diff --git a/SOURCES/0001-http-control-GSSAPI-credential-delegation.patch b/SOURCES/0001-http-control-GSSAPI-credential-delegation.patch
new file mode 100644
index 0000000..ccec896
--- /dev/null
+++ b/SOURCES/0001-http-control-GSSAPI-credential-delegation.patch
@@ -0,0 +1,90 @@
+From 7dbd01e4815727ce46de0b5d6c2916fec9154196 Mon Sep 17 00:00:00 2001
+From: Petr Stodulka <pstodulk@redhat.com>
+Date: Mon, 5 Dec 2016 16:49:09 +0100
+Subject: [PATCH] http: control GSSAPI credential delegation
+
+Delegation of credentials is disabled by default in libcurl since
+version 7.21.7 due to security vulnerability CVE-2011-2192. Which
+makes troubles with GSS/kerberos authentication when delegation
+of credentials is required. This can be changed with option
+CURLOPT_GSSAPI_DELEGATION in libcurl with set expected parameter
+since libcurl version 7.22.0.
+
+This patch provides new configuration variable http.delegation
+which corresponds to curl parameter "--delegation" (see man 1 curl).
+
+The following values are supported:
+
+* none (default).
+* policy
+* always
+---
+ http.c | 38 ++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 38 insertions(+)
+
+diff --git a/http.c b/http.c
+index a1c7dcb..e7c77c0 100644
+--- a/http.c
++++ b/http.c
+@@ -66,6 +66,19 @@ static struct curl_slist *no_pragma_header;
+ 
+ static struct active_request_slot *active_queue_head;
+ 
++#if LIBCURL_VERSION_NUM >= 0x071600
++static const char *curl_deleg;
++static struct {
++	const char *name;
++	long curl_deleg_param;
++} curl_deleg_levels[] = {
++	{ "none", CURLGSSAPI_DELEGATION_NONE },
++	{ "policy", CURLGSSAPI_DELEGATION_POLICY_FLAG },
++	{ "always", CURLGSSAPI_DELEGATION_FLAG },
++};
++#endif
++
++
+ size_t fread_buffer(char *ptr, size_t eltsize, size_t nmemb, void *buffer_)
+ {
+ 	size_t size = eltsize * nmemb;
+@@ -169,6 +182,16 @@ static int http_options(const char *var, const char *value, void *cb)
+ 		curl_ssl_try = git_config_bool(var, value);
+ 		return 0;
+ 	}
++
++	if (!strcmp("http.delegation", var)) {
++#if LIBCURL_VERSION_NUM >= 0x071600
++		return git_config_string(&curl_deleg, var, value);
++#else
++		warning("Delegation control is not supported with cURL < 7.22.0");
++		return 0;
++#endif
++	}
++
+ 	if (!strcmp("http.minsessions", var)) {
+ 		min_curl_sessions = git_config_int(var, value);
+ #ifndef USE_CURL_MULTI
+@@ -271,6 +294,21 @@ static CURL *get_curl_handle(void)
+ #ifdef LIBCURL_CAN_HANDLE_AUTH_ANY
+ 	curl_easy_setopt(result, CURLOPT_HTTPAUTH, CURLAUTH_ANY);
+ #endif
++#if LIBCURL_VERSION_NUM >= 0x071600
++	if (curl_deleg) {
++		int i;
++		for (i = 0; i < ARRAY_SIZE(curl_deleg_levels); i++) {
++			if (!strcmp(curl_deleg, curl_deleg_levels[i].name)) {
++				curl_easy_setopt(result, CURLOPT_GSSAPI_DELEGATION,
++						curl_deleg_levels[i].curl_deleg_param);
++				break;
++			}
++		}
++		if (i == ARRAY_SIZE(curl_deleg_levels))
++			warning("Unknown delegation method '%s': using default",
++				curl_deleg);
++	}
++#endif
+ 
+ 	if (http_proactive_auth)
+ 		init_curl_http_auth(result);
+-- 
+2.5.5
+
diff --git a/SOURCES/0007-git-prompt.patch b/SOURCES/0007-git-prompt.patch
new file mode 100644
index 0000000..a179403
--- /dev/null
+++ b/SOURCES/0007-git-prompt.patch
@@ -0,0 +1,53 @@
+From 7e546ae76da784185ba9515ed86e435ba17fdd65 Mon Sep 17 00:00:00 2001
+From: Petr Stodulka <pstodulk@redhat.com>
+Date: Wed, 29 Mar 2017 13:08:28 +0200
+Subject: [PATCH] git-prompt.sh: don't put unsanitized branch names in $PS1
+
+---
+ contrib/completion/git-prompt.sh | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/contrib/completion/git-prompt.sh b/contrib/completion/git-prompt.sh
+index eaf5c36..2c872e5 100644
+--- a/contrib/completion/git-prompt.sh
++++ b/contrib/completion/git-prompt.sh
+@@ -360,8 +360,11 @@ __git_ps1 ()
+ 		fi
+ 
+ 		local f="$w$i$s$u"
++		b=${b##refs/heads/}
+ 		if [ $pcmode = yes ]; then
+ 			local gitstring=
++			__git_ps1_branch_name=$b
++			b="\${__git_ps1_branch_name}"
+ 			if [ -n "${GIT_PS1_SHOWCOLORHINTS-}" ]; then
+ 				local c_red='\e[31m'
+ 				local c_green='\e[32m'
+@@ -371,7 +374,7 @@ __git_ps1 ()
+ 				local ok_color=$c_green
+ 				local branch_color="$c_clear"
+ 				local flags_color="$c_lblue"
+-				local branchstring="$c${b##refs/heads/}"
++				local branchstring="$c$b"
+ 
+ 				if [ $detached = no ]; then
+ 					branch_color="$ok_color"
+@@ -400,13 +403,13 @@ __git_ps1 ()
+ 				fi
+ 				gitstring="$gitstring\[$c_clear\]$r$p"
+ 			else
+-				gitstring="$c${b##refs/heads/}${f:+ $f}$r$p"
++				gitstring="$c$b${f:+ $f}$r$p"
+ 			fi
+ 			gitstring=$(printf -- "$printf_format" "$gitstring")
+ 			PS1="$ps1pc_start$gitstring$ps1pc_end"
+ 		else
+ 			# NO color option unless in PROMPT_COMMAND mode
+-			printf -- "$printf_format" "$c${b##refs/heads/}${f:+ $f}$r$p"
++			printf -- "$printf_format" "$c$b${f:+ $f}$r$p"
+ 		fi
+ 	fi
+ }
+-- 
+2.5.5
+
diff --git a/SOURCES/0008-Fix-CVE-2017-8386.patch b/SOURCES/0008-Fix-CVE-2017-8386.patch
new file mode 100644
index 0000000..88b19e9
--- /dev/null
+++ b/SOURCES/0008-Fix-CVE-2017-8386.patch
@@ -0,0 +1,26 @@
+From 654dbd112ab7cbe0a162afaab645a971da62d433 Mon Sep 17 00:00:00 2001
+From: Petr Stodulka <pstodulk@redhat.com>
+Date: Wed, 17 May 2017 11:37:01 +0200
+Subject: [PATCH] Fix CVE-2017-8386
+
+See the commit 3ec804490 in upstream repository for more info.
+---
+ shell.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/shell.c b/shell.c
+index 1429870..72ed0fa 100644
+--- a/shell.c
++++ b/shell.c
+@@ -13,7 +13,7 @@ static int do_generic_cmd(const char *me, char *arg)
+ 	const char *my_argv[4];
+ 
+ 	setup_path();
+-	if (!arg || !(arg = sq_dequote(arg)))
++	if (!arg || !(arg = sq_dequote(arg)) || *arg == '-')
+ 		die("bad argument");
+ 	if (prefixcmp(me, "git-"))
+ 		die("bad command");
+-- 
+2.9.4
+
diff --git a/SPECS/git.spec b/SPECS/git.spec
index 4488665..1c5d51d 100644
--- a/SPECS/git.spec
+++ b/SPECS/git.spec
@@ -51,7 +51,7 @@
 
