diff --git a/SOURCES/expat-2.1.0-CVE-2018-20843.patch b/SOURCES/expat-2.1.0-CVE-2018-20843.patch
new file mode 100644
index 0000000..677e021
--- /dev/null
+++ b/SOURCES/expat-2.1.0-CVE-2018-20843.patch
@@ -0,0 +1,14 @@
+
+https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-20843
+
+--- expat-2.1.0/lib/xmlparse.c.cve20843
++++ expat-2.1.0/lib/xmlparse.c
+@@ -5433,7 +5433,7 @@
+       else
+         poolDiscard(&dtd->pool);
+       elementType->prefix = prefix;
+-
++      break;
+     }
+   }
+   return 1;
diff --git a/SOURCES/expat-2.1.0-CVE-2019-15903.patch b/SOURCES/expat-2.1.0-CVE-2019-15903.patch
new file mode 100644
index 0000000..7a3be0f
--- /dev/null
+++ b/SOURCES/expat-2.1.0-CVE-2019-15903.patch
@@ -0,0 +1,167 @@
+
+https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-15903
+
+https://github.com/libexpat/libexpat/commit/6da1f19625592bfb928253620cac568d9a9b9c65
+
+--- expat-2.1.0/lib/xmlparse.c.cve15903
++++ expat-2.1.0/lib/xmlparse.c
+@@ -331,7 +331,7 @@
+ static enum XML_Error
+ doProlog(XML_Parser parser, const ENCODING *enc, const char *s,
+          const char *end, int tok, const char *next, const char **nextPtr,
+-         XML_Bool haveMore);
++         XML_Bool haveMore, XML_Bool allowClosingDoctype);
+ static enum XML_Error
+ processInternalEntity(XML_Parser parser, ENTITY *entity,
+                       XML_Bool betweenDecl);
+@@ -3699,7 +3699,7 @@
+ 
+   processor = prologProcessor;
+   return doProlog(parser, encoding, s, end, tok, next,
+-                  nextPtr, (XML_Bool)!ps_finalBuffer);
++                  nextPtr, (XML_Bool)!ps_finalBuffer, XML_TRUE);
+ }
+ 
+ static enum XML_Error PTRCALL
+@@ -3749,7 +3749,7 @@
+   const char *next = s;
+   int tok = XmlPrologTok(encoding, s, end, &next);
+   return doProlog(parser, encoding, s, end, tok, next,
+-                  nextPtr, (XML_Bool)!ps_finalBuffer);
++                  nextPtr, (XML_Bool)!ps_finalBuffer, XML_TRUE);
+ }
+ 
+ static enum XML_Error
+@@ -3760,7 +3760,8 @@
+          int tok,
+          const char *next,
+          const char **nextPtr,
+-         XML_Bool haveMore)
++         XML_Bool haveMore,
++         XML_Bool allowClosingDoctype)
+ {
+ #ifdef XML_DTD
+   static const XML_Char externalSubsetName[] = { ASCII_HASH , '\0' };
+@@ -3936,6 +3937,11 @@
+       }
+       break;
+     case XML_ROLE_DOCTYPE_CLOSE:
++      if (allowClosingDoctype != XML_TRUE) {
++        /* Must not close doctype from within expanded parameter entities */
++        return XML_ERROR_INVALID_TOKEN;
++      }
++
+       if (doctypeName) {
+         startDoctypeDeclHandler(handlerArg, doctypeName,
+                                 doctypeSysid, doctypePubid, 0);
+@@ -4837,7 +4843,7 @@
+   if (entity->is_param) {
+     int tok = XmlPrologTok(internalEncoding, textStart, textEnd, &next);
+     result = doProlog(parser, internalEncoding, textStart, textEnd, tok,
+-                      next, &next, XML_FALSE);
++                      next, &next, XML_FALSE, XML_FALSE);
+   }
+   else
+ #endif /* XML_DTD */
+@@ -4882,7 +4888,7 @@
+   if (entity->is_param) {
+     int tok = XmlPrologTok(internalEncoding, textStart, textEnd, &next);
+     result = doProlog(parser, internalEncoding, textStart, textEnd, tok,
+-                      next, &next, XML_FALSE);
++                      next, &next, XML_FALSE, XML_TRUE);
+   }
+   else
+ #endif /* XML_DTD */
+@@ -4909,7 +4915,7 @@
+     processor = prologProcessor;
+     tok = XmlPrologTok(encoding, s, end, &next);
+     return doProlog(parser, encoding, s, end, tok, next, nextPtr,
+-                    (XML_Bool)!ps_finalBuffer);
++                    (XML_Bool)!ps_finalBuffer, XML_TRUE);
+   }
+   else
+ #endif /* XML_DTD */
+--- expat-2.1.0/tests/runtests.c.cve15903
++++ expat-2.1.0/tests/runtests.c
+@@ -1157,6 +1157,69 @@
+     CharData_AppendString(storage, "\n");
+ }
+ 
++#ifdef XML_DTD
++START_TEST(test_misc_deny_internal_entity_closing_doctype_issue_317) {
