Index: crypto/bio/b_sock.c
===================================================================
--- crypto/bio/b_sock.c.orig
+++ crypto/bio/b_sock.c
@@ -735,7 +735,7 @@ int BIO_get_accept_socket(char *host, in
 		}
 
 again:
-	s=socket(server.sa.sa_family,SOCK_STREAM,SOCKET_PROTOCOL);
+	s=socket(server.sa.sa_family,SOCK_STREAM|SOCK_CLOEXEC,SOCKET_PROTOCOL);
 	if (s == INVALID_SOCKET)
 		{
 		SYSerr(SYS_F_SOCKET,get_last_socket_error());
@@ -784,7 +784,7 @@ again:
 					}
 				else	goto err;
 				}
-			cs=socket(client.sa.sa_family,SOCK_STREAM,SOCKET_PROTOCOL);
+			cs=socket(client.sa.sa_family,SOCK_STREAM|SOCK_CLOEXEC,SOCKET_PROTOCOL);
 			if (cs != INVALID_SOCKET)
 				{
 				int ii;
Index: crypto/bio/bss_conn.c
===================================================================
--- crypto/bio/bss_conn.c.orig
+++ crypto/bio/bss_conn.c
@@ -209,7 +209,7 @@ static int conn_state(BIO *b, BIO_CONNEC
 			c->them.sin_addr.s_addr=htonl(l);
 			c->state=BIO_CONN_S_CREATE_SOCKET;
 
-			ret=socket(AF_INET,SOCK_STREAM,SOCKET_PROTOCOL);
+			ret=socket(AF_INET,SOCK_STREAM|SOCK_CLOEXEC,SOCKET_PROTOCOL);
 			if (ret == INVALID_SOCKET)
 				{
 				SYSerr(SYS_F_SOCKET,get_last_socket_error());
Index: crypto/bio/bss_dgram.c
===================================================================
--- crypto/bio/bss_dgram.c.orig
+++ crypto/bio/bss_dgram.c
@@ -1032,7 +1032,7 @@ static int dgram_sctp_read(BIO *b, char
 			msg.msg_control = cmsgbuf;
 			msg.msg_controllen = 512;
 			msg.msg_flags = 0;
-			n = recvmsg(b->num, &msg, 0);
+			n = recvmsg(b->num, &msg, MSG_CMSG_CLOEXEC);
 
 			if (msg.msg_controllen > 0)
 				{
@@ -1593,7 +1593,7 @@ int BIO_dgram_sctp_wait_for_dry(BIO *b)
 	msg.msg_controllen = 0;
 	msg.msg_flags = 0;
 
-	n = recvmsg(b->num, &msg, MSG_PEEK);
+	n = recvmsg(b->num, &msg, MSG_PEEK| MSG_CMSG_CLOEXEC);
 	if (n <= 0)
 		{
 		if ((n < 0) && (get_last_socket_error() != EAGAIN) && (get_last_socket_error() != EWOULDBLOCK))
@@ -1616,7 +1616,7 @@ int BIO_dgram_sctp_wait_for_dry(BIO *b)
 		msg.msg_controllen = 0;
 		msg.msg_flags = 0;
 
-		n = recvmsg(b->num, &msg, 0);
+		n = recvmsg(b->num, &msg, MSG_CMSG_CLOEXEC);
 		if (n <= 0)
 			{
 			if ((n < 0) && (get_last_socket_error() != EAGAIN) && (get_last_socket_error() != EWOULDBLOCK))
@@ -1677,7 +1677,7 @@ int BIO_dgram_sctp_wait_for_dry(BIO *b)
 			fcntl(b->num, F_SETFL, O_NONBLOCK);
 			}
 
-		n = recvmsg(b->num, &msg, MSG_PEEK);
+		n = recvmsg(b->num, &msg, MSG_PEEK | MSG_CMSG_CLOEXEC);
 
 		if (is_dry)
 			{
@@ -1721,7 +1721,7 @@ int BIO_dgram_sctp_msg_waiting(BIO *b)
 
 		sockflags = fcntl(b->num, F_GETFL, 0);
 		fcntl(b->num, F_SETFL, O_NONBLOCK);
-		n = recvmsg(b->num, &msg, MSG_PEEK);
+		n = recvmsg(b->num, &msg, MSG_PEEK | MSG_CMSG_CLOEXEC);
 		fcntl(b->num, F_SETFL, sockflags);
 
