diff --git a/openssh-5.3p1-randclean.patch b/openssh-5.3p1-randclean.patch
new file mode 100644
index 0000000..897c3f8
--- /dev/null
+++ b/openssh-5.3p1-randclean.patch
@@ -0,0 +1,110 @@ +diff -up openssh-5.3p1/ssh-add.c.randclean openssh-5.3p1/ssh-add.c +--- openssh-5.3p1/ssh-add.c.randclean 2010-01-20 19:13:28.000000000 +0100 ++++ openssh-5.3p1/ssh-add.c 2010-01-20 19:13:29.000000000 +0100 +@@ -41,6 +41,7 @@ + #include + #include + ++#include + #include + #include + #include "openbsd-compat/openssl-compat.h" +@@ -471,6 +472,9 @@ main(int argc, char **argv) + int use_nss = 0; + #endif + ++ /* clean the PRNG status when exiting the program */ ++ atexit(RAND_cleanup); ++ + /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */ + sanitise_stdfd(); + +diff -up openssh-5.3p1/ssh.c.randclean openssh-5.3p1/ssh.c +--- openssh-5.3p1/ssh.c.randclean 2010-01-20 19:13:29.000000000 +0100 ++++ openssh-5.3p1/ssh.c 2010-01-20 19:13:29.000000000 +0100 +@@ -70,6 +70,7 @@ + #include + #include + ++#include + #include + #include + #include +@@ -220,6 +221,9 @@ main(int ac, char **av) + struct servent *sp; + Forward fwd; + ++ /* clean the PRNG status when exiting the program */ ++ atexit(RAND_cleanup); ++ + /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */ + sanitise_stdfd(); + +diff -up openssh-5.3p1/sshd.c.randclean openssh-5.3p1/sshd.c +--- openssh-5.3p1/sshd.c.randclean 2010-01-20 19:13:29.000000000 +0100 ++++ openssh-5.3p1/sshd.c 2010-01-20 19:13:29.000000000 +0100 +@@ -1263,6 +1263,9 @@ main(int ac, char **av) + Key *key; + Authctxt *authctxt; + ++ /* clean the PRNG status when exiting the program */ ++ atexit(RAND_cleanup); ++ + #ifdef HAVE_SECUREWARE + (void)set_auth_parameters(ac, av); + #endif +diff -up openssh-5.3p1/ssh-keygen.c.randclean openssh-5.3p1/ssh-keygen.c +--- openssh-5.3p1/ssh-keygen.c.randclean 2010-01-20 19:13:29.000000000 +0100 ++++ openssh-5.3p1/ssh-keygen.c 2010-01-20 19:13:29.000000000 +0100 +@@ -19,6 +19,7 @@ + #include + #include + ++#include + #include + #include + #include +@@ -1120,6 +1121,9 @@ main(int argc, char **argv) + extern int optind; + extern char *optarg; + ++ /* clean the PRNG 
status when exiting the program */ ++ atexit(RAND_cleanup); ++ + /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */ + sanitise_stdfd(); + +diff -up openssh-5.3p1/ssh-keyscan.c.randclean openssh-5.3p1/ssh-keyscan.c +--- openssh-5.3p1/ssh-keyscan.c.randclean 2009-01-28 06:31:23.000000000 +0100 ++++ openssh-5.3p1/ssh-keyscan.c 2010-01-20 19:21:16.000000000 +0100 +@@ -18,6 +18,7 @@ + #include + #include + ++#include + #include + + #include +@@ -730,6 +731,9 @@ main(int argc, char **argv) + extern int optind; + extern char *optarg; + ++ /* clean the PRNG status when exiting the program */ ++ atexit(RAND_cleanup); ++ + __progname = ssh_get_progname(argv[0]); + init_rng(); + seed_rng(); +diff -up openssh-5.3p1/ssh-keysign.c.randclean openssh-5.3p1/ssh-keysign.c +--- openssh-5.3p1/ssh-keysign.c.randclean 2006-09-01 07:38:37.000000000 +0200 ++++ openssh-5.3p1/ssh-keysign.c 2010-01-20 19:13:29.000000000 +0100 +@@ -158,6 +158,9 @@ main(int argc, char **argv) + u_int slen, dlen; + u_int32_t rnd[256]; + ++ /* clean the PRNG status when exiting the program */ ++ atexit(RAND_cleanup); ++ + /* Ensure that stdin and stdout are connected */ + if ((fd = open(_PATH_DEVNULL, O_RDWR)) < 2) + exit(1); diff --git a/openssh.spec b/openssh.spec index 820e81f..d57b0ea 100644 --- a/openssh.spec +++ b/openssh.spec @@ -69,7 +69,7 @@ Summary: An open source implementation of SSH protocol versions 1 and 2 Name: openssh Version: 5.3p1 -Release: 16%{?dist}%{?rescue_rel} +Release: 17%{?dist}%{?rescue_rel} URL: http://www.openssh.com/portable.html #URL1: http://pamsshauth.sourceforge.net #Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz @@ -109,6 +109,7 @@ Patch69: openssh-5.3p1-selabel.patch Patch71: openssh-5.2p1-edns.patch Patch72: openssh-5.3p1-pka.patch Patch73: openssh-5.3p1-gsskex.patch +Patch74: openssh-5.3p1-randclean.patch License: BSD Group: Applications/Internet 
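Review bot: The `atexit(RAND_cleanup);` registration added at the top of each `main()` (ssh-add.c, ssh.c, sshd.c, ssh-keygen.c, ssh-keyscan.c, ssh-keysign.c) only fires on `exit()` or a return from `main`, so any path that ends in `_exit()`, `abort()` or an unhandled signal would leave the PRNG state uncleared; whether such paths exist is not visible here, because every `main()` body continues outside its hunk, but forked children and fatal-error handlers are worth checking. The comment should state that limit, for example `/* clear OpenSSL PRNG state on normal exit; _exit() and signal deaths bypass atexit handlers */`. The return value of `atexit()` is also ignored, so a failed registration would go unnoticed; checking it with `if (atexit(RAND_cleanup) != 0)` followed by the file's usual error report would make that visible. The sshd.c and ssh-keysign.c hunks add the call without adding an include, so confirm that `RAND_cleanup` is already declared in those two files.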
@@ -266,6 +267,7 @@ popd %patch71 -p1 -b .edns %patch72 -p1 -b .pka %patch73 -p1 -b .gsskex +%patch74 -p1 -b .randclean autoreconf @@ -525,6 +527,9 @@ fi %endif %changelog +* Wed Jan 20 2010 Jan F. Chadima - 5.3p1-17 +- add RAND_cleanup at the exit of each program using RAND (#557166) + * Tue Jan 19 2010 Jan F. Chadima - 5.3p1-16 - set FD_CLOEXEC on accepted socket (#541809)