++  const char *const inputOne = "<!DOCTYPE d [\n"
++                               "<!ENTITY % e ']><d/>'>\n"
++                               "\n"
++                               "%e;";
++  const char *const inputTwo = "<!DOCTYPE d [\n"
++                               "<!ENTITY % e1 ']><d/>'><!ENTITY % e2 '&e1;'>\n"
++                               "\n"
++                               "%e2;";
++  const char *const inputThree = "<!DOCTYPE d [\n"
++                                 "<!ENTITY % e ']><d'>\n"
++                                 "\n"
++                                 "%e;";
++  const char *const inputIssue317 = "<!DOCTYPE doc [\n"
++                                    "<!ENTITY % foo ']>\n"
++                                    "<doc>Hell<oc (#PCDATA)*>'>\n"
++                                    "%foo;\n"
++                                    "]>\n"
++                                    "<doc>Hello, world</dVc>";
++
++  const char *const inputs[] = {inputOne, inputTwo, inputThree, inputIssue317};
++  size_t inputIndex = 0;
++
++  for (; inputIndex < sizeof(inputs) / sizeof(inputs[0]); inputIndex++) {
++    XML_Parser parser;
++    enum XML_Status parseResult;
++    int setParamEntityResult;
++    XML_Size lineNumber;
++    XML_Size columnNumber;
++    const char *const input = inputs[inputIndex];
++
++    parser = XML_ParserCreate(NULL);
++    setParamEntityResult
++        = XML_SetParamEntityParsing(parser, XML_PARAM_ENTITY_PARSING_ALWAYS);
++    if (setParamEntityResult != 1)
++      fail("Failed to set XML_PARAM_ENTITY_PARSING_ALWAYS.");
++
++    parseResult = XML_Parse(parser, input, (int)strlen(input), 0);
++    if (parseResult != XML_STATUS_ERROR) {
++      parseResult = XML_Parse(parser, "", 0, 1);
++      if (parseResult != XML_STATUS_ERROR) {
++        fail("Parsing was expected to fail but succeeded.");
++      }
++    }
++
++    if (XML_GetErrorCode(parser) != XML_ERROR_INVALID_TOKEN)
++      fail("Error code does not match XML_ERROR_INVALID_TOKEN");
++
++    lineNumber = XML_GetCurrentLineNumber(parser);
++    if (lineNumber != 4)
++      fail("XML_GetCurrentLineNumber does not work as expected.");
++
++    columnNumber = XML_GetCurrentColumnNumber(parser);
++    if (columnNumber != 0)
++      fail("XML_GetCurrentColumnNumber does not work as expected.");
++
++    XML_ParserFree(parser);
++  }
++}
++END_TEST
++#endif
++
+ static void
+ run_ns_tagname_overwrite_test(char *text, char *result)
+ {
+@@ -1479,6 +1542,11 @@
+     tcase_add_test(tc_namespace, test_ns_unbound_prefix_on_attribute);
+     tcase_add_test(tc_namespace, test_ns_unbound_prefix_on_element);
+ 
++#ifdef XML_DTD
++    tcase_add_test(tc_basic,
++                   test_misc_deny_internal_entity_closing_doctype_issue_317);
++#endif
++
+     return s;
+ }
+ 
diff --git a/SPECS/expat.spec b/SPECS/expat.spec
index 07da724..fa09adc 100644
--- a/SPECS/expat.spec
+++ b/SPECS/expat.spec
@@ -1,12 +1,14 @@
 Summary: An XML parser library
 Name: expat
 Version: 2.1.0
-Release: 11%{?dist}
+Release: 12%{?dist}
 Group: System Environment/Libraries
 Source: http://downloads.sourceforge.net/expat/expat-%{version}.tar.gz
 Patch0: expat-2.1.0-xmlwfargs.patch
 Patch1: expat-2.1.0-CVE-2016-0718.patch
 Patch2: expat-2.1.0-CVE-2015-2716.patch
+Patch3: expat-2.1.0-CVE-2018-20843.patch
+Patch4: expat-2.1.0-CVE-2019-15903.patch
 URL: http://www.libexpat.org/
 License: MIT
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -43,6 +45,8 @@ Install it if you need to link statically with expat.
 %patch0 -p1 -b .xmlwfargs
 %patch1 -p1 -b .cve0718
 %patch2 -p1 -b .cve2716
+%patch3 -p1 -b .cve20843
+%patch4 -p1 -b .cve15903
 
 %build
 rm -rf autom4te*.cache
@@ -89,6 +93,9 @@ rm -rf ${RPM_BUILD_ROOT}
 %{_libdir}/lib*.a
 
 %changelog
+* Thu Apr  2 2020 Joe Orton <jorton@redhat.com> - 2.1.0-12
+- add security fixes for CVE-2018-20843, CVE-2019-15903
+
 * Thu Jul 25 2019 Joe Orton <jorton@redhat.com> - 2.1.0-11
 - add security fix for CVE-2015-2716