diff --git a/SOURCES/glibc-rh1213603.patch b/SOURCES/glibc-rh1213603.patch
new file mode 100644
index 0000000..3b14dbd
--- /dev/null
+++ b/SOURCES/glibc-rh1213603.patch
@@ -0,0 +1,41 @@
+commit 31d0a4fa646db8b8c97ce24e0ec0a7b73de4fca1
+Author: Florian Weimer <fweimer@redhat.com>
+Date:   Sat Jun 11 12:12:56 2016 +0200
+
+    nss_db: Fix initialization of iteration position [BZ #20237]
+    
+    When get*ent is called without a preceding set*ent, we need
+    to set the initial iteration position in get*ent.
+    
+    Reproducer: Add “services: db files” to /etc/nsswitch.conf, then run
+    “perl -e getservent”.  It will segfault before this change, and exit
+    silently after it.
+
+Index: b/nss/nss_db/db-XXX.c
+===================================================================
+--- a/nss/nss_db/db-XXX.c
++++ b/nss/nss_db/db-XXX.c
+@@ -76,7 +76,7 @@ CONCAT(_nss_db_set,ENTNAME) (int stayope
+       keep_db |= stayopen;
+ 
+       /* Reset the sequential index.  */
+-      entidx  = (const char *) state.header + state.header->valstroffset;
++      entidx  = NULL;
+     }
+ 
+   __libc_lock_unlock (lock);
+@@ -249,8 +249,14 @@ CONCAT(_nss_db_get,ENTNAME_r) (struct ST
+ 	  H_ERRNO_SET (NETDB_INTERNAL);
+ 	  goto out;
+ 	}
++      entidx = NULL;
+     }
+ 
++  /* Start from the beginning if freshly initialized or reset
++     requested by set*ent.  */
++  if (entidx == NULL)
++    entidx = (const char *) state.header + state.header->valstroffset;
++
+   status = NSS_STATUS_UNAVAIL;
+   if (state.header != MAP_FAILED)
+     {
diff --git a/SOURCES/glibc-rh1318890.patch b/SOURCES/glibc-rh1318890.patch
new file mode 100644
index 0000000..f091765
--- /dev/null
+++ b/SOURCES/glibc-rh1318890.patch
@@ -0,0 +1,36 @@
+commit a6033052d08027f745867e5e346852da1959226c
+Author: Florian Weimer <fweimer@redhat.com>
+Date:   Tue Mar 29 11:27:32 2016 +0200
+
+    nss_db: Propagate ERANGE error if parse_line fails [BZ #19837]
+    
+    Reproducer (needs to run as root):
+    
+    perl -e \
+      'print "large:x:999:" . join(",", map {"user$_"} (1 .. 135))."\n"' \
+      >> /etc/group
+    cd /var/db
+    make
+    getent -s db group
+    
+    After the fix, the last command should list the "large" group.
+    
+    The magic number 135 has been chosen so that the line is shorter than
+    1024 bytes, but the pointers required to encode the member array will
+    cross the threshold, triggering the bug.
+
+Index: b/nss/nss_db/db-XXX.c
+===================================================================
+--- a/nss/nss_db/db-XXX.c
++++ b/nss/nss_db/db-XXX.c
+@@ -284,8 +284,8 @@ CONCAT(_nss_db_get,ENTNAME_r) (struct ST
+ 	    }
+ 	  if (err < 0)
+ 	    {
+-	      H_ERRNO_SET (HOST_NOT_FOUND);
+-	      status = NSS_STATUS_NOTFOUND;
++	      H_ERRNO_SET (NETDB_INTERNAL);
++	      status = NSS_STATUS_TRYAGAIN;
+ 	      break;
+ 	    }
+ 
diff --git a/SOURCES/glibc-rh1366569.patch b/SOURCES/glibc-rh1366569.patch
new file mode 100644
index 0000000..c69b733
--- /dev/null
+++ b/SOURCES/glibc-rh1366569.patch
@@ -0,0 +1,16 @@
+Do not set initgroups.  The commented-out setting reflects the
+glibc default (derived from group).
+
+Index: b/releng/nsswitch.conf
+===================================================================
+--- a/releng/nsswitch.conf
++++ b/releng/nsswitch.conf
+@@ -33,7 +33,7 @@
+ passwd:     files sss
+ shadow:     files sss
+ group:      files sss
+-initgroups: files
++#initgroups: files sss
+ 
+ #hosts:     db files nisplus nis dns
+ hosts:      files dns
diff --git a/SOURCES/glibc-rh1370630.patch b/SOURCES/glibc-rh1370630.patch
new file mode 100644
index 0000000..30d3d4f
--- /dev/null
+++ b/SOURCES/glibc-rh1370630.patch
@@ -0,0 +1,65 @@
+commit 4969890247d7d6a548f17641ed5a18f4b713d211
+Author: Alexandre Oliva <aoliva@redhat.com>
+Date:   Fri Nov 21 03:29:56 2014 -0200
+
+    BZ#14498: fix infinite loop in nss_db_getservbyname
+    
+    nss_db uses nss_files code for services, but a continue on protocol
+    mismatch that doesn't affect nss_files skipped the code that advanced
+    to the next db entry.  Any one of these changes would suffice to fix
+    it, but fixing both makes them both safer to reuse elsewhere.
