diff --git a/0001-target-ppc-fix-vcipher-vcipherlast-vncipherlast-and-.patch b/0001-target-ppc-fix-vcipher-vcipherlast-vncipherlast-and-.patch
deleted file mode 100644
index 2b099a4..0000000
--- a/0001-target-ppc-fix-vcipher-vcipherlast-vncipherlast-and-.patch
+++ /dev/null
@@ -1,98 +0,0 @@
-From d233fc09d20fa24f6ee03f8505333d73f559eacf Mon Sep 17 00:00:00 2001
-From: Aurelien Jarno <aurelien@aurel32.net>
-Date: Sun, 13 Sep 2015 23:03:44 +0200
-Subject: [PATCH 1/2] target-ppc: fix vcipher, vcipherlast, vncipherlast and
- vpermxor
-
-For vector instructions, the helpers get pointers to the vector register
-in arguments. Some operands might point to the same register, including
-the operand holding the result.
-
-When emulating instructions which access the vector elements in a
-non-linear way, we need to store the result in an temporary variable.
-
-This fixes openssl when emulating a POWER8 CPU.
-
-Cc: Tom Musta <tommusta@gmail.com>
-Cc: Alexander Graf <agraf@suse.de>
-Cc: qemu-stable@nongnu.org
-Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
----
- target-ppc/int_helper.c | 19 ++++++++++++++-----
- 1 file changed, 14 insertions(+), 5 deletions(-)
-
-diff --git a/target-ppc/int_helper.c b/target-ppc/int_helper.c
-index 0a55d5e..b122868 100644
---- a/target-ppc/int_helper.c
-+++ b/target-ppc/int_helper.c
-@@ -2327,24 +2327,28 @@ void helper_vsbox(ppc_avr_t *r, ppc_avr_t *a)
- 
- void helper_vcipher(ppc_avr_t *r, ppc_avr_t *a, ppc_avr_t *b)
- {
-+    ppc_avr_t result;
-     int i;
- 
-     VECTOR_FOR_INORDER_I(i, u32) {
--        r->AVRW(i) = b->AVRW(i) ^
-+        result.AVRW(i) = b->AVRW(i) ^
-             (AES_Te0[a->AVRB(AES_shifts[4*i + 0])] ^
-              AES_Te1[a->AVRB(AES_shifts[4*i + 1])] ^
-              AES_Te2[a->AVRB(AES_shifts[4*i + 2])] ^
-              AES_Te3[a->AVRB(AES_shifts[4*i + 3])]);
-     }
-+    *r = result;
- }
- 
- void helper_vcipherlast(ppc_avr_t *r, ppc_avr_t *a, ppc_avr_t *b)
- {
-+    ppc_avr_t result;
-     int i;
- 
-     VECTOR_FOR_INORDER_I(i, u8) {
--        r->AVRB(i) = b->AVRB(i) ^ (AES_sbox[a->AVRB(AES_shifts[i])]);
-+        result.AVRB(i) = b->AVRB(i) ^ (AES_sbox[a->AVRB(AES_shifts[i])]);
-     }
-+    *r = result;
- }
- 
- void helper_vncipher(ppc_avr_t *r, ppc_avr_t *a, ppc_avr_t *b)
-@@ -2369,11 +2373,13 @@ void helper_vncipher(ppc_avr_t *r, ppc_avr_t *a, ppc_avr_t *b)
- 
- void helper_vncipherlast(ppc_avr_t *r, ppc_avr_t *a, ppc_avr_t *b)
- {
-+    ppc_avr_t result;
-     int i;
- 
-     VECTOR_FOR_INORDER_I(i, u8) {
--        r->AVRB(i) = b->AVRB(i) ^ (AES_isbox[a->AVRB(AES_ishifts[i])]);
-+        result.AVRB(i) = b->AVRB(i) ^ (AES_isbox[a->AVRB(AES_ishifts[i])]);
-     }
-+    *r = result;
- }
- 
- #define ROTRu32(v, n) (((v) >> (n)) | ((v) << (32-n)))
-@@ -2460,16 +2466,19 @@ void helper_vshasigmad(ppc_avr_t *r,  ppc_avr_t *a, uint32_t st_six)
- 
- void helper_vpermxor(ppc_avr_t *r,  ppc_avr_t *a, ppc_avr_t *b, ppc_avr_t *c)
- {
-+    ppc_avr_t result;
-     int i;
-+
-     VECTOR_FOR_INORDER_I(i, u8) {
-         int indexA = c->u8[i] >> 4;
-         int indexB = c->u8[i] & 0xF;
- #if defined(HOST_WORDS_BIGENDIAN)
--        r->u8[i] = a->u8[indexA] ^ b->u8[indexB];
-+        result.u8[i] = a->u8[indexA] ^ b->u8[indexB];
- #else
--        r->u8[i] = a->u8[15-indexA] ^ b->u8[15-indexB];
-+        result.u8[i] = a->u8[15-indexA] ^ b->u8[15-indexB];
- #endif
-     }
-+    *r = result;
- }
- 
- #undef VECTOR_FOR_INORDER_I
--- 
-2.5.0
-
diff --git a/0002-target-ppc-fix-vcipher-vcipherlast-vncipherlast-and-.patch b/0002-target-ppc-fix-vcipher-vcipherlast-vncipherlast-and-.patch
new file mode 100644
index 0000000..9401ea7
--- /dev/null
+++ b/0002-target-ppc-fix-vcipher-vcipherlast-vncipherlast-and-.patch
@@ -0,0 +1,94 @@
+From: Aurelien Jarno <aurelien@aurel32.net>
+Date: Sun, 13 Sep 2015 23:03:44 +0200
+Subject: [PATCH] target-ppc: fix vcipher, vcipherlast, vncipherlast and
+ vpermxor
+
+For vector instructions, the helpers get pointers to the vector register
+in arguments. Some operands might point to the same register, including
+the operand holding the result.
