/doc/apps/s_client.pod.manfix 2015-04-21 17:39:20.085574603 +0200 ++++ openssl-1.0.2a/doc/apps/s_client.pod 2015-04-21 17:41:00.215924162 +0200 +@@ -34,6 +34,9 @@ B B + [B<-ssl2>] + [B<-ssl3>] + [B<-tls1>] ++[B<-tls1_1>] ++[B<-tls1_2>] ++[B<-dtls1>] + [B<-no_ssl2>] + [B<-no_ssl3>] + [B<-no_tls1>] +@@ -200,7 +203,7 @@ Use the PSK key B when using a PSK + given as a hexadecimal number without leading 0x, for example -psk + 1a2b3c4d. 
+ +-=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2> ++=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-dtls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2> + + these options disable the use of certain SSL or TLS protocols. By default + the initial handshake uses a method which should be compatible with all +diff -up openssl-1.0.2a/doc/apps/s_server.pod.manfix openssl-1.0.2a/doc/apps/s_server.pod +--- openssl-1.0.2a/doc/apps/s_server.pod.manfix 2015-03-19 14:30:36.000000000 +0100 ++++ openssl-1.0.2a/doc/apps/s_server.pod 2015-04-21 17:39:20.085574603 +0200 +@@ -212,7 +212,7 @@ Use the PSK key B when using a PSK + given as a hexadecimal number without leading 0x, for example -psk + 1a2b3c4d. + +-=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1> ++=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-dtls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2> + + these options disable the use of certain SSL or TLS protocols. By default + the initial handshake uses a method which should be compatible with all diff --git a/openssl.spec b/openssl.spec index 5d2753c..97458b9 100644 --- a/openssl.spec +++ b/openssl.spec @@ -22,8 +22,8 @@ Summary: Utilities from the general purpose cryptography library with TLS implementation Name: openssl -Version: 1.0.2c -Release: 3%{?dist} +Version: 1.0.2d +Release: 1%{?dist} Epoch: 1 # We have to remove certain patented algorithms from the openssl source # tarball with the hobble-openssl script which is included below. 
@@ -70,7 +70,7 @@ Patch65: openssl-1.0.2a-chil-fixes.patch
 Patch66: openssl-1.0.2a-pkgconfig-krb5.patch
 Patch68: openssl-1.0.2a-secure-getenv.patch
 Patch70: openssl-1.0.2a-fips-ec.patch
-Patch71: openssl-1.0.2a-manfix.patch
+Patch71: openssl-1.0.2d-manfix.patch
 Patch72: openssl-1.0.2a-fips-ctor.patch
 Patch73: openssl-1.0.2c-ecc-suiteb.patch
 Patch74: openssl-1.0.2a-no-md5-verify.patch
@@ -474,6 +474,9 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
 %postun libs -p /sbin/ldconfig
 %changelog
+* Thu Jul 9 2015 Tomáš Mráz 1.0.2d-1
+- minor upstream release 1.0.2d fixing a high severity security issue
+
 * Tue Jul 7 2015 Tomáš Mráz 1.0.2c-3
 - fix the aarch64 build
diff --git a/sources b/sources
index c5a84d6..172dba7 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-178792e60274974ec47aedc6dc5eba7a openssl-1.0.2c-hobbled.tar.xz
+e777c33ca529b963d5457a21cb11d6c3 openssl-1.0.2d-hobbled.tar.xz
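Review bot: The only integrity pin for `openssl-1.0.2d-hobbled.tar.xz` in the new `sources` line is a 32-hex-digit digest, which by its length looks like MD5, and MD5 is not collision-resistant. The spec comment says the tarball is repackaged locally with the hobble-openssl script, so it presumably cannot be checked directly against upstream's published release artifact, which leaves this digest as the only check a rebuilder has. If the lookaside tooling accepts a stronger hash, record one instead, e.g. `SHA512 (openssl-1.0.2d-hobbled.tar.xz) = <sha512-of-tarball>`. It would also help to state in the commit message which upstream tarball the hobbled file was generated from, so the result can be reproduced and compared.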