diff --git a/SOURCES/buildah-1810069.patch b/SOURCES/buildah-1810069.patch
new file mode 100644
index 0000000..02d3176
--- /dev/null
+++ b/SOURCES/buildah-1810069.patch
@@ -0,0 +1,130 @@
+From 49ab77998f85a05f05814f6575b25de264bf8256 Mon Sep 17 00:00:00 2001
+From: TomSweeneyRedHat <tsweeney@redhat.com>
+Date: Sat, 18 Jan 2020 15:43:05 -0500
+Subject: [PATCH] Fix COPY in containerfile with envvar
+
+If a Containerfile had lines like:
+
+```
+FROM alpine
+ENV VERSION=0.0.1
+COPY file-${VERSION}.txt /
+```
+
+Buildah would not resolve the VERSION variable in the copy statement.
+If the 'ENV' in the above Containerfile was changed to ARG, then this
+would work.
+
+A recent change to the handling of variables now only looks at variables
+set by 'ARG' and not the ones set by the 'ENV' command.  This PR
+adds the the variables set by the `ENV` to the list of `ARG` variables
+when those variables are being resolved by the code.
+
+This also includes added test to guard against this regression in the future.
+
+Addresses:  https://github.com/containers/libpod/issues/4878
+
+Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
+---
+ imagebuildah/stage_executor.go       | 13 +++++++------
+ tests/bud.bats                       | 12 ++++++++++++
+ tests/bud/copy-envvar/Containerfile  |  3 +++
+ tests/bud/copy-envvar/file-0.0.1.txt |  0
+ 4 files changed, 22 insertions(+), 6 deletions(-)
+ create mode 100644 tests/bud/copy-envvar/Containerfile
+ create mode 100644 tests/bud/copy-envvar/file-0.0.1.txt
+
+diff --git a/imagebuildah/stage_executor.go b/imagebuildah/stage_executor.go
+index 4fd630a83..60fa10888 100644
+--- a/imagebuildah/stage_executor.go
++++ b/imagebuildah/stage_executor.go
+@@ -253,7 +253,7 @@ func (s *StageExecutor) volumeCacheRestore() error {
+ // don't care about the details of where in the filesystem the content actually
+ // goes, because we're not actually going to add it here, so this is less
+ // involved than Copy().
+-func (s *StageExecutor) digestSpecifiedContent(node *parser.Node, argValues []string) (string, error) {
++func (s *StageExecutor) digestSpecifiedContent(node *parser.Node, argValues []string, envValues []string) (string, error) {
+ 	// No instruction: done.
+ 	if node == nil {
+ 		return "", nil
+@@ -298,10 +298,11 @@ func (s *StageExecutor) digestSpecifiedContent(node *parser.Node, argValues []st
+ 		}
+ 	}
+ 
++	varValues := append(argValues, envValues...)
+ 	for _, src := range srcs {
+ 		// If src has an argument within it, resolve it to its
+ 		// value.  Otherwise just return the value found.
+-		name, err := imagebuilder.ProcessWord(src, argValues)
++		name, err := imagebuilder.ProcessWord(src, varValues)
+ 		if err != nil {
+ 			return "", errors.Wrapf(err, "unable to resolve source %q", src)
+ 		}
+@@ -345,7 +346,7 @@ func (s *StageExecutor) digestSpecifiedContent(node *parser.Node, argValues []st
+ 
+ 	// If destination.Value has an argument within it, resolve it to its
+ 	// value.  Otherwise just return the value found.
+-	destValue, destErr := imagebuilder.ProcessWord(destination.Value, argValues)
++	destValue, destErr := imagebuilder.ProcessWord(destination.Value, varValues)
+ 	if destErr != nil {
+ 		return "", errors.Wrapf(destErr, "unable to resolve destination %q", destination.Value)
+ 	}
+@@ -868,7 +869,7 @@ func (s *StageExecutor) Execute(ctx context.Context, stage imagebuilder.Stage, b
+ 				return "", nil, errors.Wrapf(err, "error building at STEP \"%s\"", step.Message)
+ 			}
+ 			// In case we added content, retrieve its digest.
+-			addedContentDigest, err := s.digestSpecifiedContent(node, ib.Arguments())
++			addedContentDigest, err := s.digestSpecifiedContent(node, ib.Arguments(), ib.Config().Env)
+ 			if err != nil {
+ 				return "", nil, err
+ 			}
+@@ -917,7 +918,7 @@ func (s *StageExecutor) Execute(ctx context.Context, stage imagebuilder.Stage, b
+ 		// cached images so far, look for one that matches what we
+ 		// expect to produce for this instruction.
+ 		if checkForLayers && !(s.executor.squash && lastInstruction && lastStage) {
+-			addedContentDigest, err := s.digestSpecifiedContent(node, ib.Arguments())
++			addedContentDigest, err := s.digestSpecifiedContent(node, ib.Arguments(), ib.Config().Env)
+ 			if err != nil {
+ 				return "", nil, err
+ 			}
+@@ -975,7 +976,7 @@ func (s *StageExecutor) Execute(ctx context.Context, stage imagebuilder.Stage, b
+ 				return "", nil, errors.Wrapf(err, "error building at STEP \"%s\"", step.Message)
+ 			}
+ 			// In case we added content, retrieve its digest.
+-			addedContentDigest, err := s.digestSpecifiedContent(node, ib.Arguments())
++			addedContentDigest, err := s.digestSpecifiedContent(node, ib.Arguments(), ib.Config().Env)
+ 			if err != nil {
+ 				return "", nil, err
+ 			}
+diff --git a/tests/bud.bats b/tests/bud.bats
+index 022088b72..966864cae 100644
+--- a/tests/bud.bats
++++ b/tests/bud.bats
+@@ -1882,3 +1882,15 @@ EOM
+   run_buildah 1 bud --signature-policy ${TESTSDIR}/policy.json -t ${target} -f ${TESTSDIR}/bud/copy/Dockerfile.url ${TESTSDIR}/bud/copy
+   rm -r ${TESTSDIR}/bud/copy
+ }
++
++@test "bud COPY with Env Var in Containerfile" {
++  run_buildah bud --signature-policy ${TESTSDIR}/policy.json -t testctr ${TESTSDIR}/bud/copy-envvar
++  run_buildah from testctr
++  run_buildah run testctr-working-container ls /file-0.0.1.txt
++  run_buildah rm -a
++
++  run_buildah bud --signature-policy ${TESTSDIR}/policy.json --layers -t testctr ${TESTSDIR}/bud/copy-envvar
++  run_buildah from testctr
++  run_buildah run testctr-working-container ls /file-0.0.1.txt
++  run_buildah rm -a
++}
+diff --git a/tests/bud/copy-envvar/Containerfile b/tests/bud/copy-envvar/Containerfile
+new file mode 100644
+index 000000000..0e8c9109d
+--- /dev/null
++++ b/tests/bud/copy-envvar/Containerfile
+@@ -0,0 +1,3 @@
++FROM alpine 
++ENV VERSION=0.0.1
++COPY file-${VERSION}.txt /
+diff --git a/tests/bud/copy-envvar/file-0.0.1.txt b/tests/bud/copy-envvar/file-0.0.1.txt
+new file mode 100644
+index 000000000..e69de29bb
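Review bot: `varValues := append(argValues, envValues...)` places the ARG values ahead of the ENV values, so if imagebuilder.ProcessWord resolves a variable to the first matching `NAME=` entry (which I believe the Docker shell parser it derives from does), an ARG silently shadows a same-named ENV — the reverse of the Dockerfile rule that ENV overrides ARG. Because this digest keys the `--layers` cache lookup a few lines later, a mis-resolved source means cache hits are decided on different content than the COPY actually adds. Building the list fresh with ENV first, `varValues := append(append(make([]string, 0, len(envValues)+len(argValues)), envValues...), argValues...)`, fixes the precedence and also avoids appending into the spare capacity of the slice returned by ib.Arguments(). digestSpecifiedContent and Execute both continue outside the hunk, and ProcessWord's lookup order is not visible here, so confirm it before changing.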
diff --git a/SOURCES/buildah-CVE-2020-10696.patch b/SOURCES/buildah-CVE-2020-10696.patch
new file mode 100644
index 0000000..b0c58fd
--- /dev/null
+++ b/SOURCES/buildah-CVE-2020-10696.patch
@@ -0,0 +1,58 @@
+From 840e7dad513b86f454573ad415701c0199f78d30 Mon Sep 17 00:00:00 2001
+From: TomSweeneyRedHat <tsweeney@redhat.com>
+Date: Tue, 24 Mar 2020 20:10:22 -0400
+Subject: [PATCH] Fix potential CVE in tarfile w/ symlink
+
+Stealing @nalind 's workaround to avoid refetching
+content after a file read failure.  Under the right
+circumstances that could be a symlink to a file meant
+to overwrite a good file with bad data.
+
+Testing:
+```
+goodstuff
+
+[1] 14901
+
+127.0.0.1 - - [24/Mar/2020 20:15:50] "GET / HTTP/1.1" 200 -
+127.0.0.1 - - [24/Mar/2020 20:15:50] "GET / HTTP/1.1" 200 -
+no FROM statement found
+
+goodstuff
+```
+
+Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
+---
+ imagebuildah/util.go | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/imagebuildah/util.go b/imagebuildah/util.go
+index 29ea60970..5f14c9883 100644
+--- a/imagebuildah/util.go
++++ b/imagebuildah/util.go
+@@ -14,6 +14,7 @@ import (
+ 
+ 	"github.com/containers/buildah"
+ 	"github.com/containers/storage/pkg/chrootarchive"
++	"github.com/containers/storage/pkg/ioutils"
+ 	"github.com/opencontainers/runtime-spec/specs-go"
+ 	"github.com/pkg/errors"
+ 	"github.com/sirupsen/logrus"
+@@ -57,7 +58,7 @@ func downloadToDirectory(url, dir string) error {
+ 		}
+ 		dockerfile := filepath.Join(dir, "Dockerfile")
+ 		// Assume this is a Dockerfile
+-		if err := ioutil.WriteFile(dockerfile, body, 0600); err != nil {
++		if err := ioutils.AtomicWriteFile(dockerfile, body, 0600); err != nil {
+ 			return errors.Wrapf(err, "Failed to write %q to %q", url, dockerfile)
+ 		}
+ 	}
+@@ -75,7 +76,7 @@ func stdinToDirectory(dir string) error {
+ 	if err := chrootarchive.Untar(reader, dir, nil); err != nil {
+ 		dockerfile := filepath.Join(dir, "Dockerfile")
+ 		// Assume this is a Dockerfile
+-		if err := ioutil.WriteFile(dockerfile, b, 0600); err != nil {
++		if err := ioutils.AtomicWriteFile(dockerfile, b, 0600); err != nil {
+ 			return errors.Wrapf(err, "Failed to write bytes to %q", dockerfile)
+ 		}
+ 	}
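Review bot: Switching the two fallback writes to ioutils.AtomicWriteFile stops a symlink named `Dockerfile` from redirecting the write, since the helper writes a temporary file and renames it into place rather than opening the existing path; but whatever chrootarchive.Untar extracted into `dir` before it failed is still left there and becomes part of the build context next to the synthesized Dockerfile. Consider clearing `dir` (or extracting into a scratch directory and moving it into place only on success) before falling back, so a crafted archive cannot seed the context with files that a later COPY/ADD picks up. A why-comment above each fallback, e.g. `// Untar may have partially populated dir; write via rename so an extracted symlink cannot redirect this write.`, would record why the atomic write is load-bearing here. downloadToDirectory and stdinToDirectory both begin outside the hunk, so how `body` and `b` are read and whether their size is bounded cannot be checked from this diff.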
diff --git a/SOURCES/buildah-CVE-2020-1702.patch b/SOURCES/buildah-CVE-2020-1702.patch
new file mode 100644
index 0000000..00ea466
--- /dev/null
+++ b/SOURCES/buildah-CVE-2020-1702.patch
@@ -0,0 +1,390 @@
+From be1eb6f70fb40e45096b69aeb048d54c526a4a8f Mon Sep 17 00:00:00 2001
+From: Valentin Rothberg <rothberg@redhat.com>
+Date: Thu, 6 Feb 2020 09:49:15 +0100
+Subject: [PATCH] [1.11-rhel] update github.com/containers/image
+
+Note that this includes fixes for
+https://access.redhat.com/security/cve/CVE-2020-1702.
+
+Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
+---
+ go.mod                                        |  2 +-
+ go.sum                                        |  2 +
+ .../image/v5/docker/docker_client.go          |  6 +-
+ .../image/v5/docker/docker_image_dest.go      |  3 +-
+ .../image/v5/docker/docker_image_src.go       | 10 ++--
+ .../image/v5/docker/tarfile/dest.go           |  3 +-
+ .../containers/image/v5/docker/tarfile/src.go |  9 +--
+ .../image/v5/image/docker_schema2.go          |  4 +-
+ .../containers/image/v5/image/oci.go          |  4 +-
+ .../image/v5/internal/iolimits/iolimits.go    | 60 +++++++++++++++++++
+ .../image/v5/openshift/openshift.go           |  4 +-
+ vendor/modules.txt                            |  3 +-
+ 12 files changed, 89 insertions(+), 21 deletions(-)
+ create mode 100644 vendor/github.com/containers/image/v5/internal/iolimits/iolimits.go
+
+diff --git a/go.mod b/go.mod
+index 684b00ff5..b94792238 100644
+--- a/go.mod
++++ b/go.mod
+@@ -5,7 +5,7 @@ go 1.12
+ require (
+ 	github.com/blang/semver v3.5.0+incompatible // indirect
+ 	github.com/containernetworking/cni v0.7.1
+-	github.com/containers/image/v5 v5.0.0
++	github.com/containers/image/v5 v5.0.1-0.20200205124631-82291c45f2b0
+ 	github.com/containers/storage v1.14.0
+ 	github.com/cyphar/filepath-securejoin v0.2.2
+ 	github.com/docker/distribution v2.7.1+incompatible
+diff --git a/go.sum b/go.sum
+index 1cce3ff7e..ef8729952 100644
+--- a/go.sum
++++ b/go.sum
+@@ -54,6 +54,8 @@ github.com/containers/image/v4 v4.0.1 h1:idNGHChj0Pyv3vLrxul2oSVMZLeFqpoq3CjLeVg
+ github.com/containers/image/v4 v4.0.1/go.mod h1:0ASJH1YgJiX/eqFZObqepgsvIA4XjCgpyfwn9pDGafA=
+ github.com/containers/image/v5 v5.0.0 h1:arnXgbt1ucsC/ndtSpiQY87rA0UjhF+/xQnPzqdBDn4=
+ github.com/containers/image/v5 v5.0.0/go.mod h1:MgiLzCfIeo8lrHi+4Lb8HP+rh513sm0Mlk6RrhjFOLY=
++github.com/containers/image/v5 v5.0.1-0.20200205124631-82291c45f2b0 h1:iV4aHKRoPcHp5BISsuiPMyaCjGJfLKp/FUMAG1NeqvE=
++github.com/containers/image/v5 v5.0.1-0.20200205124631-82291c45f2b0/go.mod h1:MgiLzCfIeo8lrHi+4Lb8HP+rh513sm0Mlk6RrhjFOLY=
+ github.com/containers/libtrust v0.0.0-20190913040956-14b96171aa3b h1:Q8ePgVfHDplZ7U33NwHZkrVELsZP5fYj9pM5WBZB2GE=
+ github.com/containers/libtrust v0.0.0-20190913040956-14b96171aa3b/go.mod h1:9rfv8iPl1ZP7aqh9YA68wnZv2NUDbXdcdPHVz0pFbPY=
+ github.com/containers/storage v1.13.4 h1:j0bBaJDKbUHtAW1MXPFnwXJtqcH+foWeuXK1YaBV5GA=
+diff --git a/vendor/github.com/containers/image/v5/docker/docker_client.go b/vendor/github.com/containers/image/v5/docker/docker_client.go
+index 0b012c703..bff077a40 100644
+--- a/vendor/github.com/containers/image/v5/docker/docker_client.go
++++ b/vendor/github.com/containers/image/v5/docker/docker_client.go
+@@ -6,7 +6,6 @@ import (
+ 	"encoding/json"
+ 	"fmt"
+ 	"io"
+-	"io/ioutil"
+ 	"net/http"
+ 	"net/url"
+ 	"os"
+@@ -17,6 +16,7 @@ import (
+ 	"time"
+ 
+ 	"github.com/containers/image/v5/docker/reference"
++	"github.com/containers/image/v5/internal/iolimits"
+ 	"github.com/containers/image/v5/pkg/docker/config"
+ 	"github.com/containers/image/v5/pkg/sysregistriesv2"
+ 	"github.com/containers/image/v5/pkg/tlsclientconfig"
+@@ -597,7 +597,7 @@ func (c *dockerClient) getBearerToken(ctx context.Context, challenge challenge,
+ 	default:
+ 		return nil, errors.Errorf("unexpected http code: %d (%s), URL: %s", res.StatusCode, http.StatusText(res.StatusCode), authReq.URL)
+ 	}
+-	tokenBlob, err := ioutil.ReadAll(res.Body)
++	tokenBlob, err := iolimits.ReadAtMost(res.Body, iolimits.MaxAuthTokenBodySize)
+ 	if err != nil {
+ 		return nil, err
+ 	}
+@@ -690,7 +690,7 @@ func (c *dockerClient) getExtensionsSignatures(ctx context.Context, ref dockerRe
+ 		return nil, errors.Wrapf(clientLib.HandleErrorResponse(res), "Error downloading signatures for %s in %s", manifestDigest, ref.ref.Name())
+ 	}
+ 
+-	body, err := ioutil.ReadAll(res.Body)
++	body, err := iolimits.ReadAtMost(res.Body, iolimits.MaxSignatureListBodySize)
+ 	if err != nil {
+ 		return nil, err
+ 	}
+diff --git a/vendor/github.com/containers/image/v5/docker/docker_image_dest.go b/vendor/github.com/containers/image/v5/docker/docker_image_dest.go
+index 417d97aec..ce8a1f357 100644
+--- a/vendor/github.com/containers/image/v5/docker/docker_image_dest.go
++++ b/vendor/github.com/containers/image/v5/docker/docker_image_dest.go
+@@ -15,6 +15,7 @@ import (
+ 	"strings"
+ 
+ 	"github.com/containers/image/v5/docker/reference"
++	"github.com/containers/image/v5/internal/iolimits"
+ 	"github.com/containers/image/v5/manifest"
+ 	"github.com/containers/image/v5/pkg/blobinfocache/none"
+ 	"github.com/containers/image/v5/types"
+@@ -620,7 +621,7 @@ sigExists:
+ 		}
+ 		defer res.Body.Close()
+ 		if res.StatusCode != http.StatusCreated {
+-			body, err := ioutil.ReadAll(res.Body)
++			body, err := iolimits.ReadAtMost(res.Body, iolimits.MaxErrorBodySize)
+ 			if err == nil {
+ 				logrus.Debugf("Error body %s", string(body))
+ 			}
+diff --git a/vendor/github.com/containers/image/v5/docker/docker_image_src.go b/vendor/github.com/containers/image/v5/docker/docker_image_src.go
+index 35beb30e5..5436d9b7d 100644
+--- a/vendor/github.com/containers/image/v5/docker/docker_image_src.go
++++ b/vendor/github.com/containers/image/v5/docker/docker_image_src.go
+@@ -12,6 +12,7 @@ import (
+ 	"strconv"
+ 
+ 	"github.com/containers/image/v5/docker/reference"
++	"github.com/containers/image/v5/internal/iolimits"
+ 	"github.com/containers/image/v5/manifest"
+ 	"github.com/containers/image/v5/pkg/sysregistriesv2"
+ 	"github.com/containers/image/v5/types"
+@@ -156,7 +157,8 @@ func (s *dockerImageSource) fetchManifest(ctx context.Context, tagOrDigest strin
+ 	if res.StatusCode != http.StatusOK {
+ 		return nil, "", errors.Wrapf(client.HandleErrorResponse(res), "Error reading manifest %s in %s", tagOrDigest, s.ref.ref.Name())
+ 	}
+-	manblob, err := ioutil.ReadAll(res.Body)
++
++	manblob, err := iolimits.ReadAtMost(res.Body, iolimits.MaxManifestBodySize)
+ 	if err != nil {
+ 		return nil, "", err
+ 	}
+@@ -342,7 +344,7 @@ func (s *dockerImageSource) getOneSignature(ctx context.Context, url *url.URL) (
+ 		} else if res.StatusCode != http.StatusOK {
+ 			return nil, false, errors.Errorf("Error reading signature from %s: status %d (%s)", url.String(), res.StatusCode, http.StatusText(res.StatusCode))
+ 		}
+-		sig, err := ioutil.ReadAll(res.Body)
++		sig, err := iolimits.ReadAtMost(res.Body, iolimits.MaxSignatureBodySize)
+ 		if err != nil {
+ 			return nil, false, err
+ 		}
+@@ -401,7 +403,7 @@ func deleteImage(ctx context.Context, sys *types.SystemContext, ref dockerRefere
+ 		return err
+ 	}
+ 	defer get.Body.Close()
+-	manifestBody, err := ioutil.ReadAll(get.Body)
++	manifestBody, err := iolimits.ReadAtMost(get.Body, iolimits.MaxManifestBodySize)
+ 	if err != nil {
+ 		return err
+ 	}
+@@ -424,7 +426,7 @@ func deleteImage(ctx context.Context, sys *types.SystemContext, ref dockerRefere
+ 	}
+ 	defer delete.Body.Close()
+ 
+-	body, err := ioutil.ReadAll(delete.Body)
++	body, err := iolimits.ReadAtMost(delete.Body, iolimits.MaxErrorBodySize)
+ 	if err != nil {
+ 		return err
+ 	}
+diff --git a/vendor/github.com/containers/image/v5/docker/tarfile/dest.go b/vendor/github.com/containers/image/v5/docker/tarfile/dest.go
+index b02c60bb3..9748ca112 100644
+--- a/vendor/github.com/containers/image/v5/docker/tarfile/dest.go
++++ b/vendor/github.com/containers/image/v5/docker/tarfile/dest.go
+@@ -13,6 +13,7 @@ import (
+ 	"time"
+ 
+ 	"github.com/containers/image/v5/docker/reference"
++	"github.com/containers/image/v5/internal/iolimits"
+ 	"github.com/containers/image/v5/internal/tmpdir"
+ 	"github.com/containers/image/v5/manifest"
+ 	"github.com/containers/image/v5/types"
+@@ -135,7 +136,7 @@ func (d *Destination) PutBlob(ctx context.Context, stream io.Reader, inputInfo t
+ 	}
+ 
+ 	if isConfig {
+-		buf, err := ioutil.ReadAll(stream)
++		buf, err := iolimits.ReadAtMost(stream, iolimits.MaxConfigBodySize)
+ 		if err != nil {
+ 			return types.BlobInfo{}, errors.Wrap(err, "Error reading Config file stream")
+ 		}
+diff --git a/vendor/github.com/containers/image/v5/docker/tarfile/src.go b/vendor/github.com/containers/image/v5/docker/tarfile/src.go
+index ad0a3d2cb..bbf604da6 100644
+--- a/vendor/github.com/containers/image/v5/docker/tarfile/src.go
++++ b/vendor/github.com/containers/image/v5/docker/tarfile/src.go
+@@ -11,6 +11,7 @@ import (
+ 	"path"
+ 	"sync"
+ 
++	"github.com/containers/image/v5/internal/iolimits"
+ 	"github.com/containers/image/v5/internal/tmpdir"
+ 	"github.com/containers/image/v5/manifest"
+ 	"github.com/containers/image/v5/pkg/compression"
+@@ -187,13 +188,13 @@ func findTarComponent(inputFile io.Reader, path string) (*tar.Reader, *tar.Heade
+ }
+ 
+ // readTarComponent returns full contents of componentPath.
+-func (s *Source) readTarComponent(path string) ([]byte, error) {
++func (s *Source) readTarComponent(path string, limit int) ([]byte, error) {
+ 	file, err := s.openTarComponent(path)
+ 	if err != nil {
+ 		return nil, errors.Wrapf(err, "Error loading tar component %s", path)
+ 	}
+ 	defer file.Close()
+-	bytes, err := ioutil.ReadAll(file)
++	bytes, err := iolimits.ReadAtMost(file, limit)
+ 	if err != nil {
+ 		return nil, err
+ 	}
+@@ -224,7 +225,7 @@ func (s *Source) ensureCachedDataIsPresentPrivate() error {
+ 	}
+ 
+ 	// Read and parse config.
+-	configBytes, err := s.readTarComponent(tarManifest[0].Config)
++	configBytes, err := s.readTarComponent(tarManifest[0].Config, iolimits.MaxConfigBodySize)
+ 	if err != nil {
+ 		return err
+ 	}
+@@ -250,7 +251,7 @@ func (s *Source) ensureCachedDataIsPresentPrivate() error {
+ // loadTarManifest loads and decodes the manifest.json.
+ func (s *Source) loadTarManifest() ([]ManifestItem, error) {
+ 	// FIXME? Do we need to deal with the legacy format?
+-	bytes, err := s.readTarComponent(manifestFileName)
++	bytes, err := s.readTarComponent(manifestFileName, iolimits.MaxTarFileManifestSize)
+ 	if err != nil {
+ 		return nil, err
+ 	}
+diff --git a/vendor/github.com/containers/image/v5/image/docker_schema2.go b/vendor/github.com/containers/image/v5/image/docker_schema2.go
+index 254c13f78..29c5047d7 100644
+--- a/vendor/github.com/containers/image/v5/image/docker_schema2.go
++++ b/vendor/github.com/containers/image/v5/image/docker_schema2.go
+@@ -7,10 +7,10 @@ import (
+ 	"encoding/hex"
+ 	"encoding/json"
+ 	"fmt"
+-	"io/ioutil"
+ 	"strings"
+ 
+ 	"github.com/containers/image/v5/docker/reference"
++	"github.com/containers/image/v5/internal/iolimits"
+ 	"github.com/containers/image/v5/manifest"
+ 	"github.com/containers/image/v5/pkg/blobinfocache/none"
+ 	"github.com/containers/image/v5/types"
+@@ -102,7 +102,7 @@ func (m *manifestSchema2) ConfigBlob(ctx context.Context) ([]byte, error) {
+ 			return nil, err
+ 		}
+ 		defer stream.Close()
+-		blob, err := ioutil.ReadAll(stream)
++		blob, err := iolimits.ReadAtMost(stream, iolimits.MaxConfigBodySize)
+ 		if err != nil {
+ 			return nil, err
+ 		}
+diff --git a/vendor/github.com/containers/image/v5/image/oci.go b/vendor/github.com/containers/image/v5/image/oci.go
+index 18a38d463..406da262f 100644
+--- a/vendor/github.com/containers/image/v5/image/oci.go
++++ b/vendor/github.com/containers/image/v5/image/oci.go
+@@ -4,9 +4,9 @@ import (
+ 	"context"
+ 	"encoding/json"
+ 	"fmt"
+-	"io/ioutil"
+ 
+ 	"github.com/containers/image/v5/docker/reference"
++	"github.com/containers/image/v5/internal/iolimits"
+ 	"github.com/containers/image/v5/manifest"
+ 	"github.com/containers/image/v5/pkg/blobinfocache/none"
+ 	"github.com/containers/image/v5/types"
+@@ -67,7 +67,7 @@ func (m *manifestOCI1) ConfigBlob(ctx context.Context) ([]byte, error) {
+ 			return nil, err
+ 		}
+ 		defer stream.Close()
+-		blob, err := ioutil.ReadAll(stream)
++		blob, err := iolimits.ReadAtMost(stream, iolimits.MaxConfigBodySize)
+ 		if err != nil {
+ 			return nil, err
+ 		}
+diff --git a/vendor/github.com/containers/image/v5/internal/iolimits/iolimits.go b/vendor/github.com/containers/image/v5/internal/iolimits/iolimits.go
+new file mode 100644
+index 000000000..3fed1995c
+--- /dev/null
++++ b/vendor/github.com/containers/image/v5/internal/iolimits/iolimits.go
+@@ -0,0 +1,60 @@
++package iolimits
++
++import (
++	"io"
++	"io/ioutil"
++
++	"github.com/pkg/errors"
++)
++
++// All constants below are intended to be used as limits for `ReadAtMost`. The
++// immediate use-case for limiting the size of in-memory copied data is to
++// protect against OOM DOS attacks as described inCVE-2020-1702. Instead of
++// copying data until running out of memory, we error out after hitting the
++// specified limit.
++const (
++	// megaByte denotes one megabyte and is intended to be used as a limit in
++	// `ReadAtMost`.
++	megaByte = 1 << 20
++	// MaxManifestBodySize is the maximum allowed size of a manifest. The limit
++	// of 4 MB aligns with the one of a Docker registry:
++	// https://github.com/docker/distribution/blob/a8371794149d1d95f1e846744b05c87f2f825e5a/registry/handlers/manifests.go#L30
++	MaxManifestBodySize = 4 * megaByte
++	// MaxAuthTokenBodySize is the maximum allowed size of an auth token.
++	// The limit of 1 MB is considered to be greatly sufficient.
++	MaxAuthTokenBodySize = megaByte
++	// MaxSignatureListBodySize is the maximum allowed size of a signature list.
++	// The limit of 4 MB is considered to be greatly sufficient.
++	MaxSignatureListBodySize = 4 * megaByte
++	// MaxSignatureBodySize is the maximum allowed size of a signature.
++	// The limit of 4 MB is considered to be greatly sufficient.
++	MaxSignatureBodySize = 4 * megaByte
++	// MaxErrorBodySize is the maximum allowed size of an error-response body.
++	// The limit of 1 MB is considered to be greatly sufficient.
++	MaxErrorBodySize = megaByte
++	// MaxConfigBodySize is the maximum allowed size of a config blob.
++	// The limit of 4 MB is considered to be greatly sufficient.
++	MaxConfigBodySize = 4 * megaByte
++	// MaxOpenShiftStatusBody is the maximum allowed size of an OpenShift status body.
++	// The limit of 4 MB is considered to be greatly sufficient.
++	MaxOpenShiftStatusBody = 4 * megaByte
++	// MaxTarFileManifestSize is the maximum allowed size of a (docker save)-like manifest (which may contain multiple images)
++	// The limit of 1 MB is considered to be greatly sufficient.
++	MaxTarFileManifestSize = megaByte
++)
++
++// ReadAtMost reads from reader and errors out if the specified limit (in bytes) is exceeded.
++func ReadAtMost(reader io.Reader, limit int) ([]byte, error) {
++	limitedReader := io.LimitReader(reader, int64(limit+1))
++
++	res, err := ioutil.ReadAll(limitedReader)
++	if err != nil {
++		return nil, err
++	}
++
++	if len(res) > limit {
++		return nil, errors.Errorf("exceeded maximum allowed size of %d bytes", limit)
++	}
++
++	return res, nil
++}
+diff --git a/vendor/github.com/containers/image/v5/openshift/openshift.go b/vendor/github.com/containers/image/v5/openshift/openshift.go
+index 016de4803..c37e1b751 100644
+--- a/vendor/github.com/containers/image/v5/openshift/openshift.go
++++ b/vendor/github.com/containers/image/v5/openshift/openshift.go
+@@ -7,13 +7,13 @@ import (
+ 	"encoding/json"
+ 	"fmt"
+ 	"io"
+-	"io/ioutil"
+ 	"net/http"
+ 	"net/url"
+ 	"strings"
+ 
+ 	"github.com/containers/image/v5/docker"
+ 	"github.com/containers/image/v5/docker/reference"
++	"github.com/containers/image/v5/internal/iolimits"
+ 	"github.com/containers/image/v5/manifest"
+ 	"github.com/containers/image/v5/types"
+ 	"github.com/containers/image/v5/version"
+@@ -102,7 +102,7 @@ func (c *openshiftClient) doRequest(ctx context.Context, method, path string, re
+ 		return nil, err
+ 	}
+ 	defer res.Body.Close()
+-	body, err := ioutil.ReadAll(res.Body)
++	body, err := iolimits.ReadAtMost(res.Body, iolimits.MaxOpenShiftStatusBody)
+ 	if err != nil {
+ 		return nil, err
+ 	}
+diff --git a/vendor/modules.txt b/vendor/modules.txt
+index 840dae067..3f72f3f34 100644
+--- a/vendor/modules.txt
++++ b/vendor/modules.txt
+@@ -48,7 +48,7 @@ github.com/containernetworking/cni/pkg/types
+ github.com/containernetworking/cni/pkg/types/020
+ github.com/containernetworking/cni/pkg/types/current
+ github.com/containernetworking/cni/pkg/version
+-# github.com/containers/image/v5 v5.0.0
++# github.com/containers/image/v5 v5.0.1-0.20200205124631-82291c45f2b0
+ github.com/containers/image/v5/copy
+ github.com/containers/image/v5/directory
+ github.com/containers/image/v5/directory/explicitfilepath
+@@ -59,6 +59,7 @@ github.com/containers/image/v5/docker/policyconfiguration
+ github.com/containers/image/v5/docker/reference
+ github.com/containers/image/v5/docker/tarfile
+ github.com/containers/image/v5/image
++github.com/containers/image/v5/internal/iolimits
+ github.com/containers/image/v5/internal/pkg/keyctl
+ github.com/containers/image/v5/internal/tmpdir
+ github.com/containers/image/v5/manifest
diff --git a/SPECS/buildah.spec b/SPECS/buildah.spec
index e4a384b..03f5f32 100644
--- a/SPECS/buildah.spec
+++ b/SPECS/buildah.spec
@@ -25,9 +25,9 @@ scl enable go-toolset-1.12 -- go build -buildmode pie -compiler gc -tags="rpm_cr
 
 Name: %{repo}
 Version: 1.11.6
-Release: 8%{?dist}
+Release: 11%{?dist}
 Summary: A command line tool used for creating OCI Images
-ExcludeArch: s390 ppc ppc64 
+ExcludeArch: %{ix86} s390 ppc ppc64
 License: ASL 2.0
 URL: https://%{name}.io
 Source: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz
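Review bot: The new `ExcludeArch: %{ix86} s390 ppc ppc64` drops 32-bit x86 builds, but none of the three changelog entries added in this commit (1.11.6-9 through -11) mentions it, so the architecture change has no recorded rationale. Add a line such as `- exclude %{ix86} architecture` to the 1.11.6-11 entry, or a comment above ExcludeArch pointing at the bug that motivated it. The Release bump from 8 to 11 does match the three new changelog entries.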
@@ -39,6 +39,15 @@ Patch2: buildah-1756986.patch
 # tracker bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-8945
 # backported:  https://github.com/containers/skopeo/pull/825.patch
 Patch3: buildah-CVE-2020-8945.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1702
+# https://github.com/containers/buildah/commit/be1eb6f70fb40e45096b69aeb048d54c526a4a8f.patch
+Patch4: buildah-CVE-2020-1702.patch
+# tracker bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10696
+# patch:       https://github.com/containers/buildah/commit/c61925b8936e93a5e900f91b653a846f7ea3a9ed.patch
+Patch5: buildah-CVE-2020-10696.patch
+# related bug: https://bugzilla.redhat.com/show_bug.cgi?id=1810069
+# backported:  https://github.com/containers/buildah/pull/2095.patch
+Patch6: buildah-1810069.patch
 
 BuildRequires: go-toolset-1.12
 BuildRequires: git
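Review bot: The comment for Patch5 cites upstream commit c61925b8936e93a5e900f91b653a846f7ea3a9ed, but the shipped buildah-CVE-2020-10696.patch carries `From 840e7dad513b86f454573ad415701c0199f78d30`, so the provenance a reviewer would use to verify the CVE backport does not match the file (Patch4's hash does match its patch header). Either is plausibly the master commit versus its branch cherry-pick; record the hash that matches the file, e.g. `# patch:       https://github.com/containers/buildah/commit/840e7dad513b86f454573ad415701c0199f78d30.patch`, or cite both. Patch4's comment also lacks the `tracker bug:` label the neighbouring entries use. If %prep applies patches with explicit `%patchN -p1` lines rather than %autosetup, those lines are outside this hunk and need the three new entries as well.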
@@ -125,6 +134,18 @@ make DESTDIR=%{buildroot} PREFIX=%{_prefix} -C docs install
 %{_datadir}/%{name}/test
 
 %changelog
+* Wed Apr 08 2020 Jindrich Novy <jnovy@redhat.com> - 1.11.6-11
+- fix "buildah is not expanding env vars in file paths"
+- Resolves: #1822031
+
+* Tue Mar 31 2020 Jindrich Novy <jnovy@redhat.com> - 1.11.6-10
+- fix "CVE-2020-10696 buildah: crafted input tar file may lead to local file overwriting during image build process"
+- Resolves: #1817738
+
+* Mon Mar 16 2020 Jindrich Novy <jnovy@redhat.com> - 1.11.6-9
+- fix "CVE-2020-1702 buildah: containers/image: Container images read entire image manifest into memory"
+- Resolves: #1810612
+
 * Tue Mar 03 2020 Jindrich Novy <jnovy@redhat.com> - 1.11.6-8
 - fix "CVE-2020-8945 proglottis/gpgme: Use-after-free in GPGME bindings during container image pull"
 - Resolves: #1803583