+
+When emulating instructions which access the vector elements in a
+non-linear way, we need to store the result in an temporary variable.
+
+This fixes openssl when emulating a POWER8 CPU.
+
+Cc: Tom Musta <tommusta@gmail.com>
+Cc: Alexander Graf <agraf@suse.de>
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
+---
+ target-ppc/int_helper.c | 19 ++++++++++++++-----
+ 1 file changed, 14 insertions(+), 5 deletions(-)
+
+diff --git a/target-ppc/int_helper.c b/target-ppc/int_helper.c
+index 0a55d5e..b122868 100644
+--- a/target-ppc/int_helper.c
++++ b/target-ppc/int_helper.c
+@@ -2327,24 +2327,28 @@ void helper_vsbox(ppc_avr_t *r, ppc_avr_t *a)
+ 
+ void helper_vcipher(ppc_avr_t *r, ppc_avr_t *a, ppc_avr_t *b)
+ {
++    ppc_avr_t result;
+     int i;
+ 
+     VECTOR_FOR_INORDER_I(i, u32) {
+-        r->AVRW(i) = b->AVRW(i) ^
++        result.AVRW(i) = b->AVRW(i) ^
+             (AES_Te0[a->AVRB(AES_shifts[4*i + 0])] ^
+              AES_Te1[a->AVRB(AES_shifts[4*i + 1])] ^
+              AES_Te2[a->AVRB(AES_shifts[4*i + 2])] ^
+              AES_Te3[a->AVRB(AES_shifts[4*i + 3])]);
+     }
++    *r = result;
+ }
+ 
+ void helper_vcipherlast(ppc_avr_t *r, ppc_avr_t *a, ppc_avr_t *b)
+ {
++    ppc_avr_t result;
+     int i;
+ 
+     VECTOR_FOR_INORDER_I(i, u8) {
+-        r->AVRB(i) = b->AVRB(i) ^ (AES_sbox[a->AVRB(AES_shifts[i])]);
++        result.AVRB(i) = b->AVRB(i) ^ (AES_sbox[a->AVRB(AES_shifts[i])]);
+     }
++    *r = result;
+ }
+ 
+ void helper_vncipher(ppc_avr_t *r, ppc_avr_t *a, ppc_avr_t *b)
+@@ -2369,11 +2373,13 @@ void helper_vncipher(ppc_avr_t *r, ppc_avr_t *a, ppc_avr_t *b)
+ 
+ void helper_vncipherlast(ppc_avr_t *r, ppc_avr_t *a, ppc_avr_t *b)
+ {
++    ppc_avr_t result;
+     int i;
+ 
+     VECTOR_FOR_INORDER_I(i, u8) {
+-        r->AVRB(i) = b->AVRB(i) ^ (AES_isbox[a->AVRB(AES_ishifts[i])]);
++        result.AVRB(i) = b->AVRB(i) ^ (AES_isbox[a->AVRB(AES_ishifts[i])]);
+     }
++    *r = result;
+ }
+ 
+ #define ROTRu32(v, n) (((v) >> (n)) | ((v) << (32-n)))
+@@ -2460,16 +2466,19 @@ void helper_vshasigmad(ppc_avr_t *r,  ppc_avr_t *a, uint32_t st_six)
+ 
+ void helper_vpermxor(ppc_avr_t *r,  ppc_avr_t *a, ppc_avr_t *b, ppc_avr_t *c)
+ {
++    ppc_avr_t result;
+     int i;
++
+     VECTOR_FOR_INORDER_I(i, u8) {
+         int indexA = c->u8[i] >> 4;
+         int indexB = c->u8[i] & 0xF;
+ #if defined(HOST_WORDS_BIGENDIAN)
+-        r->u8[i] = a->u8[indexA] ^ b->u8[indexB];
++        result.u8[i] = a->u8[indexA] ^ b->u8[indexB];
+ #else
+-        r->u8[i] = a->u8[15-indexA] ^ b->u8[15-indexB];
++        result.u8[i] = a->u8[15-indexA] ^ b->u8[15-indexB];
+ #endif
+     }
++    *r = result;
+ }
+ 
+ #undef VECTOR_FOR_INORDER_I
diff --git a/0002-target-ppc-fix-xscmpodp-and-xscmpudp-decoding.patch b/0002-target-ppc-fix-xscmpodp-and-xscmpudp-decoding.patch
deleted file mode 100644
index 94e7b83..0000000
--- a/0002-target-ppc-fix-xscmpodp-and-xscmpudp-decoding.patch
+++ /dev/null
@@ -1,53 +0,0 @@
