diff --git a/SOURCES/rpm-4.14.3-hdrblobInit-add-bounds-check.patch b/SOURCES/rpm-4.14.3-hdrblobInit-add-bounds-check.patch
new file mode 100644
index 0000000..8321161
--- /dev/null
+++ b/SOURCES/rpm-4.14.3-hdrblobInit-add-bounds-check.patch
@@ -0,0 +1,100 @@
+commit 8f4b3c3cab8922a2022b9e47c71f1ecf906077ef
+Author: Demi Marie Obenour <athena@invisiblethingslab.com>
+Date:   Mon Feb 8 16:05:01 2021 -0500
+
+    hdrblobInit() needs bounds checks too
+    
+    Users can pass untrusted data to hdrblobInit() and it must be robust
+    against this.
+
+diff --git a/lib/header.c b/lib/header.c
+index ea39e679f..ebba9c2b0 100644
+--- a/lib/header.c
++++ b/lib/header.c
+@@ -11,6 +11,7 @@
+ #include "system.h"
+ #include <netdb.h>
+ #include <errno.h>
++#include <inttypes.h>
+ #include <rpm/rpmtypes.h>
+ #include <rpm/rpmstring.h>
+ #include "lib/header_internal.h"
+@@ -1912,6 +1913,25 @@ hdrblob hdrblobFree(hdrblob blob)
+     return NULL;
+ }
+ 
++static rpmRC hdrblobVerifyLengths(rpmTagVal regionTag, uint32_t il, uint32_t dl,
++				  char **emsg) {
++    uint32_t il_max = HEADER_TAGS_MAX;
++    uint32_t dl_max = HEADER_DATA_MAX;
++    if (regionTag == RPMTAG_HEADERSIGNATURES) {
++	il_max = 32;
++	dl_max = 64 * 1024 * 1024;
++    }
++    if (hdrchkRange(il_max, il)) {
++	rasprintf(emsg, _("hdr tags: BAD, no. of tags(%" PRIu32 ") out of range"), il);
++	return RPMRC_FAIL;
++    }
++    if (hdrchkRange(dl_max, dl)) {
++	rasprintf(emsg, _("hdr data: BAD, no. of bytes(%" PRIu32 ") out of range"), dl);
++	return RPMRC_FAIL;
++    }
++    return RPMRC_OK;
++}
++
+ rpmRC hdrblobRead(FD_t fd, int magic, int exact_size, rpmTagVal regionTag, hdrblob blob, char **emsg)
+ {
+     int32_t block[4];
+@@ -1924,13 +1944,6 @@ rpmRC hdrblobRead(FD_t fd, int magic, int exact_size, rpmTagVal regionTag, hdrbl
+     size_t nb;
+     rpmRC rc = RPMRC_FAIL;		/* assume failure */
+     int xx;
+-    int32_t il_max = HEADER_TAGS_MAX;
+-    int32_t dl_max = HEADER_DATA_MAX;
+-
+-    if (regionTag == RPMTAG_HEADERSIGNATURES) {
+-	il_max = 32;
+-	dl_max = 64 * 1024 * 1024;
+-    }
+ 
+     memset(block, 0, sizeof(block));
+     if ((xx = Freadall(fd, bs, blen)) != blen) {
+@@ -1943,15 +1956,9 @@ rpmRC hdrblobRead(FD_t fd, int magic, int exact_size, rpmTagVal regionTag, hdrbl
+ 	goto exit;
+     }
+     il = ntohl(block[2]);
+-    if (hdrchkRange(il_max, il)) {
+-	rasprintf(emsg, _("hdr tags: BAD, no. of tags(%d) out of range"), il);
+-	goto exit;
+-    }
+     dl = ntohl(block[3]);
+-    if (hdrchkRange(dl_max, dl)) {
+-	rasprintf(emsg, _("hdr data: BAD, no. of bytes(%d) out of range"), dl);
++    if (hdrblobVerifyLengths(regionTag, il, dl, emsg))
+ 	goto exit;
+-    }
+ 
+     nb = (il * sizeof(struct entryInfo_s)) + dl;
+     uc = sizeof(il) + sizeof(dl) + nb;
+@@ -1995,11 +2002,18 @@ rpmRC hdrblobInit(const void *uh, size_t uc,
+ 		struct hdrblob_s *blob, char **emsg)
+ {
+     rpmRC rc = RPMRC_FAIL;
+-
+     memset(blob, 0, sizeof(*blob));
++    if (uc && uc < 8) {
++	rasprintf(emsg, _("hdr length: BAD"));
++	goto exit;
++    }
++
+     blob->ei = (int32_t *) uh; /* discards const */
+-    blob->il = ntohl(blob->ei[0]);
+-    blob->dl = ntohl(blob->ei[1]);
++    blob->il = ntohl((uint32_t)(blob->ei[0]));
++    blob->dl = ntohl((uint32_t)(blob->ei[1]));
++    if (hdrblobVerifyLengths(regionTag, blob->il, blob->dl, emsg) != RPMRC_OK)
++	goto exit;
++
+     blob->pe = (entryInfo) &(blob->ei[2]);
+     blob->pvlen = sizeof(blob->il) + sizeof(blob->dl) +
+ 		  (blob->il * sizeof(*blob->pe)) + blob->dl;
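Review bot: The new guard in hdrblobInit spells the minimum blob size as a bare `8` while the lines that follow compute the same quantity as `sizeof(blob->il) + sizeof(blob->dl)`; writing it as `if (uc && uc < sizeof(blob->il) + sizeof(blob->dl))` ties the check to the fields it protects. The meaning of `uc == 0` is also left unstated — presumably the caller passes 0 when the size is not known and the size check is skipped — so a comment such as `/* uc == 0: caller supplied no size, nothing to compare against */` above the guard would help the next reader; whether pvlen is later compared against a non-zero uc is outside this hunk, as hdrblobInit continues past it. Style-wise, hdrblobRead tests the new helper's result as a bare truth value (`if (hdrblobVerifyLengths(regionTag, il, dl, emsg))`) while hdrblobInit compares it `!= RPMRC_OK`; using the explicit comparison in both call sites avoids relying on RPMRC_OK being zero. The helper itself takes uint32_t il/dl but hdrblobRead's il and dl come from int32_t block values, which is fine only because hdrchkRange's upper-bound test still rejects the wrapped value — worth a one-line comment on hdrblobVerifyLengths stating that negative counts arrive as out-of-range unsigned values.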
diff --git a/SOURCES/rpm-4.14.3-preserve-kmod-secure-boot-signature.patch b/SOURCES/rpm-4.14.3-preserve-kmod-secure-boot-signature.patch
new file mode 100644
index 0000000..c85d990
--- /dev/null
+++ b/SOURCES/rpm-4.14.3-preserve-kmod-secure-boot-signature.patch
@@ -0,0 +1,48 @@
+commit cfdb8300f6e3aed0abc41406a3c4737eb1192067
+Author: Michal Domonkos <mdomonko@redhat.com>
+Date:   Sun Jul 11 18:08:26 2021 +0200
+
+    Don't brp-strip .ko files
+    
+    Otherwise SecureBoot signatures may be stripped too.
+    
+    We used to exclude shared libraries from this strip as they were
+    supposed to be covered by another brp script (brp-strip-shared), however
+    it turned out the latter was never really used, so we removed the
+    exclusion in commit 0ab151ab138fd4fb6d3176fd0270d9cc6f4623f3.
+    
+    As it turns out, that was a little too ambitious, since we may now
+    inadvertently strip SecureBoot signatures from kernel modules too,
+    provided that they're made during the build, prior to the invocation of
+    brp-strip.
+    
+    Note that this regression currently does *not* affect the following two
+    cases on Fedora/RHEL systems with redhat-rpm-config installed:
+    
+      - in-tree kernel modules; these are built from kernel.spec which
+        already contains a hack ensuring that module signing only happens
+        *after* any stripping (see %__modsign_install_post in kernel.spec)
+    
+      - out-of-tree kernel modules built with debuginfo enabled; this is
+        because brp-strip is only called when %debug_package is set to
+        %{nil}
+    
+    Any other combinations may be affected, depending on the macros and
+    .spec files used, so let's fix this by effectively "reverting" said
+    commit for .ko files only.
+    
+    Fixes: rhbz#1967291
+
+    Backported into 4.14.3
+diff -up rpm-4.14.3/scripts/brp-strip.orig rpm-4.14.3/scripts/brp-strip
+--- rpm-4.14.3/scripts/brp-strip.orig	2021-07-12 17:21:04.446396789 +0200
++++ rpm-4.14.3/scripts/brp-strip	2021-07-12 17:21:20.673633783 +0200
+@@ -12,7 +12,7 @@ Darwin*) exit 0 ;;
+ esac
+ 
+ # Strip ELF binaries
+-for f in `find "$RPM_BUILD_ROOT" -type f -exec file {} \; | \
++for f in `find "$RPM_BUILD_ROOT" -type f \! -name "*.ko" -exec file {} \; | \
+         grep -v "^${RPM_BUILD_ROOT}/\?usr/lib/debug"  | \
+ 	sed -n -e 's/^\(.*\):[ 	]*ELF.*, not stripped.*/\1/p'`; do
+ 	$STRIP -g "$f" || :
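Review bot: The new `\! -name "*.ko"` predicate carries no in-script explanation, so the only record of why kernel modules are skipped is the commit message; a comment on the line above the find, such as `# Skip kernel modules: stripping .ko files would also remove their SecureBoot signatures (rhbz#1967291)`, keeps the rationale with the code. The exclusion is by filename suffix only, which matches the stated intent of the change but does not protect a signed module installed under another name — acceptable as long as that limitation is understood. The enclosing for-loop runs past the end of the hunk.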
diff --git a/SPECS/rpm.spec b/SPECS/rpm.spec
index 0af92a3..fa86546 100644
--- a/SPECS/rpm.spec
+++ b/SPECS/rpm.spec
@@ -30,7 +30,7 @@
 
 %global rpmver 4.14.3
 #global snapver rc2
-%global rel 14
+%global rel 15
 
 %global srcver %{version}%{?snapver:-%{snapver}}
 %global srcdir %{?snapver:testing}%{!?snapver:%{name}-%(echo %{version} | cut -d'.' -f1-2).x}
@@ -104,6 +104,8 @@ Patch151: 0001-Unblock-signals-in-forked-scriptlets.patch
 Patch152: rpm-4.14.3-fix-ambiguous-diagnostics-on-file-triggers.patch
 Patch153: rpm-4.14.3-ELF-files-strip-when-debuginfo-disabled.patch
 Patch154: rpm-4.14.3-more-careful-sig-hdr-copy.patch
+Patch155: rpm-4.14.3-preserve-kmod-secure-boot-signature.patch
+Patch156: rpm-4.14.3-hdrblobInit-add-bounds-check.patch
 
 # Python 3 string API sanity
 Patch500: 0001-In-Python-3-return-all-our-string-data-as-surrogate-.patch
@@ -682,6 +684,11 @@ make check || cat tests/rpmtests.log
 %doc doc/librpm/html/*
 
 %changelog
+* Thu Jul 15 2021 Michal Domonkos <mdomonko@redhat.com> - 4.14.3-15
+- Add out-of-bounds checks to hdrblobInit() (#1929445)
+- Fixes CVE-2021-20266
+- Fix regression in brp-strip causing kmods to lose SecureBoot sig (#1967291)
+
 * Thu May 27 2021 Michal Domonkos <mdomonko@redhat.com> - 4.14.3-14
 - Be more careful about copying data from signature header (#1958477)
 - Fixes CVE-2021-20271