diff --git a/SOURCES/1007-dhcp-nettools-handle-io-failure-rh1843357.patch b/SOURCES/1007-dhcp-nettools-handle-io-failure-rh1843357.patch
new file mode 100644
index 0000000..4ffec8b
--- /dev/null
+++ b/SOURCES/1007-dhcp-nettools-handle-io-failure-rh1843357.patch
@@ -0,0 +1,137 @@
+From ec23a125054566b67b6db3a27c6d2127355b1470 Mon Sep 17 00:00:00 2001
+From: Beniamino Galvani <bgalvani@redhat.com>
+Date: Wed, 29 Apr 2020 18:18:28 +0200
+Subject: [PATCH 1/1] n-dhcp4: don't fail dispatch in case of receive errors
+
+Currently any error encountered in n_dhcp4_c_connection_dispatch_io()
+causes a dispatch failure and interrupts the library state
+machine. The recvmsg() on the socket can fail for different reasons;
+one of these is for example that the UDP request previously sent got a
+ICMP port-unreachable response. This can be reproduced in the
+following way:
+
+ ip netns add ns1
+ ip link add veth0 type veth peer name veth1
+ ip link set veth1 netns ns1
+ ip link set veth0 up
+
+ cat > dhcpd.conf <<EOF
+ server-identifier 172.25.0.1;
+ max-lease-time 120;
+ default-lease-time 120;
+ subnet 172.25.0.0 netmask 255.255.255.0 {
+        range 172.25.0.100 172.25.0.200;
+ }
+ EOF
+
+ ip -n ns1 link set veth1 up
+ ip -n ns1 address add dev veth1 172.25.0.1/24
+ ip netns exec ns1 iptables -A INPUT -p udp --dport 67 -j REJECT
+ ip netns exec ns1 dhcpd -4 -cf dhcpd.conf -pf /tmp/dhcp-server.pid
+
+If a client is started on veth0, it is able to obtain a lease despite
+the firewall rule blocking DHCP, because dhcpd uses a packet
+socket. Then it fails during the renewal because the recvmsg() fails:
+
+ dhcp4 (veth0): send REQUEST of 172.25.0.178 to 172.25.0.1
+ dhcp4 (veth0): error -111 dispatching events
+ dhcp4 (veth0): state changed bound -> fail
+
+The client should consider such errors non fatal and keep running.
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1829178
+https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/486
+(cherry picked from commit c5d1d4c498c50dfc7d2d18b213a117dd1199f1de)
+(cherry picked from commit bee01292f886dcff7114dc421983f1d50f1939b0)
+(cherry picked from commit f2fdb6710f92d8621667e84485b82a9b712228c7)
+---
+ shared/n-dhcp4/src/n-dhcp4-c-connection.c | 29 ++++++++++++++++-------
+ shared/n-dhcp4/src/n-dhcp4-c-probe.c      |  1 +
+ 2 files changed, 22 insertions(+), 8 deletions(-)
+
+diff --git a/shared/n-dhcp4/src/n-dhcp4-c-connection.c b/shared/n-dhcp4/src/n-dhcp4-c-connection.c
+index a5c8ea66fe9d..30514e286d32 100644
+--- a/shared/n-dhcp4/src/n-dhcp4-c-connection.c
++++ b/shared/n-dhcp4/src/n-dhcp4-c-connection.c
+@@ -1136,6 +1136,13 @@ int n_dhcp4_c_connection_dispatch_timer(NDhcp4CConnection *connection,
+         return 0;
+ }
+ 
++/*
++ * Returns:
++ *  0                     on success
++ *  N_DHCP4_E_MALFORMED   if a malformed packet was received
++ *  N_DHCP4_E_UNEXPECTED  if the packet received contains unexpected data
++ *  N_DHCP4_E_AGAIN       if there was another error (non fatal for the client)
++ */
+ int n_dhcp4_c_connection_dispatch_io(NDhcp4CConnection *connection,
+                                      NDhcp4Incoming **messagep) {
+         _c_cleanup_(n_dhcp4_incoming_freep) NDhcp4Incoming *message = NULL;
+@@ -1150,10 +1157,11 @@ int n_dhcp4_c_connection_dispatch_io(NDhcp4CConnection *connection,
+                                                  connection->scratch_buffer,
+                                                  sizeof(connection->scratch_buffer),