-From d539a02e18916c558985f26cf37af1e83851d9fd Mon Sep 17 00:00:00 2001
-From: Aurelien Jarno <aurelien@aurel32.net>
-Date: Sun, 13 Sep 2015 23:03:45 +0200
-Subject: [PATCH 2/2] target-ppc: fix xscmpodp and xscmpudp decoding
-
-The xscmpodp and xscmpudp instructions only have the AX, BX bits in
-there encoding, the lowest bit (usually TX) is marked as an invalid
-bit. We therefore can't decode them with GEN_XX2FORM, which decodes
-the two lowest bit.
-
-Introduce a new form GEN_XX2FORM, which decodes AX and BX and mark
-the lowest bit as invalid.
-
-Cc: Tom Musta <tommusta@gmail.com>
-Cc: Alexander Graf <agraf@suse.de>
-Cc: qemu-stable@nongnu.org
-Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
----
- target-ppc/translate.c | 11 +++++++++--
- 1 file changed, 9 insertions(+), 2 deletions(-)
-
-diff --git a/target-ppc/translate.c b/target-ppc/translate.c
-index 84c5cea..c0eed13 100644
---- a/target-ppc/translate.c
-+++ b/target-ppc/translate.c
-@@ -10670,6 +10670,13 @@ GEN_HANDLER2_E(name, #name, 0x3C, opc2 | 1, opc3, 0, PPC_NONE, fl2), \
- GEN_HANDLER2_E(name, #name, 0x3C, opc2 | 2, opc3, 0, PPC_NONE, fl2), \
- GEN_HANDLER2_E(name, #name, 0x3C, opc2 | 3, opc3, 0, PPC_NONE, fl2)
- 
-+#undef GEN_XX2IFORM
-+#define GEN_XX2IFORM(name, opc2, opc3, fl2)                           \
-+GEN_HANDLER2_E(name, #name, 0x3C, opc2 | 0, opc3, 1, PPC_NONE, fl2), \
-+GEN_HANDLER2_E(name, #name, 0x3C, opc2 | 1, opc3, 1, PPC_NONE, fl2), \
-+GEN_HANDLER2_E(name, #name, 0x3C, opc2 | 2, opc3, 1, PPC_NONE, fl2), \
-+GEN_HANDLER2_E(name, #name, 0x3C, opc2 | 3, opc3, 1, PPC_NONE, fl2)
-+
- #undef GEN_XX3_RC_FORM
- #define GEN_XX3_RC_FORM(name, opc2, opc3, fl2)                          \
- GEN_HANDLER2_E(name, #name, 0x3C, opc2 | 0x00, opc3 | 0x00, 0, PPC_NONE, fl2), \
-@@ -10731,8 +10738,8 @@ GEN_XX3FORM(xsnmaddadp, 0x04, 0x14, PPC2_VSX),
- GEN_XX3FORM(xsnmaddmdp, 0x04, 0x15, PPC2_VSX),
- GEN_XX3FORM(xsnmsubadp, 0x04, 0x16, PPC2_VSX),
- GEN_XX3FORM(xsnmsubmdp, 0x04, 0x17, PPC2_VSX),
--GEN_XX2FORM(xscmpodp,  0x0C, 0x05, PPC2_VSX),
--GEN_XX2FORM(xscmpudp,  0x0C, 0x04, PPC2_VSX),
-+GEN_XX2IFORM(xscmpodp,  0x0C, 0x05, PPC2_VSX),
-+GEN_XX2IFORM(xscmpudp,  0x0C, 0x04, PPC2_VSX),
- GEN_XX3FORM(xsmaxdp, 0x00, 0x14, PPC2_VSX),
- GEN_XX3FORM(xsmindp, 0x00, 0x15, PPC2_VSX),
- GEN_XX2FORM(xscvdpsp, 0x12, 0x10, PPC2_VSX),
--- 
-2.5.0
-
diff --git a/0003-target-ppc-fix-xscmpodp-and-xscmpudp-decoding.patch b/0003-target-ppc-fix-xscmpodp-and-xscmpudp-decoding.patch
new file mode 100644
index 0000000..2d2f370
--- /dev/null
+++ b/0003-target-ppc-fix-xscmpodp-and-xscmpudp-decoding.patch
@@ -0,0 +1,49 @@
+From: Aurelien Jarno <aurelien@aurel32.net>
+Date: Sun, 13 Sep 2015 23:03:45 +0200
+Subject: [PATCH] target-ppc: fix xscmpodp and xscmpudp decoding
+
+The xscmpodp and xscmpudp instructions only have the AX, BX bits in
+there encoding, the lowest bit (usually TX) is marked as an invalid
+bit. We therefore can't decode them with GEN_XX2FORM, which decodes
+the two lowest bit.