+    
+    for  ChangeLog
+    
+    	[BZ #14498]
+    	* NEWS: Fixed.
+    	* nss/nss_db/db-XXX.c (_nss_db_get##name##_r): Update hidx
+    	after parsing line but before break_if_match.
+    	* nss/nss_files/files-service (DB_LOOKUP): Don't "continue;"
+    	if there is a protocol mismatch.
+
+Index: b/nss/nss_db/db-XXX.c
+===================================================================
+--- a/nss/nss_db/db-XXX.c
++++ b/nss/nss_db/db-XXX.c
+@@ -190,6 +190,12 @@ enum nss_status								      \
+       char *p = memcpy (buffer, valstr, len);				      \
+ 									      \
+       int err = parse_line (p, result, data, buflen, errnop EXTRA_ARGS);      \
++									      \
++      /* Advance before break_if_match, lest it uses continue to skip
++	 to the next entry.  */						      \
++      if ((hidx += hval2) >= header->dbs[i].hashsize)			      \
++	hidx -= header->dbs[i].hashsize;				      \
++									      \
+       if (err > 0)							      \
+ 	{								      \
+ 	  status = NSS_STATUS_SUCCESS;					      \
+@@ -202,9 +208,6 @@ enum nss_status								      \
+ 	  status = NSS_STATUS_TRYAGAIN;					      \
+ 	  break;							      \
+ 	}								      \
+-									      \
+-      if ((hidx += hval2) >= header->dbs[i].hashsize)			      \
+-	hidx -= header->dbs[i].hashsize;				      \
+     }									      \
+ 									      \
+   if (status == NSS_STATUS_NOTFOUND)					      \
+Index: b/nss/nss_files/files-service.c
+===================================================================
+--- a/nss/nss_files/files-service.c
++++ b/nss/nss_files/files-service.c
+@@ -44,8 +44,11 @@ DB_LOOKUP (servbyname, ':',
+ 	   {
+ 	     /* Must match both protocol (if specified) and name.  */
+ 	     if (proto != NULL && strcmp (result->s_proto, proto))
+-	       continue;
+-	     LOOKUP_NAME (s_name, s_aliases)
++	       /* A continue statement here breaks nss_db, because it
++		bypasses advancing to the next db entry, and it
++		doesn't make nss_files any more efficient.  */;
++	     else
++	       LOOKUP_NAME (s_name, s_aliases)
+ 	   },
+ 	   const char *name, const char *proto)
+ 
diff --git a/SPECS/glibc.spec b/SPECS/glibc.spec
index c7c7c57..eb8e8d5 100644
--- a/SPECS/glibc.spec
+++ b/SPECS/glibc.spec
@@ -1,6 +1,6 @@
 %define glibcsrcdir glibc-2.17-c758a686
 %define glibcversion 2.17
-%define glibcrelease 157%{?dist}
+%define glibcrelease 157%{?dist}.1
 ##############################################################################
 # We support the following options:
 # --with/--without,
@@ -997,6 +997,14 @@ Patch2071: glibc-rh1335925-2.patch
 Patch2072: glibc-rh1335925-3.patch
 Patch2073: glibc-rh1335925-4.patch
 
+# Do not set initgroups in default nsswitch.conf
+Patch2074: glibc-rh1366569.patch
+
+# Various nss_db fixes
+Patch2075: glibc-rh1318890.patch
+Patch2076: glibc-rh1213603.patch
+Patch2077: glibc-rh1370630.patch
+
 ##############################################################################
 # End of glibc patches.
 ##############################################################################
@@ -1605,6 +1613,10 @@ package or when debugging this package.
 %patch2071 -p1
 %patch2072 -p1
 %patch2073 -p1
+%patch2074 -p1
+%patch2075 -p1
+%patch2076 -p1
+%patch2077 -p1
 # Rebase of microbenchmarks.
 %patch1607 -p1
 %patch1609 -p1
@@ -2939,6 +2951,12 @@ rm -f *.filelist*
 %endif
 
 %changelog
+* Thu Oct 27 2016 Carlos O'Donell <carlos@redhat.com> - 2.17-157.1
+- Do not set initgroups in default nsswitch.conf (#1388638)
+- nss_db: Request larger buffers for long group entries (#1388637)
+- nss_db: Fix get*ent crash without preceding set*ent (#1388635)
+- nss_db: Fix endless loop in services database processing (#1388639)
+
 * Thu Aug 11 2016 Florian Weimer <fweimer@redhat.com> - 2.17-157
 - Rebuild with updated binutils (#1268008)