+                                                  &message);
+-                if (r)
++                if (!r)
++                        break;
++                else if (r == N_DHCP4_E_MALFORMED)
+                         return r;
+-
+-                break;
++                return N_DHCP4_E_AGAIN;
+         case N_DHCP4_C_CONNECTION_STATE_DRAINING:
+                 r = n_dhcp4_c_socket_packet_recv(connection->fd_packet,
+                                                  connection->scratch_buffer,
+@@ -1161,8 +1169,10 @@ int n_dhcp4_c_connection_dispatch_io(NDhcp4CConnection *connection,
+                                                  &message);
+                 if (!r)
+                         break;
+-                else if (r != N_DHCP4_E_AGAIN)
++                else if (r == N_DHCP4_E_MALFORMED)
+                         return r;
++                else if (r != N_DHCP4_E_AGAIN)
++                        return N_DHCP4_E_AGAIN;
+ 
+                 /*
+                  * The UDP socket is open and the packet socket has been shut down
+@@ -1180,18 +1190,21 @@ int n_dhcp4_c_connection_dispatch_io(NDhcp4CConnection *connection,
+                                               connection->scratch_buffer,
+                                               sizeof(connection->scratch_buffer),
+                                               &message);
+-                if (r)
++                if (!r)
++                        break;
++                else if (r == N_DHCP4_E_MALFORMED)
+                         return r;
+-
+-                break;
++                return N_DHCP4_E_AGAIN;
+         default:
+                 abort();
+                 return -ENOTRECOVERABLE;
+         }
+ 
+         r = n_dhcp4_c_connection_verify_incoming(connection, message, &type);
+-        if (r)
++        if (r == N_DHCP4_E_MALFORMED || r == N_DHCP4_E_UNEXPECTED)
+                 return r;
++        else if (r != 0)
++                return N_DHCP4_E_AGAIN;
+ 
+         if (type == N_DHCP4_MESSAGE_OFFER || type == N_DHCP4_MESSAGE_ACK) {
+                 n_dhcp4_c_log(connection->client_config, LOG_INFO,
+diff --git a/shared/n-dhcp4/src/n-dhcp4-c-probe.c b/shared/n-dhcp4/src/n-dhcp4-c-probe.c
+index e4477a7c7472..5e97129834d1 100644
+--- a/shared/n-dhcp4/src/n-dhcp4-c-probe.c
++++ b/shared/n-dhcp4/src/n-dhcp4-c-probe.c
+@@ -1242,6 +1242,7 @@ int n_dhcp4_client_probe_dispatch_io(NDhcp4ClientProbe *probe, uint32_t events)
+                         return 0;
+                 }
+ 
++                abort();
+                 return r;
+         }
+ 
+-- 
+2.26.2
+
diff --git a/SOURCES/1008-ifcfg-rh-handle-802-1x-ca-path-cve-2020-10754.patch b/SOURCES/1008-ifcfg-rh-handle-802-1x-ca-path-cve-2020-10754.patch
new file mode 100644
index 0000000..22f4f1d
--- /dev/null
+++ b/SOURCES/1008-ifcfg-rh-handle-802-1x-ca-path-cve-2020-10754.patch
@@ -0,0 +1,54 @@
+From 0da5e2e48c617f13e4583d72c2c5a72e4b6e299c Mon Sep 17 00:00:00 2001
+From: Thomas Haller <thaller@redhat.com>
+Date: Tue, 26 May 2020 15:26:04 +0200
+Subject: [PATCH 1/1] ifcfg-rh: fix handling "802-1x.{phase2-,}ca-path" in
+ ifcfg-rh settings plugin
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1840210
+https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/issues/448
+(cherry picked from commit b6b6639c7c8fa667b8fcbc310b65d88124fdc260)
+(cherry picked from commit 67f1da27fe95fbe09999a953558a0b3e4dcfdd69)