+
+Introduce a new form GEN_XX2FORM, which decodes AX and BX and mark
+the lowest bit as invalid.
+
+Cc: Tom Musta <tommusta@gmail.com>
+Cc: Alexander Graf <agraf@suse.de>
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
+---
+ target-ppc/translate.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/target-ppc/translate.c b/target-ppc/translate.c
+index 84c5cea..c0eed13 100644
+--- a/target-ppc/translate.c
++++ b/target-ppc/translate.c
+@@ -10670,6 +10670,13 @@ GEN_HANDLER2_E(name, #name, 0x3C, opc2 | 1, opc3, 0, PPC_NONE, fl2), \
+ GEN_HANDLER2_E(name, #name, 0x3C, opc2 | 2, opc3, 0, PPC_NONE, fl2), \
+ GEN_HANDLER2_E(name, #name, 0x3C, opc2 | 3, opc3, 0, PPC_NONE, fl2)
+ 
++#undef GEN_XX2IFORM
++#define GEN_XX2IFORM(name, opc2, opc3, fl2)                           \
++GEN_HANDLER2_E(name, #name, 0x3C, opc2 | 0, opc3, 1, PPC_NONE, fl2), \
++GEN_HANDLER2_E(name, #name, 0x3C, opc2 | 1, opc3, 1, PPC_NONE, fl2), \
++GEN_HANDLER2_E(name, #name, 0x3C, opc2 | 2, opc3, 1, PPC_NONE, fl2), \
++GEN_HANDLER2_E(name, #name, 0x3C, opc2 | 3, opc3, 1, PPC_NONE, fl2)
++
+ #undef GEN_XX3_RC_FORM
+ #define GEN_XX3_RC_FORM(name, opc2, opc3, fl2)                          \
+ GEN_HANDLER2_E(name, #name, 0x3C, opc2 | 0x00, opc3 | 0x00, 0, PPC_NONE, fl2), \
+@@ -10731,8 +10738,8 @@ GEN_XX3FORM(xsnmaddadp, 0x04, 0x14, PPC2_VSX),
+ GEN_XX3FORM(xsnmaddmdp, 0x04, 0x15, PPC2_VSX),
+ GEN_XX3FORM(xsnmsubadp, 0x04, 0x16, PPC2_VSX),
+ GEN_XX3FORM(xsnmsubmdp, 0x04, 0x17, PPC2_VSX),
+-GEN_XX2FORM(xscmpodp,  0x0C, 0x05, PPC2_VSX),
+-GEN_XX2FORM(xscmpudp,  0x0C, 0x04, PPC2_VSX),
++GEN_XX2IFORM(xscmpodp,  0x0C, 0x05, PPC2_VSX),
++GEN_XX2IFORM(xscmpudp,  0x0C, 0x04, PPC2_VSX),
+ GEN_XX3FORM(xsmaxdp, 0x00, 0x14, PPC2_VSX),
+ GEN_XX3FORM(xsmindp, 0x00, 0x15, PPC2_VSX),
+ GEN_XX2FORM(xscvdpsp, 0x12, 0x10, PPC2_VSX),
diff --git a/0004-e1000-Avoid-infinite-loop-in-processing-transmit-des.patch b/0004-e1000-Avoid-infinite-loop-in-processing-transmit-des.patch
new file mode 100644
index 0000000..9e77105
--- /dev/null
+++ b/0004-e1000-Avoid-infinite-loop-in-processing-transmit-des.patch
@@ -0,0 +1,35 @@
+From: P J P <pjp@fedoraproject.org>
+Date: Fri, 4 Sep 2015 17:21:06 +0100
+Subject: [PATCH] e1000: Avoid infinite loop in processing transmit descriptor
+ (CVE-2015-6815)
+
+While processing transmit descriptors, it could lead to an infinite
+loop if 'bytes' was to become zero; Add a check to avoid it.
+
+[The guest can force 'bytes' to 0 by setting the hdr_len and mss
+descriptor fields to 0.
