diff --git a/SOURCES/expat-2.2.5-CVE-2022-43680.patch b/SOURCES/expat-2.2.5-CVE-2022-43680.patch
new file mode 100644
index 0000000..25488ff
--- /dev/null
+++ b/SOURCES/expat-2.2.5-CVE-2022-43680.patch
@@ -0,0 +1,89 @@
+commit a739613cfb5ee60919bd5ad545a5582fa8a6dad9
+Author: Tomas Korbar <tkorbar@redhat.com>
+Date:   Mon Nov 14 12:37:16 2022 +0100
+
+    Fix CVE-2022-43680
+
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index 0cc24f6..3f765f7 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -1016,6 +1016,14 @@ parserCreate(const XML_Char *encodingName,
+   parserInit(parser, encodingName);
+ 
+   if (encodingName && !parser->m_protocolEncodingName) {
++    if (dtd) {
++      // We need to stop the upcoming call to XML_ParserFree from happily
++      // destroying parser->m_dtd because the DTD is shared with the parent
++      // parser and the only guard that keeps XML_ParserFree from destroying
++      // parser->m_dtd is parser->m_isParamEntity but it will be set to
++      // XML_TRUE only later in XML_ExternalEntityParserCreate (or not at all).
++      parser->m_dtd = NULL;
++    }
+     XML_ParserFree(parser);
+     return NULL;
+   }
+diff --git a/tests/runtests.c b/tests/runtests.c
+index f3ebbd7..f58f794 100644
+--- a/tests/runtests.c
++++ b/tests/runtests.c
+@@ -10819,6 +10819,48 @@ START_TEST(test_alloc_long_notation)
+ }
+ END_TEST
+ 
++static int XMLCALL
++external_entity_parser_create_alloc_fail_handler(XML_Parser parser,
++                                                 const XML_Char *context,
++                                                 const XML_Char *UNUSED_P(base),
++                                                 const XML_Char *UNUSED_P(systemId),
++                                                 const XML_Char *UNUSED_P(publicId)) {
++  if (context != NULL)
++    fail("Unexpected non-NULL context");
++
++  // The following number intends to fail the upcoming allocation in line
++  // "parser->m_protocolEncodingName = copyString(encodingName,
++  // &(parser->m_mem));" in function parserInit.
++  allocation_count = 3;
++
++  const XML_Char *const encodingName = XCS("UTF-8"); // needs something non-NULL
++  const XML_Parser ext_parser
++      = XML_ExternalEntityParserCreate(parser, context, encodingName);
++  if (ext_parser != NULL)
++    fail(
++        "Call to XML_ExternalEntityParserCreate was expected to fail out-of-memory");
++
++  allocation_count = ALLOC_ALWAYS_SUCCEED;
++  return XML_STATUS_ERROR;
++}
++
++START_TEST(test_alloc_reset_after_external_entity_parser_create_fail) {
++  const char *const text = "<!DOCTYPE doc SYSTEM 'foo'><doc/>";
++
++  XML_SetExternalEntityRefHandler(
++      parser, external_entity_parser_create_alloc_fail_handler);
++  XML_SetParamEntityParsing(parser, XML_PARAM_ENTITY_PARSING_ALWAYS);
++
++  if (XML_Parse(parser, text, (int)strlen(text), XML_TRUE)
++      != XML_STATUS_ERROR)
++    fail("Call to parse was expected to fail");
++
++  if (XML_GetErrorCode(parser) != XML_ERROR_EXTERNAL_ENTITY_HANDLING)
++    fail("Call to parse was expected to fail from the external entity handler");
++
++  XML_ParserReset(parser, NULL);
++}
++END_TEST
+ 
+ static void
+ nsalloc_setup(void)
+@@ -12653,6 +12695,10 @@ make_suite(void)
+     tcase_add_test(tc_alloc, test_alloc_long_entity_value);
+     tcase_add_test(tc_alloc, test_alloc_long_notation);
+ 
++    #ifdef XML_DTD
++    tcase_add_test(tc_alloc,
++                   test_alloc_reset_after_external_entity_parser_create_fail);
++    #endif
+     suite_add_tcase(s, tc_nsalloc);
+     tcase_add_checked_fixture(tc_nsalloc, nsalloc_setup, nsalloc_teardown);
+     tcase_add_test(tc_nsalloc, test_nsalloc_xmlns);
diff --git a/SOURCES/expat-2.2.5-Ensure-raw-tagnames-are-safe-exiting-internalEntityParser.patch b/SOURCES/expat-2.2.5-Ensure-raw-tagnames-are-safe-exiting-internalEntityParser.patch
new file mode 100644
index 0000000..76e6a7c
--- /dev/null
+++ b/SOURCES/expat-2.2.5-Ensure-raw-tagnames-are-safe-exiting-internalEntityParser.patch
@@ -0,0 +1,118 @@
+commit bfecc1f11ab5f0cc2aa3dc5cb87d3236a87ce61d
+Author: Tomas Korbar <tkorbar@redhat.com>
+Date:   Fri Sep 30 10:52:04 2022 +0200
+
+    Fix CVE-2022-40674
+
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index d47e42c..0cc24f6 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -5765,8 +5765,14 @@ internalEntityProcessor(XML_Parser parser,
+   {
+     parser->m_processor = contentProcessor;
+     /* see externalEntityContentProcessor vs contentProcessor */
+-    return doContent(parser, parser->m_parentParser ? 1 : 0, parser->m_encoding, s, end,
+-                     nextPtr, (XML_Bool)!parser->m_parsingStatus.finalBuffer);
++    result = doContent(parser, parser->m_parentParser ? 1 : 0, parser->m_encoding,
++                      s, end, nextPtr,
++                      (XML_Bool)! parser->m_parsingStatus.finalBuffer);
++    if (result == XML_ERROR_NONE) {
++      if (! storeRawNames(parser))
++        return XML_ERROR_NO_MEMORY;
++    }
++    return result;
+   }
+ }
+ 
+diff --git a/tests/runtests.c b/tests/runtests.c
+index 569ad8c..f3ebbd7 100644
+--- a/tests/runtests.c
++++ b/tests/runtests.c
+@@ -5401,6 +5401,78 @@ START_TEST(test_resume_entity_with_syntax_error)
+ }
+ END_TEST
+ 
++void
++suspending_comment_handler(void *userData, const XML_Char *UNUSED_P(data)) {
++  XML_Parser parser = (XML_Parser)userData;
++  XML_StopParser(parser, XML_TRUE);
++}
++
++START_TEST(test_suspend_resume_internal_entity_issue_629) {
++  const char *const text
++      = "<!DOCTYPE a [<!ENTITY e '<!--COMMENT-->a'>]><a>&e;<b>\n"
++        "<"
++        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
++        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
++        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
++        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
++        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
++        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
++        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
++        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
++        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
++        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
++        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
++        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
++        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
++        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
++        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
++        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
++        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
++        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
++        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
++        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
++        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
++        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
++        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
++        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
++        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
++        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
++        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
++        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
++        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
++        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
++        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
++        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
++        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
++        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
++        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
++        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
++        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
++        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
++        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
++        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
++        "/>"
++        "</b></a>";
++  const size_t firstChunkSizeBytes = 54;
++
++  XML_Parser parser = XML_ParserCreate(NULL);
++  XML_SetUserData(parser, parser);
++  XML_SetCommentHandler(parser, suspending_comment_handler);
++
++  if (XML_Parse(parser, text, (int)firstChunkSizeBytes, XML_FALSE)
++      != XML_STATUS_SUSPENDED)
++    xml_failure(parser);
++  if (XML_ResumeParser(parser) != XML_STATUS_OK)
++    xml_failure(parser);
++  if (XML_Parse(parser, text + firstChunkSizeBytes,
++                (int)(strlen(text) - firstChunkSizeBytes), XML_TRUE)
++      != XML_STATUS_OK)
++    xml_failure(parser);
++  XML_ParserFree(parser);
++}
++END_TEST
++
++
+ /* Test suspending and resuming in a parameter entity substitution */
+ static void XMLCALL
+ element_decl_suspender(void *UNUSED_P(userData),
+@@ -12395,6 +12467,7 @@ make_suite(void)
+     tcase_add_test(tc_basic, test_hash_collision);
+     tcase_add_test(tc_basic, test_suspend_resume_internal_entity);
+     tcase_add_test(tc_basic, test_resume_entity_with_syntax_error);
++    tcase_add_test(tc_basic, test_suspend_resume_internal_entity_issue_629);
+     tcase_add_test(tc_basic, test_suspend_resume_parameter_entity);
+     tcase_add_test(tc_basic, test_restart_on_error);
+     tcase_add_test(tc_basic, test_reject_lt_in_attribute_value);
diff --git a/SPECS/expat.spec b/SPECS/expat.spec
index a0c8a18..5ceff69 100644
--- a/SPECS/expat.spec
+++ b/SPECS/expat.spec
@@ -3,7 +3,7 @@
 Summary: An XML parser library
 Name: expat
 Version: %(echo %{unversion} | sed 's/_/./g')
-Release: 9%{?dist}
+Release: 11%{?dist}
 Source: https://github.com/libexpat/libexpat/archive/R_%{unversion}.tar.gz#/expat-%{version}.tar.gz
 URL: https://libexpat.github.io/
 License: MIT
@@ -20,6 +20,8 @@ Patch8: expat-2.2.5-Add-missing-validation-of-encoding.patch
 Patch9: expat-2.2.5-Prevent-integer-overflow-in-storeRawNames.patch
 Patch10: expat-2.2.5-Prevent-integer-overflow-in-copyString.patch
 Patch11: expat-2.2.5-Prevent-stack-exhaustion-in-build_model.patch
+Patch12: expat-2.2.5-Ensure-raw-tagnames-are-safe-exiting-internalEntityParser.patch
+Patch13: expat-2.2.5-CVE-2022-43680.patch
 