 		/* if notification, process and try again */
@@ -1742,7 +1742,7 @@ int BIO_dgram_sctp_msg_waiting(BIO *b)
 			msg.msg_control = NULL;
 			msg.msg_controllen = 0;
 			msg.msg_flags = 0;
-			n = recvmsg(b->num, &msg, 0);
+			n = recvmsg(b->num, &msg, MSG_CMSG_CLOEXEC);
 
 			if (data->handle_notifications != NULL)
 				data->handle_notifications(b, data->notification_context, (void*) &snp);
Index: crypto/bio/bss_file.c
===================================================================
--- crypto/bio/bss_file.c.orig
+++ crypto/bio/bss_file.c
@@ -120,6 +120,10 @@ BIO *BIO_new_file(const char *filename,
 	{
 	BIO  *ret;
 	FILE *file=NULL;
+    size_t modelen = strlen (mode);
+    char newmode[modelen + 2];
+
+    memcpy (mempcpy (newmode, mode, modelen), "e", 2);
 
 #if defined(_WIN32) && defined(CP_UTF8)
 	int sz, len_0 = (int)strlen(filename)+1;
@@ -162,7 +166,7 @@ BIO *BIO_new_file(const char *filename,
 		file = fopen(filename,mode);
 		}
 #else
-	file=fopen(filename,mode);	
+	file=fopen(filename,newmode);	
 #endif
 	if (file == NULL)
 		{
@@ -275,7 +279,7 @@ static long MS_CALLBACK file_ctrl(BIO *b
 	long ret=1;
 	FILE *fp=(FILE *)b->ptr;
 	FILE **fpp;
-	char p[4];
+	char p[5];
 
 	switch (cmd)
 		{
@@ -392,6 +396,8 @@ static long MS_CALLBACK file_ctrl(BIO *b
 		else
 			strcat(p,"t");
 #endif
+		strcat(p, "e");
+
 		fp=fopen(ptr,p);
 		if (fp == NULL)
 			{
Index: crypto/rand/rand_unix.c
===================================================================
--- crypto/rand/rand_unix.c.orig
+++ crypto/rand/rand_unix.c
@@ -262,7 +262,7 @@ int RAND_poll(void)
 	for (i = 0; (i < sizeof(randomfiles)/sizeof(randomfiles[0])) &&
 			(n < ENTROPY_NEEDED); i++)
 		{
-		if ((fd = open(randomfiles[i], O_RDONLY
+		if ((fd = open(randomfiles[i], O_RDONLY | O_CLOEXEC
 #ifdef O_NONBLOCK
 			|O_NONBLOCK
 #endif
Index: crypto/rand/randfile.c
===================================================================
--- crypto/rand/randfile.c.orig
+++ crypto/rand/randfile.c
@@ -136,7 +136,7 @@ int RAND_load_file(const char *file, lon
 #ifdef OPENSSL_SYS_VMS
 	in=vms_fopen(file,"rb",VMS_OPEN_ATTRS);
 #else
-	in=fopen(file,"rb");
+	in=fopen(file,"rbe");
 #endif
 	if (in == NULL) goto err;
 #if defined(S_IFBLK) && defined(S_IFCHR) && !defined(OPENSSL_NO_POSIX_IO)
@@ -209,7 +209,7 @@ int RAND_write_file(const char *file)
 #endif
 	/* chmod(..., 0600) is too late to protect the file,
 	 * permissions should be restrictive from the start */
-	int fd = open(file, O_WRONLY|O_CREAT|O_BINARY, 0600);
+	int fd = open(file, O_WRONLY|O_CREAT|O_BINARY|O_CLOEXEC, 0600);
 	if (fd != -1)
 		out = fdopen(fd, "wb");
 	}
@@ -240,7 +240,7 @@ int RAND_write_file(const char *file)
 		out = vms_fopen(file,"wb",VMS_OPEN_ATTRS);
 #else
 	if (out == NULL)
-		out = fopen(file,"wb");
+		out = fopen(file,"wbe");
 #endif
 	if (out == NULL) goto err;