+--Stefan]
+
+Signed-off-by: P J P <pjp@fedoraproject.org>
+Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
+Reviewed-by: Thomas Huth <thuth@redhat.com>
+Message-id: 1441383666-6590-1-git-send-email-stefanha@redhat.com
+(cherry picked from commit b947ac2bf26479e710489739c465c8af336599e7)
+---
+ hw/net/e1000.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/hw/net/e1000.c b/hw/net/e1000.c
+index 5c6bcd0..09c9e9d 100644
+--- a/hw/net/e1000.c
++++ b/hw/net/e1000.c
+@@ -740,7 +740,8 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp)
+                 memmove(tp->data, tp->header, tp->hdr_len);
+                 tp->size = tp->hdr_len;
+             }
+-        } while (split_size -= bytes);
++            split_size -= bytes;
++        } while (bytes && split_size);
+     } else if (!tp->tse && tp->cptse) {
+         // context descriptor TSE is not set, while data descriptor TSE is set
+         DBGOUT(TXERR, "TCP segmentation error\n");
diff --git a/0005-ide-fix-ATAPI-command-permissions.patch b/0005-ide-fix-ATAPI-command-permissions.patch
new file mode 100644
index 0000000..7afc084
--- /dev/null
+++ b/0005-ide-fix-ATAPI-command-permissions.patch
@@ -0,0 +1,141 @@
+From: John Snow <jsnow@redhat.com>
+Date: Thu, 17 Sep 2015 14:17:05 -0400
+Subject: [PATCH] ide: fix ATAPI command permissions
+
+We're a little too lenient with what we'll let an ATAPI drive handle.
+Clamp down on the IDE command execution table to remove CD_OK permissions
+from commands that are not and have never been ATAPI commands.
+
+For ATAPI command validity, please see:
+- ATA4 Section 6.5 ("PACKET Command feature set")
+- ATA8/ACS Section 4.3 ("The PACKET feature set")
+- ACS3 Section 4.3 ("The PACKET feature set")
+
+ACS3 has a historical command validity table in Table B.4
+("Historical Command Assignments") that can be referenced to find when
+a command was introduced, deprecated, obsoleted, etc.
+
+The only reference for ATAPI command validity is by checking that
+version's PACKET feature set section.
+
+ATAPI was introduced by T13 into ATA4, all commands retired prior to ATA4
+therefore are assumed to have never been ATAPI commands.
+
+Mandatory commands, as listed in ATA8-ACS3, are:
+
+- DEVICE RESET
+- EXECUTE DEVICE DIAGNOSTIC
+- IDENTIFY DEVICE
+- IDENTIFY PACKET DEVICE
+- NOP
+- PACKET
+- READ SECTOR(S)
+- SET FEATURES
+
+Optional commands as listed in ATA8-ACS3, are:
+
+- FLUSH CACHE
+- READ LOG DMA EXT
+- READ LOG EXT
+- WRITE LOG DMA EXT
+- WRITE LOG EXT
+
+All other commands are illegal to send to an ATAPI device and should
+be rejected by the device.
+
+CD_OK removal justifications:
+
+0x06 WIN_DSM              Defined in ACS2. Not valid for ATAPI.
+0x21 WIN_READ_ONCE        Retired in ATA5. Not ATAPI in ATA4.
+0x94 WIN_STANDBYNOW2      Retired in ATA4. Did not coexist with ATAPI.
+0x95 WIN_IDLEIMMEDIATE2   Retired in ATA4. Did not coexist with ATAPI.
+0x96 WIN_STANDBY2         Retired in ATA4. Did not coexist with ATAPI.
+0x97 WIN_SETIDLE2         Retired in ATA4. Did not coexist with ATAPI.
+0x98 WIN_CHECKPOWERMODE2  Retired in ATA4. Did not coexist with ATAPI.
+0x99 WIN_SLEEPNOW2        Retired in ATA4. Did not coexist with ATAPI.
+0xE0 WIN_STANDBYNOW1      Not part of ATAPI in ATA4, ACS or ACS3.
+0xE1 WIN_IDLEIMMDIATE     Not part of ATAPI in ATA4, ACS or ACS3.
+0xE2 WIN_STANDBY          Not part of ATAPI in ATA4, ACS or ACS3.
+0xE3 WIN_SETIDLE1         Not part of ATAPI in ATA4, ACS or ACS3.
+0xE4 WIN_CHECKPOWERMODE1  Not part of ATAPI in ATA4, ACS or ACS3.
+0xE5 WIN_SLEEPNOW1        Not part of ATAPI in ATA4, ACS or ACS3.
+0xF8 WIN_READ_NATIVE_MAX  Obsoleted in ACS3. Not ATAPI in ATA4 or ACS.
+
+This patch fixes a divide by zero fault that can be caused by sending
+the WIN_READ_NATIVE_MAX command to an ATAPI drive, which causes it to
+attempt to use zeroed CHS values to perform sector arithmetic.