 %description
 This is expat, the C library for parsing XML, written by James Clark. Expat
@@ -59,6 +61,8 @@ Install it if you need to link statically with expat.
 %patch9 -p1 -b .CVE-2022-25315
 %patch10 -p1 -b .CVE-2022-25314
 %patch11 -p1 -b .CVE-2022-25313
+%patch12 -p1 -b .CVE-2022-40674
+%patch13 -p1 -b .CVE-2022-43680
 
 sed -i 's/install-data-hook/do-nothing-please/' lib/Makefile.am
 ./buildconf.sh
@@ -97,6 +101,14 @@ make check
 %{_libdir}/lib*.a
 
 %changelog
+* Mon Nov 14 2022 Tomas Korbar <tkorbar@redhat.com> - 2.2.5-11
+- CVE-2022-43680 expat: use-after free caused by overeager destruction of a shared DTD in XML_ExternalEntityParserCreate
+- Resolves: CVE-2022-43680
+
+* Fri Sep 30 2022 Tomas Korbar <tkorbar@redhat.com> - 2.2.5-10
+- Ensure raw tagnames are safe exiting internalEntityParser
+- Resolves: CVE-2022-40674
+
 * Fri May 06 2022 Tomas Korbar <tkorbar@redhat.com> - 2.2.5-9
 - Fix multiple CVEs
 - Resolves: CVE-2022-25314