diff --git a/SOURCES/0145-certprofile-mod-correctly-authorise-config-update.patch b/SOURCES/0145-certprofile-mod-correctly-authorise-config-update.patch
new file mode 100644
index 0000000..729a5b9
--- /dev/null
+++ b/SOURCES/0145-certprofile-mod-correctly-authorise-config-update.patch
@@ -0,0 +1,43 @@
+From 8de62d5187f54b0e994c160a1d39dbece4615aa5 Mon Sep 17 00:00:00 2001
+From: Fraser Tweedale <ftweedal@redhat.com>
+Date: Tue, 15 Nov 2016 14:02:54 +1000
+Subject: [PATCH] certprofile-mod: correctly authorise config update
+
+Certificate profiles consist of an FreeIPA object, and a
+corresponding Dogtag configuration object.  When updating profile
+configuration, changes to the Dogtag configuration are not properly
+authorised, allowing unprivileged operators to modify (but not
+create or delete) profiles.  This could result in issuance of
+certificates with fraudulent subject naming information, improper
+key usage, or other badness.
+
+Update certprofile-mod to ensure that the operator has permission to
+modify FreeIPA certprofile objects before modifying the Dogtag
+configuration.
+
+https://fedorahosted.org/freeipa/ticket/6560
+
+Reviewed-By: Jan Cholasta <jcholast@redhat.com>
+---
+ ipaserver/plugins/certprofile.py | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/ipaserver/plugins/certprofile.py b/ipaserver/plugins/certprofile.py
+index f4466077484591c8e941027fa8e4897602384f7c..2bd3311e3b729b768188d537bf7f675a0f9346c2 100644
+--- a/ipaserver/plugins/certprofile.py
++++ b/ipaserver/plugins/certprofile.py
+@@ -310,6 +310,11 @@ class certprofile_mod(LDAPUpdate):
+             raise errors.ProtectedEntryError(label='certprofile', key=keys[0],
+                 reason=_('Certificate profiles cannot be renamed'))
+         if 'file' in options:
++            # ensure operator has permission to update a certprofile
++            if not ldap.can_write(dn, 'ipacertprofilestoreissued'):
++                raise errors.ACIError(info=_(
++                    "Insufficient privilege to modify a certificate profile."))
++
+             with self.api.Backend.ra_certprofile as profile_api:
+                 profile_api.disable_profile(keys[0])
+                 try:
+-- 
+2.10.2
+
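Review bot: The added check gates the Dogtag configuration update on write access to one attribute, `ldap.can_write(dn, 'ipacertprofilestoreissued')`, rather than on the certprofile entry as a whole, and the comment above it does not explain why that attribute stands in for "may modify this profile". Any ACI that grants write on that single attribute, or a later ACI change that drops it from the profile-modification permission, would silently widen or break the authorisation, so the proxy choice should be recorded next to the check: `# write access to ipacertprofilestoreissued is used as a proxy for the permission to modify certprofile entries; keep this in sync with the ACI definitions`. The check is correctly placed before `disable_profile`, so a denied operator leaves the profile enabled. The enclosing method of certprofile_mod starts and ends outside the hunk, and `ldap` and `dn` are presumably bound earlier in it.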
diff --git a/SOURCES/0146-password-policy-Add-explicit-default-password-policy.patch b/SOURCES/0146-password-policy-Add-explicit-default-password-policy.patch
new file mode 100644
index 0000000..9c4e4af
--- /dev/null
+++ b/SOURCES/0146-password-policy-Add-explicit-default-password-policy.patch
@@ -0,0 +1,192 @@
+From 016631a08b67bda3dc996b84061f863e0f5cdc7f Mon Sep 17 00:00:00 2001
+From: David Kupka <dkupka@redhat.com>
+Date: Thu, 29 Sep 2016 15:59:34 +0200
+Subject: [PATCH] password policy: Add explicit default password policy for
+ hosts and services
+
+Set explicitly krbPwdPolicyReference attribute to all hosts (entries in
+cn=computers,cn=accounts), services (entries in cn=services,cn=accounts) and
+Kerberos services (entries in cn=$REALM,cn=kerberos). This is done using DS's
+CoS so no attributes are really added.
+
+The default policies effectively disable any enforcement or lockout for hosts
+and services. Since hosts and services use keytabs passwords enforcements
+doesn't make much sense. Also the lockout policy could be used for easy and
+cheap DoS.
+
+https://fedorahosted.org/freeipa/ticket/6561
+
+Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
+---
+ install/updates/20-default_password_policy.update | 133 ++++++++++++++++++++++
+ install/updates/Makefile.am                       |   1 +
+ ipaserver/install/service.py                      |   1 +
+ 3 files changed, 135 insertions(+)
+ create mode 100644 install/updates/20-default_password_policy.update
+
+diff --git a/install/updates/20-default_password_policy.update b/install/updates/20-default_password_policy.update
+new file mode 100644
+index 0000000000000000000000000000000000000000..b1f9754a98e9c4b9cb8558e96f7195ea87c2f1ce
+--- /dev/null
++++ b/install/updates/20-default_password_policy.update
+@@ -0,0 +1,133 @@
++# Default password policies for hosts, services and Kerberos services
++# Setting all attributes to zero effectively disables any password policy
++# We can do this because hosts and services uses keytabs instead of passwords
++
++# hosts
++dn: cn=Default Host Password Policy,cn=computers,cn=accounts,$SUFFIX
++default:objectClass: krbPwdPolicy
++default:objectClass: nsContainer
++default:objectClass: top
++default:cn: Default Host Password Policy
++default:krbMinPwdLife: 0
++default:krbPwdMinDiffChars: 0
++default:krbPwdMinLength: 0
++default:krbPwdHistoryLength: 0
++default:krbMaxPwdLife: 0
++default:krbPwdMaxFailure: 0
++default:krbPwdFailureCountInterval: 0
++default:krbPwdLockoutDuration: 0
++
++# services
++dn: cn=Default Service Password Policy,cn=services,cn=accounts,$SUFFIX
++default:objectClass: krbPwdPolicy
++default:objectClass: nsContainer
++default:objectClass: top
++default:cn: Default Service Password Policy
++default:krbMinPwdLife: 0
++default:krbPwdMinDiffChars: 0
++default:krbPwdMinLength: 0
++default:krbPwdHistoryLength: 0
++default:krbMaxPwdLife: 0
++default:krbPwdMaxFailure: 0
++default:krbPwdFailureCountInterval: 0
++default:krbPwdLockoutDuration: 0
++
++# kerberos policy container
++# this is necessary to avoid mixing the Kerberos sevice password policy
++# with group-membership based user password policies
++dn: cn=Kerberos Service Password Policy,cn=$REALM,cn=kerberos,$SUFFIX
++default:objectClass: nsContainer
++default:objectClass: top
++default:cn: Kerberos Service Password Policy
++
++# kerberos services
++dn: cn=Default Kerberos Service Password Policy,cn=Kerberos Service Password Policy,cn=$REALM,cn=kerberos,$SUFFIX
++default:objectClass: krbPwdPolicy
++default:objectClass: nsContainer
++default:objectClass: top
++default:cn: Default Kerberos Service Password Policy
++default:krbMinPwdLife: 0
++default:krbPwdMinDiffChars: 0
++default:krbPwdMinLength: 0
++default:krbPwdHistoryLength: 0
++default:krbMaxPwdLife: 0
++default:krbPwdMaxFailure: 0
++default:krbPwdFailureCountInterval: 0
++default:krbPwdLockoutDuration: 0
++
++# default password policies for hosts, services and kerberos services
++# cosPriority is set intentionally to higher number than FreeIPA API allows
++# to set to ensure that these password policies have always lower priority
++# than any defined by user.
++
++# hosts
++dn: cn=cosTemplates,cn=computers,cn=accounts,$SUFFIX
++default:objectclass: top
++default:objectclass: nsContainer
++default:cn: cosTemplates
++
++dn: cn=Default Password Policy,cn=cosTemplates,cn=computers,cn=accounts,$SUFFIX
++default:objectclass: top
++default:objectclass: cosTemplate
++default:objectclass: extensibleObject
++default:objectclass: krbContainer
++default:cn: Default Password Policy
++default:cosPriority: 10000000000
++default:krbPwdPolicyReference: cn=Default Host Password Policy,cn=computers,cn=accounts,$SUFFIX
++
++dn: cn=Default Password Policy,cn=computers,cn=accounts,$SUFFIX
++default:description: Default Password Policy for Hosts
++default:objectClass: top
++default:objectClass: ldapsubentry
++default:objectClass: cosSuperDefinition
++default:objectClass: cosPointerDefinition
++default:cosTemplateDn: cn=Default Password Policy,cn=cosTemplates,cn=computers,cn=accounts,$SUFFIX
++default:cosAttribute: krbPwdPolicyReference default
++
++# services
++dn: cn=cosTemplates,cn=services,cn=accounts,$SUFFIX
++default:objectclass: top
++default:objectclass: nsContainer
++default:cn: cosTemplates
++
++dn: cn=Default Password Policy,cn=cosTemplates,cn=services,cn=accounts,$SUFFIX
++default:objectclass: top
++default:objectclass: cosTemplate
++default:objectclass: extensibleObject
++default:objectclass: krbContainer
++default:cn: Default Password Policy
++default:cosPriority: 10000000000
++default:krbPwdPolicyReference: cn=Default Service Password Policy,cn=services,cn=accounts,$SUFFIX
++
++dn: cn=Default Password Policy,cn=services,cn=accounts,$SUFFIX
++default:description: Default Password Policy for Services
++default:objectClass: top
++default:objectClass: ldapsubentry
++default:objectClass: cosSuperDefinition
++default:objectClass: cosPointerDefinition
++default:cosTemplateDn: cn=Default Password Policy,cn=cosTemplates,cn=services,cn=accounts,$SUFFIX
++default:cosAttribute: krbPwdPolicyReference default
++
++# kerberos services
++dn: cn=cosTemplates,cn=$REALM,cn=kerberos,$SUFFIX
++default:objectclass: top
++default:objectclass: nsContainer
++default:cn: cosTemplates
++
++dn: cn=Default Password Policy,cn=cosTemplates,cn=$REALM,cn=kerberos,$SUFFIX
++default:objectclass: top
++default:objectclass: cosTemplate
++default:objectclass: extensibleObject
++default:objectclass: krbContainer
++default:cn: Default Password Policy
++default:cosPriority: 10000000000
++default:krbPwdPolicyReference: cn=Default Kerberos Service Password Policy,cn=Kerberos Service Password Policy,cn=$REALM,cn=kerberos,$SUFFIX
++
++dn: cn=Default Password Policy,cn=$REALM,cn=kerberos,$SUFFIX
++default:description: Default Password Policy for Kerberos Services
++default:objectClass: top
++default:objectClass: ldapsubentry
++default:objectClass: cosSuperDefinition
++default:objectClass: cosPointerDefinition
++default:cosTemplateDn: cn=Default Password Policy,cn=cosTemplates,cn=$REALM,cn=kerberos,$SUFFIX
++default:cosAttribute: krbPwdPolicyReference default
+diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am
+index 455fd209d171888dc94a7f708dc5fa1743f62bf4..310ae39c3b659cbe897380f572824acb26009574 100644
+--- a/install/updates/Makefile.am
++++ b/install/updates/Makefile.am
+@@ -23,6 +23,7 @@ app_DATA =				\
+ 	20-winsync_index.update		\
+ 	20-idoverride_index.update	\
+ 	20-uuid.update  \
++	20-default_password_policy.update \
+ 	21-replicas_container.update	\
+ 	21-ca_renewal_container.update	\
+ 	21-certstore_container.update	\
+diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py
+index 057cd3d4b512513a4e3a8f228dc5f07f31fd84e0..6bb2e76f64ac11abc426c70c645cfb042be474c2 100644
+--- a/ipaserver/install/service.py
++++ b/ipaserver/install/service.py
+@@ -252,6 +252,7 @@ class Service(object):
+             # There is no service in the wrong location, nothing to do.
+             # This can happen when installing a replica
+             return None
++        entry.pop('krbpwdpolicyreference', None)  # don't copy virtual attr
+         newdn = DN(('krbprincipalname', principal), ('cn', 'services'), ('cn', 'accounts'), self.suffix)
+         hostdn = DN(('fqdn', self.fqdn), ('cn', 'computers'), ('cn', 'accounts'), self.suffix)
+         self.admin_conn.delete_entry(entry)
+-- 
+2.10.2
+
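Review bot: The comment on `entry.pop('krbpwdpolicyreference', None)  # don't copy virtual attr` is too terse for the behaviour it protects: the entry is read from under cn=computers, where the new CoS definition supplies krbPwdPolicyReference as a `default` virtual value, and writing it back as a real attribute on the re-created entry under cn=services would presumably pin the host policy to the service and override the CoS-provided service default. A fuller comment would let the next maintainer see why the pop must stay, for example `# krbPwdPolicyReference is a CoS-supplied virtual attribute here; writing it as a real value on the new entry would pin the host policy and shadow the CoS default for services`. The enclosing method of Service starts and ends outside the hunk.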
diff --git a/SOURCES/0147-ipa-kdb-search-for-password-policies-globally.patch b/SOURCES/0147-ipa-kdb-search-for-password-policies-globally.patch
new file mode 100644
index 0000000..96cc471
--- /dev/null
+++ b/SOURCES/0147-ipa-kdb-search-for-password-policies-globally.patch
@@ -0,0 +1,38 @@
+From a90a67fc7c4ef114e5f5336d868009fd0caa956b Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Thu, 15 Dec 2016 16:30:00 +0200
+Subject: [PATCH] ipa-kdb: search for password policies globally
+
+With the CoS templates now used to create additional password policies
+per object type that are placed under the object subtrees, DAL driver
+needs to search for the policies in the whole tree.
+
+Individual policies referenced by the krbPwdPolicyReference attribute
+are always searched by their full DN and with the base scope. However,
+when KDC asks a DAL driver to return a password policy by name, we don't
+have any specific base to search. The original code did search by the
+realm subtree.
+
+Fixes https://fedorahosted.org/freeipa/ticket/6561
+
+Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
+---
+ daemons/ipa-kdb/ipa_kdb_pwdpolicy.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c b/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c
+index 076314a12840881a340763ab5693131aaccafec6..0c810af98f7a37b76afc4ca40b29441d9793f12f 100644
+--- a/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c
++++ b/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c
+@@ -163,7 +163,7 @@ krb5_error_code ipadb_get_pwd_policy(krb5_context kcontext, char *name,
+     }
+ 
+     kerr = ipadb_simple_search(ipactx,
+-                               ipactx->realm_base, LDAP_SCOPE_SUBTREE,
++                               ipactx->base, LDAP_SCOPE_SUBTREE,
+                                src_filter, std_pwdpolicy_attrs, &res);
+     if (kerr) {
+         goto done;
+-- 
+2.10.2
+
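Review bot: Widening the by-name search from `ipactx->realm_base` to `ipactx->base` means ipadb_get_pwd_policy now spans subtrees that, with the per-container default policies introduced alongside this change, can hold several krbPwdPolicy entries, and nothing in the hunk guarantees that the name in `src_filter` matches only one of them. If more than one entry matches, the result handling after the hunk presumably uses the first entry returned, so the policy the KDC enforces would depend on directory ordering rather than on an explicit rule. Consider treating multiple matches as an error or at least logging them, and stating the assumption in a comment such as `/* policy names are assumed unique across the whole tree; multiple matches are ambiguous */`. ipadb_get_pwd_policy starts and ends outside the hunk.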
diff --git a/SOURCES/ipa-centos-branding.patch b/SOURCES/ipa-centos-branding.patch
deleted file mode 100644
index 673cd2f..0000000
--- a/SOURCES/ipa-centos-branding.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From 99efecaf87dc1fc9517efaff441a6a7ce46444eb Mon Sep 17 00:00:00 2001
-From: Jim Perrin <jperrin@centos.org>
-Date: Wed, 11 Mar 2015 10:37:03 -0500
-Subject: [PATCH] update for new ntp server method
-
----
- ipaplatform/base/paths.py        | 1 +
- ipaserver/install/ntpinstance.py | 2 ++
- 2 files changed, 3 insertions(+)
-
-diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
-index af50262..5090062 100644
---- a/ipaplatform/base/paths.py
-+++ b/ipaplatform/base/paths.py
-@@ -99,6 +99,7 @@ class BasePathNamespace(object):
-     PKI_TOMCAT_ALIAS_DIR = "/etc/pki/pki-tomcat/alias/"
-     PKI_TOMCAT_PASSWORD_CONF = "/etc/pki/pki-tomcat/password.conf"
-     ETC_REDHAT_RELEASE = "/etc/redhat-release"
-+    ETC_CENTOS_RELEASE = "/etc/centos-release"
-     RESOLV_CONF = "/etc/resolv.conf"
-     SAMBA_KEYTAB = "/etc/samba/samba.keytab"
-     SMB_CONF = "/etc/samba/smb.conf"
-diff --git a/ipaserver/install/ntpinstance.py b/ipaserver/install/ntpinstance.py
-index c653525..4b0578b 100644
---- a/ipaserver/install/ntpinstance.py
-+++ b/ipaserver/install/ntpinstance.py
-@@ -44,6 +44,8 @@ class NTPInstance(service.Service):
-         os = ""
-         if ipautil.file_exists(paths.ETC_FEDORA_RELEASE):
-             os = "fedora"
-+        elif ipautil.file_exists(paths.ETC_CENTOS_RELEASE):
-+            os = "centos"
-         elif ipautil.file_exists(paths.ETC_REDHAT_RELEASE):
-             os = "rhel"
- 
--- 
-1.8.3.1
-
diff --git a/SPECS/ipa.spec b/SPECS/ipa.spec
index d46d747..ab32d78 100644
--- a/SPECS/ipa.spec
+++ b/SPECS/ipa.spec
@@ -43,7 +43,7 @@
 
 Name:           ipa
 Version:        4.4.0
-Release:        14%{?dist}
+Release:        14%{?dist}.1.1
 Summary:        The Identity, Policy and Audit system
 
 Group:          System Environment/Base
@@ -51,10 +51,10 @@ License:        GPLv3+
 URL:            http://www.freeipa.org/
 Source0:        http://www.freeipa.org/downloads/src/freeipa-%{VERSION}.tar.gz
 # RHEL spec file only: START: Change branding to IPA and Identity-Management
-#Source1:        header-logo.png
-#Source2:        login-screen-background.jpg
-#Source3:        login-screen-logo.png
-#Source4:        product-name.png
+Source1:        header-logo.png
+Source2:        login-screen-background.jpg
+Source3:        login-screen-logo.png
+Source4:        product-name.png
 # RHEL spec file only: END: Change branding to IPA and Identity-Management
 BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
@@ -203,6 +203,9 @@ Patch0141:      0141-WebUI-services-without-canonical-name-are-shown-corr.patch
 Patch0142:      0142-Fix-missing-file-that-fails-DL1-replica-installation.patch
 Patch0143:      0143-trustdomain-del-fix-the-way-how-subdomain-is-searche.patch
 Patch0144:      0144-spec-file-bump-minimal-required-version-of-389-ds-ba.patch
+Patch0145:      0145-certprofile-mod-correctly-authorise-config-update.patch
+Patch0146:      0146-password-policy-Add-explicit-default-password-policy.patch
+Patch0147:      0147-ipa-kdb-search-for-password-policies-globally.patch
 
 Patch1001:      1001-Hide-pkinit-functionality-from-production-version.patch
 Patch1002:      1002-Remove-pkinit-plugin.patch
@@ -214,7 +217,6 @@ Patch1007:      1007-Do-not-build-tests.patch
 Patch1008:      1008-RCUE.patch
 Patch1009:      1009-Revert-Increased-mod_wsgi-socket-timeout.patch
 Patch1010:      1010-WebUI-add-API-browser-is-tech-preview-warning.patch
-Patch1011:      ipa-centos-branding.patch
 # RHEL spec file only: END
 
 %if ! %{ONLY_CLIENT}
@@ -794,10 +796,10 @@ for p in %patches ; do
 done
 
 # Red Hat's Identity Management branding
-#cp %SOURCE1 install/ui/images/header-logo.png
-#cp %SOURCE2 install/ui/images/login-screen-background.jpg
-#cp %SOURCE3 install/ui/images/login-screen-logo.png
-#cp %SOURCE4 install/ui/images/product-name.png
+cp %SOURCE1 install/ui/images/header-logo.png
+cp %SOURCE2 install/ui/images/login-screen-background.jpg
+cp %SOURCE3 install/ui/images/login-screen-logo.png
+cp %SOURCE4 install/ui/images/product-name.png
 # RHEL spec file only: END
 
 
@@ -1533,8 +1535,20 @@ fi
 
 
 %changelog
-* Tue Dec 06 2016 CentOS Sources <bugs@centos.org> - 4.4.0-14.el7.centos
-- Roll in CentOS Branding
+* Fri Dec 16 2016 Jan Cholasta <jcholast@redhat.com> - 4.4.0-14.1.1
+- Resolves: #1370493 CVE-2016-7030 ipa: DoS attack against kerberized services
+  by abusing password policy
+  - ipa-kdb: search for password policies globally
+- Renamed patches 1011 and 1012 to 0146 and 0145, as they were merged upstream
+
+* Mon Dec 12 2016 Jan Cholasta <jcholast@redhat.com> - 4.4.0-14.1
+- Resolves: #1370493 CVE-2016-7030 ipa: DoS attack against kerberized services
+  by abusing password policy
+  - password policy: Add explicit default password policy for hosts and
+    services
+- Resolves: #1395311 CVE-2016-9575 ipa: Insufficient permission check in
+  certprofile-mod
+  - certprofile-mod: correctly authorise config update
 
 * Tue Nov  1 2016 Jan Cholasta <jcholast@redhat.com> - 4.4.0-14
 - Resolves: #1378353 Replica install fails with old IPA master sometimes during