+
+Reported-by: Qinghao Tang <luodalongde@gmail.com>
+Signed-off-by: John Snow <jsnow@redhat.com>
+Reviewed-by: Markus Armbruster <armbru@redhat.com>
+Message-id: 1441816082-21031-1-git-send-email-jsnow@redhat.com
+CC: qemu-stable@nongnu.org
+(cherry picked from commit d9033e1d3aa666c5071580617a57bd853c5d794a)
+---
+ hw/ide/core.c | 30 +++++++++++++++---------------
+ 1 file changed, 15 insertions(+), 15 deletions(-)
+
+diff --git a/hw/ide/core.c b/hw/ide/core.c
+index 50449ca..71caea9 100644
+--- a/hw/ide/core.c
++++ b/hw/ide/core.c
+@@ -1747,11 +1747,11 @@ static const struct {
+ } ide_cmd_table[0x100] = {
+     /* NOP not implemented, mandatory for CD */
+     [CFA_REQ_EXT_ERROR_CODE]      = { cmd_cfa_req_ext_error_code, CFA_OK },
+-    [WIN_DSM]                     = { cmd_data_set_management, ALL_OK },
++    [WIN_DSM]                     = { cmd_data_set_management, HD_CFA_OK },
+     [WIN_DEVICE_RESET]            = { cmd_device_reset, CD_OK },
+     [WIN_RECAL]                   = { cmd_nop, HD_CFA_OK | SET_DSC},
+     [WIN_READ]                    = { cmd_read_pio, ALL_OK },
+-    [WIN_READ_ONCE]               = { cmd_read_pio, ALL_OK },
++    [WIN_READ_ONCE]               = { cmd_read_pio, HD_CFA_OK },
+     [WIN_READ_EXT]                = { cmd_read_pio, HD_CFA_OK },
+     [WIN_READDMA_EXT]             = { cmd_read_dma, HD_CFA_OK },
+     [WIN_READ_NATIVE_MAX_EXT]     = { cmd_read_native_max, HD_CFA_OK | SET_DSC },
+@@ -1770,12 +1770,12 @@ static const struct {
+     [CFA_TRANSLATE_SECTOR]        = { cmd_cfa_translate_sector, CFA_OK },
+     [WIN_DIAGNOSE]                = { cmd_exec_dev_diagnostic, ALL_OK },
+     [WIN_SPECIFY]                 = { cmd_nop, HD_CFA_OK | SET_DSC },
+-    [WIN_STANDBYNOW2]             = { cmd_nop, ALL_OK },
+-    [WIN_IDLEIMMEDIATE2]          = { cmd_nop, ALL_OK },
+-    [WIN_STANDBY2]                = { cmd_nop, ALL_OK },
+-    [WIN_SETIDLE2]                = { cmd_nop, ALL_OK },
+-    [WIN_CHECKPOWERMODE2]         = { cmd_check_power_mode, ALL_OK | SET_DSC },
+-    [WIN_SLEEPNOW2]               = { cmd_nop, ALL_OK },
++    [WIN_STANDBYNOW2]             = { cmd_nop, HD_CFA_OK },
++    [WIN_IDLEIMMEDIATE2]          = { cmd_nop, HD_CFA_OK },
++    [WIN_STANDBY2]                = { cmd_nop, HD_CFA_OK },
++    [WIN_SETIDLE2]                = { cmd_nop, HD_CFA_OK },
++    [WIN_CHECKPOWERMODE2]         = { cmd_check_power_mode, HD_CFA_OK | SET_DSC },
++    [WIN_SLEEPNOW2]               = { cmd_nop, HD_CFA_OK },
+     [WIN_PACKETCMD]               = { cmd_packet, CD_OK },
+     [WIN_PIDENTIFY]               = { cmd_identify_packet, CD_OK },
+     [WIN_SMART]                   = { cmd_smart, HD_CFA_OK | SET_DSC },
+@@ -1789,19 +1789,19 @@ static const struct {
+     [WIN_WRITEDMA]                = { cmd_write_dma, HD_CFA_OK },
+     [WIN_WRITEDMA_ONCE]           = { cmd_write_dma, HD_CFA_OK },
+     [CFA_WRITE_MULTI_WO_ERASE]    = { cmd_write_multiple, CFA_OK },
+-    [WIN_STANDBYNOW1]             = { cmd_nop, ALL_OK },
+-    [WIN_IDLEIMMEDIATE]           = { cmd_nop, ALL_OK },
+-    [WIN_STANDBY]                 = { cmd_nop, ALL_OK },
+-    [WIN_SETIDLE1]                = { cmd_nop, ALL_OK },
+-    [WIN_CHECKPOWERMODE1]         = { cmd_check_power_mode, ALL_OK | SET_DSC },