 Name:           git
 Version:        1.8.3.1
-Release:        6%{?dist}.1
+Release:        11%{?dist}
 Summary:        Fast Version Control System
 License:        GPLv2
 Group:          Development/Tools
@@ -83,8 +83,12 @@ Patch9:         0003-transport-refactor-protocol-whitelist-code.patch
 Patch10:        0004-http-limit-redirection-to-protocol-whitelist.patch
 Patch11:        0005-http-limit-redirection-depth.patch
 
-#CVE
+Patch13:        0001-http-control-GSSAPI-credential-delegation.patch
+
+# CVE
 Patch12:        0001-Fix-CVE-2016-2315-CVE-2016-2324.patch
+Patch14:        0007-git-prompt.patch
+Patch15:        0008-Fix-CVE-2017-8386.patch
 
 BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
@@ -334,6 +338,9 @@ Requires:       emacs-git = %{version}-%{release}
 %patch10 -p1
 %patch11 -p1
 %patch12 -p1
+%patch13 -p1
+%patch14 -p1
+%patch15 -p1
 
 %if %{use_prebuilt_docs}
 mkdir -p prebuilt_docs/{html,man}
@@ -659,9 +666,26 @@ rm -rf %{buildroot}
 # No files for you!
 
 %changelog
-* Fri Mar 18 2016 Petr Stodulka <pstodulk@redhat.com> - 1.8.3.1-6.1
+* Wed May 17 2017 Petr Stodulka <pstodulk@redhat.com> - 1.8.3.1-11
+- dissalow repo names beginning with dash
+  Resolves: CVE-2017-8386
+
+* Wed Mar 29 2017 Petr Stodulka <pstodulk@redhat.com> -1.8.3.1-10
+- do not put unsanitized branch names in $PS1
+  Resolves: CVE-2014-9938
+
+* Fri Feb 24 2017 Petr Stodulka <pstodulk@redhat.com> -1.8.3.1-9
+- add control of GSSAPI credential delegation to enable HTTP(S)-SSO
+  authentication
+  Resolves: #1369173
+
+* Sat Mar 19 2016 Petr Stodulka <pstodulk@redhat.com> - 1.8.3.1-8
+- remove needles check of xmalloc from previous patch
+  Resolves: #1318255
+
+* Fri Mar 18 2016 Petr Stodulka <pstodulk@redhat.com> - 1.8.3.1-7
 - fix heap overflow CVE-2016-2315 CVE-2016-2324
-  Resolves: #1318254
+  Resolves: #1318255
 
 * Wed Oct 28 2015 Petr Stodulka <pstodulk@redhat.com> - 1.8.3.1-6
 - fix arbitrary code execution via crafted URLs