+(cherry picked from commit 7a20dd4dbbd51081b598f4d42254190a03271471)
+---
+ src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-reader.c | 8 ++++++++
+ src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-writer.c | 5 +++++
+ 2 files changed, 13 insertions(+)
+
+diff --git a/src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-reader.c b/src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-reader.c
+index e01f7344cdfe..9cb21f92ac5b 100644
+--- a/src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-reader.c
++++ b/src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-reader.c
+@@ -3626,6 +3626,14 @@ next:
+ 	timeout = svGetValueInt64 (ifcfg, "IEEE_8021X_AUTH_TIMEOUT", 10, 0, G_MAXINT32, 0);
+ 	g_object_set (s_8021x, NM_SETTING_802_1X_AUTH_TIMEOUT, (int) timeout, NULL);
+ 
++	nm_clear_g_free (&value);
++	v = svGetValueStr (ifcfg, "IEEE_8021X_CA_PATH", &value);
++	g_object_set (s_8021x, NM_SETTING_802_1X_CA_PATH, v, NULL);
++
++	nm_clear_g_free (&value);
++	v = svGetValueStr (ifcfg, "IEEE_8021X_PHASE2_CA_PATH", &value);
++	g_object_set (s_8021x, NM_SETTING_802_1X_PHASE2_CA_PATH, v, NULL);
++
+ 	g_object_set (s_8021x,
+ 	              NM_SETTING_802_1X_OPTIONAL,
+ 	              svGetValueBoolean (ifcfg, "IEEE_8021X_OPTIONAL", FALSE),
+diff --git a/src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-writer.c b/src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-writer.c
+index 90a1a2b8f6f9..3afdb2acd14d 100644
+--- a/src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-writer.c
++++ b/src/settings/plugins/ifcfg-rh/nms-ifcfg-rh-writer.c
+@@ -530,6 +530,11 @@ write_8021x_setting (NMConnection *connection,
+ 	                             "IEEE_8021X_OPTIONAL",
+ 	                             nm_setting_802_1x_get_optional (s_8021x));
+ 
++	svSetValue (ifcfg, "IEEE_8021X_CA_PATH",
++	            nm_setting_802_1x_get_ca_path (s_8021x));
++	svSetValue (ifcfg, "IEEE_8021X_PHASE2_CA_PATH",
++	            nm_setting_802_1x_get_phase2_ca_path (s_8021x));
++
+ 	if (!write_8021x_certs (s_8021x, secrets, blobs, FALSE, ifcfg, error))
+ 		return FALSE;
+ 
+-- 
+2.26.2
+
diff --git a/SPECS/NetworkManager.spec b/SPECS/NetworkManager.spec
index 292ace9..2de4ffb 100644
--- a/SPECS/NetworkManager.spec
+++ b/SPECS/NetworkManager.spec
@@ -7,7 +7,7 @@
 %global epoch_version 1
 %global rpm_version 1.22.8
 %global real_version 1.22.8
-%global release_version 4
+%global release_version 5
 %global snapshot %{nil}
 %global git_sha %{nil}
 
@@ -152,6 +152,8 @@ Patch1003: 1003-dhcp-keep-trying-after-send-failure-rh1806516.patch
 Patch1004: 1004-ovs-fail-enslavement-if-no-bridge-rh1797696.patch
 Patch1005: 1005-fix-leak-device-state-files-rh1810153.patch
 Patch1006: 1006-dhcp-nettools-clear-source-rh1810188.patch
+Patch1007: 1007-dhcp-nettools-handle-io-failure-rh1843357.patch
+Patch1008: 1008-ifcfg-rh-handle-802-1x-ca-path-cve-2020-10754.patch
 
 # The pregenerated docs contain default values and paths that depend
 # on the configure options when creating the source tarball.
@@ -1075,6 +1077,10 @@ fi
 
 
 %changelog
+* Wed Jun  3 2020 Thomas Haller <thaller@redhat.com> - 1:1.22.8-5
+- dhcp: fix handling IO error in nettools DHCPv4 client (rh #1843357)
+- ifcfg-rh: handle "802-1x.{,phase2-}ca-path" (rh #1843360, CVE-2020-10754)
+
 * Fri Mar  6 2020 Thomas Haller <thaller@redhat.com> - 1:1.22.8-4
 - core: fix leaking device state files in /run (rh #1810153)
 - dhcp: fix crash in nettools client when leaking GSource (rh #1810188)