+-    [WIN_SLEEPNOW1]               = { cmd_nop, ALL_OK },
++    [WIN_STANDBYNOW1]             = { cmd_nop, HD_CFA_OK },
++    [WIN_IDLEIMMEDIATE]           = { cmd_nop, HD_CFA_OK },
++    [WIN_STANDBY]                 = { cmd_nop, HD_CFA_OK },
++    [WIN_SETIDLE1]                = { cmd_nop, HD_CFA_OK },
++    [WIN_CHECKPOWERMODE1]         = { cmd_check_power_mode, HD_CFA_OK | SET_DSC },
++    [WIN_SLEEPNOW1]               = { cmd_nop, HD_CFA_OK },
+     [WIN_FLUSH_CACHE]             = { cmd_flush_cache, ALL_OK },
+     [WIN_FLUSH_CACHE_EXT]         = { cmd_flush_cache, HD_CFA_OK },
+     [WIN_IDENTIFY]                = { cmd_identify, ALL_OK },
+     [WIN_SETFEATURES]             = { cmd_set_features, ALL_OK | SET_DSC },
+     [IBM_SENSE_CONDITION]         = { cmd_ibm_sense_condition, CFA_OK | SET_DSC },
+     [CFA_WEAR_LEVEL]              = { cmd_cfa_erase_sectors, HD_CFA_OK | SET_DSC },
+-    [WIN_READ_NATIVE_MAX]         = { cmd_read_native_max, ALL_OK | SET_DSC },
++    [WIN_READ_NATIVE_MAX]         = { cmd_read_native_max, HD_CFA_OK | SET_DSC },
+ };
+ 
+ static bool ide_cmd_permitted(IDEState *s, uint32_t cmd)
diff --git a/0006-net-avoid-infinite-loop-when-receiving-packets-CVE-2.patch b/0006-net-avoid-infinite-loop-when-receiving-packets-CVE-2.patch
new file mode 100644
index 0000000..c1f70ca
--- /dev/null
+++ b/0006-net-avoid-infinite-loop-when-receiving-packets-CVE-2.patch
@@ -0,0 +1,32 @@
+From: P J P <pjp@fedoraproject.org>
+Date: Tue, 15 Sep 2015 16:46:59 +0530
+Subject: [PATCH] net: avoid infinite loop when receiving
+ packets(CVE-2015-5278)
+
+Ne2000 NIC uses ring buffer of NE2000_MEM_SIZE(49152)
+bytes to process network packets. While receiving packets
+via ne2000_receive() routine, a local 'index' variable
+could exceed the ring buffer size, leading to an infinite
+loop situation.
+
+Reported-by: Qinghao Tang <luodalongde@gmail.com>
+Signed-off-by: P J P <pjp@fedoraproject.org>
+Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
+(cherry picked from commit 737d2b3c41d59eb8f94ab7eb419b957938f24943)
+---
+ hw/net/ne2000.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/net/ne2000.c b/hw/net/ne2000.c
+index 3492db3..44a4264 100644
+--- a/hw/net/ne2000.c
++++ b/hw/net/ne2000.c
+@@ -253,7 +253,7 @@ ssize_t ne2000_receive(NetClientState *nc, const uint8_t *buf, size_t size_)
+         if (index <= s->stop)
+             avail = s->stop - index;
+         else
+-            avail = 0;
++            break;
+         len = size;
+         if (len > avail)
+             len = avail;
diff --git a/0007-net-add-checks-to-validate-ring-buffer-pointers-CVE-.patch b/0007-net-add-checks-to-validate-ring-buffer-pointers-CVE-.patch
new file mode 100644
index 0000000..d197a7e
--- /dev/null
+++ b/0007-net-add-checks-to-validate-ring-buffer-pointers-CVE-.patch
@@ -0,0 +1,67 @@
+From: P J P <pjp@fedoraproject.org>
+Date: Tue, 15 Sep 2015 16:40:49 +0530
+Subject: [PATCH] net: add checks to validate ring buffer
+ pointers(CVE-2015-5279)
+
+Ne2000 NIC uses ring buffer of NE2000_MEM_SIZE(49152)
+bytes to process network packets. While receiving packets
+via ne2000_receive() routine, a local 'index' variable
+could exceed the ring buffer size, which could lead to a
+memory buffer overflow. Added other checks at initialisation.
