diff --git a/SOURCES/0001-libssh2-1.8.0-CVE-2019-3855.patch b/SOURCES/0001-libssh2-1.8.0-CVE-2019-3855.patch
new file mode 100644
index 0000000..ac66df3
--- /dev/null
+++ b/SOURCES/0001-libssh2-1.8.0-CVE-2019-3855.patch
@@ -0,0 +1,33 @@
+From db657a96ca37d87cceff14db66645ba17024803c Mon Sep 17 00:00:00 2001
+From: Kamil Dudka <kdudka@redhat.com>
+Date: Tue, 19 Mar 2019 13:16:53 +0100
+Subject: [PATCH] Resolves: CVE-2019-3855 - fix integer overflow in transport read
+
+... resulting in out of bounds write
+
+Upstream-Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3855.patch
+---
+ src/transport.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/src/transport.c b/src/transport.c
+index 8725da0..5349284 100644
+--- a/src/transport.c
++++ b/src/transport.c
+@@ -430,8 +430,12 @@ int _libssh2_transport_read(LIBSSH2_SESSION * session)
+              * and we can extract packet and padding length from it
+              */
+             p->packet_length = _libssh2_ntohu32(block);
+-            if (p->packet_length < 1)
++            if(p->packet_length < 1) {
+                 return LIBSSH2_ERROR_DECRYPT;
++            }
++            else if(p->packet_length > LIBSSH2_PACKET_MAXPAYLOAD) {
++                return LIBSSH2_ERROR_OUT_OF_BOUNDARY;
++            }
+ 
+             p->padding_length = block[4];
+ 
+-- 
+2.17.2
+
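Review bot: In the src/transport.c hunk, `p->padding_length = block[4];` follows the new bounds check with no visible comparison against `p->packet_length`, so only the packet length itself is range-checked here. If code later in _libssh2_transport_read (outside this hunk) derives a payload size from both values, a padding byte larger than `packet_length - 1` should be rejected too, for example `if(p->padding_length > p->packet_length - 1) return LIBSSH2_ERROR_DECRYPT;`. The new branch would also benefit from a one-line comment such as `/* packet_length is peer-controlled; cap it before it is used to size the packet buffer */`, since the patch subject is the only place that explains the upper bound.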
diff --git a/SOURCES/0002-libssh2-1.8.0-CVE-2019-3856.patch b/SOURCES/0002-libssh2-1.8.0-CVE-2019-3856.patch
new file mode 100644
index 0000000..076f08b
--- /dev/null
+++ b/SOURCES/0002-libssh2-1.8.0-CVE-2019-3856.patch
@@ -0,0 +1,44 @@
+From cc573aafb6f4b24bce9b82f308e92b9723a73024 Mon Sep 17 00:00:00 2001
+From: Kamil Dudka <kdudka@redhat.com>
+Date: Tue, 19 Mar 2019 13:22:24 +0100
+Subject: [PATCH] Resolves: CVE-2019-3856 - fix integer overflow in keyboard
+ interactive handling
+
+... resulting in out of bounds write
+
+Upstream-Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3856.patch
+
+I believe that:
+
+    `(session->userauth_kybd_num_prompts && session->userauth_kybd_num_prompts > 100)`
+
+... can be simplified as:
+
+    `(session->userauth_kybd_num_prompts > 100)`
+
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ src/userauth.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/src/userauth.c b/src/userauth.c
+index cdfa25e..3946cf9 100644
+--- a/src/userauth.c
++++ b/src/userauth.c
+@@ -1498,6 +1498,13 @@ userauth_keyboard_interactive(LIBSSH2_SESSION * session,
+             /* int       num-prompts */
+             session->userauth_kybd_num_prompts = _libssh2_ntohu32(s);
+             s += 4;
++            if(session->userauth_kybd_num_prompts && 
++               session->userauth_kybd_num_prompts > 100) {
++               _libssh2_error(session, LIBSSH2_ERROR_OUT_OF_BOUNDARY,
++                              "Too many replies for "
++                              "keyboard-interactive prompts");
++               goto cleanup;
++            }
+ 
+             if(session->userauth_kybd_num_prompts) {
+                 session->userauth_kybd_prompts =
+-- 
+2.17.2
+
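Review bot: In the src/userauth.c hunk, `session->userauth_kybd_num_prompts` still holds the rejected peer-supplied count when the new branch runs `goto cleanup;`. The cleanup label is outside the hunk, so it cannot be confirmed from here that nothing there iterates over that count. Resetting it first with `session->userauth_kybd_num_prompts = 0;` would make the rejection path independent of what cleanup does. The literal `100` would read better as a named constant with a comment on where the limit comes from, and the message says "replies" although the value checked is the prompt count.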
diff --git a/SOURCES/0003-libssh2-1.8.0-CVE-2019-3857.patch b/SOURCES/0003-libssh2-1.8.0-CVE-2019-3857.patch
new file mode 100644
index 0000000..fc14251
--- /dev/null
+++ b/SOURCES/0003-libssh2-1.8.0-CVE-2019-3857.patch
@@ -0,0 +1,124 @@
+From cbd8d5c44701f97eccd6602e3d745fc37a8d7ff4 Mon Sep 17 00:00:00 2001
+From: Kamil Dudka <kdudka@redhat.com>
+Date: Tue, 19 Mar 2019 13:29:35 +0100
+Subject: [PATCH 1/2] Resolves: CVE-2019-3857 - fix integer overflow in SSH
+ packet processing channel
+
+... resulting in out of bounds write
+
+Upstream-Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3857.patch
+---
+ include/libssh2.h | 12 ++++++++++++
+ src/packet.c      | 11 +++++++++--
+ 2 files changed, 21 insertions(+), 2 deletions(-)
+
+diff --git a/include/libssh2.h b/include/libssh2.h
+index 34d2842..e25c380 100644
+--- a/include/libssh2.h
++++ b/include/libssh2.h
+@@ -71,6 +71,18 @@
+ */
+ #define LIBSSH2_VERSION_NUM 0x010403
+ 
++#ifndef SIZE_MAX
++#if _WIN64
++#define SIZE_MAX 0xFFFFFFFFFFFFFFFF
++#else
++#define SIZE_MAX 0xFFFFFFFF
++#endif
++#endif
++
++#ifndef UINT_MAX
++#define UINT_MAX 0xFFFFFFFF
++#endif
++
+ /*
+  * This is the date and time when the full source package was created. The
+  * timestamp is not stored in the source code repo, as the timestamp is
+diff --git a/src/packet.c b/src/packet.c
+index 5f1feb8..aa10633 100644
+--- a/src/packet.c
++++ b/src/packet.c
+@@ -814,8 +814,15 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
+                         /* set signal name (without SIG prefix) */
+                         uint32_t namelen =
+                             _libssh2_ntohu32(data + 9 + sizeof("exit-signal"));
+-                        channelp->exit_signal =
+-                            LIBSSH2_ALLOC(session, namelen + 1);
++
++                        if(namelen <= UINT_MAX - 1) {
++                            channelp->exit_signal =
++                                LIBSSH2_ALLOC(session, namelen + 1);
++                        }
++                        else {
++                            channelp->exit_signal = NULL;
++                        }
++
+                         if (!channelp->exit_signal)
+                             rc = _libssh2_error(session, LIBSSH2_ERROR_ALLOC,
+                                                 "memory for signal name");
+-- 
+2.17.2
+
+
+From 0708c71871976ccf6d45fd0971a079d271413f92 Mon Sep 17 00:00:00 2001
+From: Michael Buckley <michael@buckleyisms.com>
+Date: Mon, 18 Mar 2019 15:07:12 -0700
+Subject: [PATCH 2/2] Move fallback SIZE_MAX and UINT_MAX to libssh2_priv.h
+
+Upstream-commit: 31d0b1a8530b959bd12c2074dc6e883e1eda8207
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ include/libssh2.h  | 12 ------------
+ src/libssh2_priv.h | 12 ++++++++++++
+ 2 files changed, 12 insertions(+), 12 deletions(-)
+
+diff --git a/include/libssh2.h b/include/libssh2.h
+index e25c380..34d2842 100644
+--- a/include/libssh2.h
++++ b/include/libssh2.h
+@@ -71,18 +71,6 @@
+ */
+ #define LIBSSH2_VERSION_NUM 0x010403
+ 
+-#ifndef SIZE_MAX
+-#if _WIN64
+-#define SIZE_MAX 0xFFFFFFFFFFFFFFFF
+-#else
+-#define SIZE_MAX 0xFFFFFFFF
+-#endif
+-#endif
+-
+-#ifndef UINT_MAX
+-#define UINT_MAX 0xFFFFFFFF
+-#endif
+-
+ /*
+  * This is the date and time when the full source package was created. The
+  * timestamp is not stored in the source code repo, as the timestamp is
+diff --git a/src/libssh2_priv.h b/src/libssh2_priv.h
+index b4296a2..bb5d1a5 100644
+--- a/src/libssh2_priv.h
++++ b/src/libssh2_priv.h
+@@ -144,6 +144,18 @@ static inline int writev(int sock, struct iovec *iov, int nvecs)
+ 
+ #endif
+ 
++#ifndef SIZE_MAX
++#if _WIN64
++#define SIZE_MAX 0xFFFFFFFFFFFFFFFF
++#else
++#define SIZE_MAX 0xFFFFFFFF
++#endif
++#endif
++
++#ifndef UINT_MAX
++#define UINT_MAX 0xFFFFFFFF
++#endif
++
+ /* RFC4253 section 6.1 Maximum Packet Length says:
+  *
+  * "All implementations MUST be able to process packets with
+-- 
+2.17.2
+
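Review bot: In the src/packet.c hunk, `namelen` is compared only with `UINT_MAX - 1`, which stops `namelen + 1` from wrapping but does not tie the value to the size of the packet it was read from. The code that fills `channelp->exit_signal` is outside the hunk; if it copies `namelen` bytes out of `data`, the length should also be checked against the received packet length before the allocation. Separately, the fallback `#define SIZE_MAX 0xFFFFFFFF` for every non-_WIN64 target understates size_t on any 64-bit platform that lacks the macro. Including `<limits.h>` and `<stdint.h>` in libssh2_priv.h would be preferable to hand-written values, and `#if _WIN64` is more robust as `#ifdef _WIN64`.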
diff --git a/SOURCES/0009-libssh2-1.8.0-CVE-2019-3863.patch b/SOURCES/0009-libssh2-1.8.0-CVE-2019-3863.patch
new file mode 100644
index 0000000..db3ab3c
--- /dev/null
+++ b/SOURCES/0009-libssh2-1.8.0-CVE-2019-3863.patch
@@ -0,0 +1,40 @@
+From 9ed3c716b63c77e9b52f71f2dae5464ade6143df Mon Sep 17 00:00:00 2001
+From: Kamil Dudka <kdudka@redhat.com>
+Date: Tue, 19 Mar 2019 13:47:41 +0100
+Subject: [PATCH] Resolves: CVE-2019-3863 - fix integer overflow in user
+ authenticate keyboard interactive
+
+... that allows out-of-bounds writes
+
+Upstream-Patch: https://libssh2.org/1.8.0-CVE/CVE-2019-3863.patch
+---
+ src/userauth.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/src/userauth.c b/src/userauth.c
+index 3946cf9..ee924c5 100644
+--- a/src/userauth.c
++++ b/src/userauth.c
+@@ -1578,8 +1578,17 @@ userauth_keyboard_interactive(LIBSSH2_SESSION * session,
+ 
+             for(i = 0; i != session->userauth_kybd_num_prompts; ++i) {
+                 /* string    response[1] (ISO-10646 UTF-8) */
+-                session->userauth_kybd_packet_len +=
+-                    4 + session->userauth_kybd_responses[i].length;
++                 if(session->userauth_kybd_responses[i].length <=
++                   (SIZE_MAX - 4 - session->userauth_kybd_packet_len) ) {
++                    session->userauth_kybd_packet_len +=
++                        4 + session->userauth_kybd_responses[i].length;
++                }
++                else {
++                    _libssh2_error(session, LIBSSH2_ERROR_ALLOC,
++                                   "Unable to allocate memory for keyboard-"
++                                   "interactive response packet");
++                    goto cleanup;
++                }
+             }
+ 
+             /* A new userauth_kybd_data area is to be allocated, free the
+-- 
+2.17.2
+
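Review bot: The new guard computes `SIZE_MAX - 4 - session->userauth_kybd_packet_len`, which itself wraps once `userauth_kybd_packet_len` is greater than `SIZE_MAX - 4`, and the guard as written lets the running total reach that range. In that state the comparison passes for any response length and the addition overflows after all. Checking the accumulator first closes the gap: `if(session->userauth_kybd_packet_len <= SIZE_MAX - 4 && session->userauth_kybd_responses[i].length <= SIZE_MAX - 4 - session->userauth_kybd_packet_len)`. The check also presumes `userauth_kybd_packet_len` is a `size_t`; its declaration is not in the hunk. The loop sits inside userauth_keyboard_interactive, whose body extends beyond the hunk.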
diff --git a/SPECS/libssh2.spec b/SPECS/libssh2.spec
index 671a235..acb202d 100644
--- a/SPECS/libssh2.spec
+++ b/SPECS/libssh2.spec
@@ -12,7 +12,7 @@
 
 Name:		libssh2
 Version:	1.4.3
-Release:	12%{?dist}
+Release:	12%{?dist}.2
 Summary:	A library implementing the SSH2 protocol
 Group:		System Environment/Libraries
 License:	BSD
@@ -32,6 +32,19 @@ Patch10:	0010-Set-default-window-size-to-2MB.patch
 Patch11:	0011-channel_receive_window_adjust-store-windows-size-alw.patch
 Patch12:	0012-libssh2_agent_init-init-fd-to-LIBSSH2_INVALID_SOCKET.patch
 Patch13:	0013-kex-bail-out-on-rubbish-in-the-incoming-packet.patch
+
+# fix integer overflow in transport read resulting in out of bounds write (CVE-2019-3855)
+Patch201:   0001-libssh2-1.8.0-CVE-2019-3855.patch
+
+# fix integer overflow in keyboard interactive handling resulting in out of bounds write (CVE-2019-3856)
+Patch202:   0002-libssh2-1.8.0-CVE-2019-3856.patch
+
+# fix integer overflow in SSH packet processing channel resulting in out of bounds write (CVE-2019-3857)
+Patch203:   0003-libssh2-1.8.0-CVE-2019-3857.patch
+
+# fix integer overflow in keyboard interactive handling that allows out-of-bounds writes (CVE-2019-3863)
+Patch209:   0009-libssh2-1.8.0-CVE-2019-3863.patch
+
 Patch14:	0014-libssh2-1.4.3-scp-remote-exec.patch
 Patch15:	0015-libssh2-1.4.3-debug-msgs.patch
 Patch101:	0101-libssh2-1.4.3-CVE-2016-0787.patch
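Review bot: The new Patch201–Patch203 and Patch209 entries leave 204–208 unused, and the file names jump from 0003 to 0009, which suggests a larger series, yet nothing says whether the intervening fixes were judged not applicable to 1.4.3 or are still pending. A short comment above the block, e.g. `# 0004-0008 of the CVE series: <reason not applied>`, would let someone auditing CVE coverage tell an intentional omission from a missed backport. The same applies to the `# rhel-7.6.z patches` group in the %prep hunk. The file names also say 1.8.0 although the patch context shows they are rebased onto 1.4.3, which is worth a word in the same comment.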
@@ -116,6 +129,12 @@ sed -i s/4711/47%{?__isa_bits}/ tests/ssh2.{c,sh}
 # use secrects of the appropriate length in Diffie-Hellman (CVE-2016-0787)
 %patch101 -p1
 
+# rhel-7.6.z patches
+%patch201 -p1
+%patch202 -p1
+%patch203 -p1
+%patch209 -p1
+
 # scp: send valid commands for remote execution (#1489733)
 %patch14 -p1
 
@@ -188,6 +207,15 @@ rm -rf %{buildroot}
 %{_libdir}/pkgconfig/libssh2.pc
 
 %changelog
+* Wed Mar 20 2019 Kamil Dudka <kdudka@redhat.com> 1.4.3-12.el7_6.2
+- sanitize public header file (detected by rpmdiff)
+
+* Tue Mar 19 2019 Kamil Dudka <kdudka@redhat.com> 1.4.3-12.el7_6.1
+- fix integer overflow in keyboard interactive handling that allows out-of-bounds writes (CVE-2019-3863)
+- fix integer overflow in SSH packet processing channel resulting in out of bounds write (CVE-2019-3857)
+- fix integer overflow in keyboard interactive handling resulting in out of bounds write (CVE-2019-3856)
+- fix integer overflow in transport read resulting in out of bounds write (CVE-2019-3855)
+
 * Tue Sep 26 2017 Kamil Dudka <kdudka@redhat.com> 1.4.3-12
 - session: avoid printing misleading debug messages (#1503294)
 - scp: send valid commands for remote execution (#1489733)