+
+Reported-by: Qinghao Tang <luodalongde@gmail.com>
+Signed-off-by: P J P <pjp@fedoraproject.org>
+Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
+(cherry picked from commit 9bbdbc66e5765068dce76e9269dce4547afd8ad4)
+---
+ hw/net/ne2000.c | 19 +++++++++++++++----
+ 1 file changed, 15 insertions(+), 4 deletions(-)
+
+diff --git a/hw/net/ne2000.c b/hw/net/ne2000.c
+index 44a4264..2bdb4c9 100644
+--- a/hw/net/ne2000.c
++++ b/hw/net/ne2000.c
+@@ -230,6 +230,9 @@ ssize_t ne2000_receive(NetClientState *nc, const uint8_t *buf, size_t size_)
+     }
+ 
+     index = s->curpag << 8;
++    if (index >= NE2000_PMEM_END) {
++        index = s->start;
++    }
+     /* 4 bytes for header */
+     total_len = size + 4;
+     /* address for next packet (4 bytes for CRC) */
+@@ -315,13 +318,19 @@ static void ne2000_ioport_write(void *opaque, uint32_t addr, uint32_t val)
+         offset = addr | (page << 4);
+         switch(offset) {
+         case EN0_STARTPG:
+-            s->start = val << 8;
++            if (val << 8 <= NE2000_PMEM_END) {
++                s->start = val << 8;
++            }
+             break;
+         case EN0_STOPPG:
+-            s->stop = val << 8;
++            if (val << 8 <= NE2000_PMEM_END) {
++                s->stop = val << 8;
++            }
+             break;
+         case EN0_BOUNDARY:
+-            s->boundary = val;
++            if (val << 8 < NE2000_PMEM_END) {
++                s->boundary = val;
++            }
+             break;
+         case EN0_IMR:
+             s->imr = val;
+@@ -362,7 +371,9 @@ static void ne2000_ioport_write(void *opaque, uint32_t addr, uint32_t val)
+             s->phys[offset - EN1_PHYS] = val;
+             break;
+         case EN1_CURPAG:
+-            s->curpag = val;
++            if (val << 8 < NE2000_PMEM_END) {
++                s->curpag = val;
++            }
+             break;
+         case EN1_MULT ... EN1_MULT + 7:
+             s->mult[offset - EN1_MULT] = val;
diff --git a/qemu.spec b/qemu.spec
index 1e7d1f8..33b84e6 100644
--- a/qemu.spec
+++ b/qemu.spec
@@ -40,7 +40,7 @@
 Summary: QEMU is a FAST! processor emulator
 Name: qemu
 Version: 2.4.0
-Release: 3%{?dist}
+Release: 4%{?dist}
 Epoch: 2
 License: GPLv2+ and LGPLv2+ and BSD
 Group: Development/Tools
@@ -71,10 +71,19 @@ Source13: qemu-kvm.sh
 # CVE-2015-5255: heap memory corruption in vnc_refresh_server_surface
 # (bz #1255899)
 Patch0001: 0001-vnc-fix-memory-corruption-CVE-2015-5225.patch
-
-# Fix emulation of various instructions, required by libm in F22 ppc64 guests.
-Patch0002: 0001-target-ppc-fix-vcipher-vcipherlast-vncipherlast-and-.patch
-Patch0003: 0002-target-ppc-fix-xscmpodp-and-xscmpudp-decoding.patch
+# Fix emulation of various instructions, required by libm in F22 ppc64
+# guests.
+Patch0002: 0002-target-ppc-fix-vcipher-vcipherlast-vncipherlast-and-.patch
+Patch0003: 0003-target-ppc-fix-xscmpodp-and-xscmpudp-decoding.patch
+# CVE-2015-6815: net: e1000: infinite loop issue (bz #1260225)
+Patch0004: 0004-e1000-Avoid-infinite-loop-in-processing-transmit-des.patch
+# CVE-2015-6855: ide: divide by zero issue (bz #1261793)
+Patch0005: 0005-ide-fix-ATAPI-command-permissions.patch
+# CVE-2015-5278: Infinite loop in ne2000_receive() (bz #1263284)
+Patch0006: 0006-net-avoid-infinite-loop-when-receiving-packets-CVE-2.patch
+# CVE-2015-5279: Heap overflow vulnerability in ne2000_receive() (bz
+# #1263287)
+Patch0007: 0007-net-add-checks-to-validate-ring-buffer-pointers-CVE-.patch
 
 BuildRequires: SDL2-devel
 BuildRequires: zlib-devel
@@ -1207,6 +1216,12 @@ getent passwd qemu >/dev/null || \
 
 
 %changelog
+* Mon Sep 21 2015 Cole Robinson <crobinso@redhat.com> - 2:2.4.0-4
+- CVE-2015-6815: net: e1000: infinite loop issue (bz #1260225)
+- CVE-2015-6855: ide: divide by zero issue (bz #1261793)
+- CVE-2015-5278: Infinite loop in ne2000_receive() (bz #1263284)
+- CVE-2015-5279: Heap overflow vulnerability in ne2000_receive() (bz #1263287)
+
 * Sun Sep 20 2015 Richard W.M. Jones <rjones@redhat.com> - 2:2.4.0-3
 - Fix emulation of various instructions, required by libm in F22 ppc64 guests.