diff --git a/SOURCES/libvirt-api-disallow-virConnect-HypervisorCPU-on-read-only-connections.patch b/SOURCES/libvirt-api-disallow-virConnect-HypervisorCPU-on-read-only-connections.patch
new file mode 100644
index 0000000..0f182be
--- /dev/null
+++ b/SOURCES/libvirt-api-disallow-virConnect-HypervisorCPU-on-read-only-connections.patch
@@ -0,0 +1,46 @@
+From 80850486e791a69a4cd58851617f321b84f7c178 Mon Sep 17 00:00:00 2001
+Message-Id: <80850486e791a69a4cd58851617f321b84f7c178@dist-git>
+From: =?UTF-8?q?J=C3=A1n=20Tomko?= <jtomko@redhat.com>
+Date: Tue, 18 Jun 2019 13:30:02 +0200
+Subject: [PATCH] api: disallow virConnect*HypervisorCPU on read-only
+ connections
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+These APIs can be used to execute arbitrary emulators.
+Forbid them on read-only connections.
+
+Fixes: CVE-2019-10168
+Signed-off-by: Ján Tomko <jtomko@redhat.com>
+Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
+Signed-off-by: Ján Tomko <jtomko@redhat.com>
+Message-Id: <470651092e7d6a4ba5875cf8885fd3714d5ea189.1560857354.git.jtomko@redhat.com>
+Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
+---
+ src/libvirt-host.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/libvirt-host.c b/src/libvirt-host.c
+index e20d6ee250..2978825d22 100644
+--- a/src/libvirt-host.c
++++ b/src/libvirt-host.c
+@@ -1041,6 +1041,7 @@ virConnectCompareHypervisorCPU(virConnectPtr conn,
+ 
+     virCheckConnectReturn(conn, VIR_CPU_COMPARE_ERROR);
+     virCheckNonNullArgGoto(xmlCPU, error);
++    virCheckReadOnlyGoto(conn->flags, error);
+ 
+     if (conn->driver->connectCompareHypervisorCPU) {
+         int ret;
+@@ -1234,6 +1235,7 @@ virConnectBaselineHypervisorCPU(virConnectPtr conn,
+ 
+     virCheckConnectReturn(conn, NULL);
+     virCheckNonNullArgGoto(xmlCPUs, error);
++    virCheckReadOnlyGoto(conn->flags, error);
+ 
+     if (conn->driver->connectBaselineHypervisorCPU) {
+         char *cpu;
+-- 
+2.22.0
+
diff --git a/SOURCES/libvirt-api-disallow-virConnectGetDomainCapabilities-on-read-only-connections.patch b/SOURCES/libvirt-api-disallow-virConnectGetDomainCapabilities-on-read-only-connections.patch
new file mode 100644
index 0000000..b04e5f4
--- /dev/null
+++ b/SOURCES/libvirt-api-disallow-virConnectGetDomainCapabilities-on-read-only-connections.patch
@@ -0,0 +1,38 @@
+From b77317482326f31c796e16bda24c1eb344be2d21 Mon Sep 17 00:00:00 2001
+Message-Id: <b77317482326f31c796e16bda24c1eb344be2d21@dist-git>
+From: =?UTF-8?q?J=C3=A1n=20Tomko?= <jtomko@redhat.com>
+Date: Tue, 18 Jun 2019 13:30:01 +0200
+Subject: [PATCH] api: disallow virConnectGetDomainCapabilities on read-only
+ connections
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This API can be used to execute arbitrary emulators.
+Forbid it on read-only connections.
+
+Fixes: CVE-2019-10167
+Signed-off-by: Ján Tomko <jtomko@redhat.com>
+Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
+Signed-off-by: Ján Tomko <jtomko@redhat.com>
+Message-Id: <eeefd7cf2afba696bed78582e086bfbd3ed23e00.1560857354.git.jtomko@redhat.com>
+Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
+---
+ src/libvirt-domain.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/libvirt-domain.c b/src/libvirt-domain.c
+index 3855dfe0dd..a1c913bd86 100644
+--- a/src/libvirt-domain.c
++++ b/src/libvirt-domain.c
+@@ -11279,6 +11279,7 @@ virConnectGetDomainCapabilities(virConnectPtr conn,
+     virResetLastError();
+ 
+     virCheckConnectReturn(conn, NULL);
++    virCheckReadOnlyGoto(conn->flags, error);
+ 
+     if (conn->driver->connectGetDomainCapabilities) {
+         char *ret;
+-- 
+2.22.0
+
diff --git a/SOURCES/libvirt-api-disallow-virDomainManagedSaveDefineXML-on-read-only-connections.patch b/SOURCES/libvirt-api-disallow-virDomainManagedSaveDefineXML-on-read-only-connections.patch
new file mode 100644
index 0000000..461c8f6
--- /dev/null
+++ b/SOURCES/libvirt-api-disallow-virDomainManagedSaveDefineXML-on-read-only-connections.patch
@@ -0,0 +1,40 @@
+From 2f8042cc71d65391e702c48f4e5e9dd38811cf4a Mon Sep 17 00:00:00 2001
+Message-Id: <2f8042cc71d65391e702c48f4e5e9dd38811cf4a@dist-git>
+From: =?UTF-8?q?J=C3=A1n=20Tomko?= <jtomko@redhat.com>
+Date: Tue, 18 Jun 2019 13:30:00 +0200
+Subject: [PATCH] api: disallow virDomainManagedSaveDefineXML on read-only
+ connections
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The virDomainManagedSaveDefineXML can be used to alter the domain's
+config used for managedsave or even execute arbitrary emulator binaries.
+Forbid it on read-only connections.
+
+Fixes: CVE-2019-10166
+Reported-by: Matthias Gerstner <mgerstner@suse.de>
+Signed-off-by: Ján Tomko <jtomko@redhat.com>
+Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
+Signed-off-by: Ján Tomko <jtomko@redhat.com>
+Message-Id: <352bf5e963a6482d426f97b0ef36ca019e69280b.1560857354.git.jtomko@redhat.com>
+Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
+---
+ src/libvirt-domain.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/libvirt-domain.c b/src/libvirt-domain.c
+index 0ba85b9360..3855dfe0dd 100644
+--- a/src/libvirt-domain.c
++++ b/src/libvirt-domain.c
+@@ -9487,6 +9487,7 @@ virDomainManagedSaveDefineXML(virDomainPtr domain, const char *dxml,
+ 
+     virCheckDomainReturn(domain, -1);
+     conn = domain->conn;
++    virCheckReadOnlyGoto(conn->flags, error);
+ 
+     if (conn->driver->domainManagedSaveDefineXML) {
+         int ret;
+-- 
+2.22.0
+
diff --git a/SOURCES/libvirt-api-disallow-virDomainSaveImageGetXMLDesc-on-read-only-connections.patch b/SOURCES/libvirt-api-disallow-virDomainSaveImageGetXMLDesc-on-read-only-connections.patch
new file mode 100644
index 0000000..f0ee792
--- /dev/null
+++ b/SOURCES/libvirt-api-disallow-virDomainSaveImageGetXMLDesc-on-read-only-connections.patch
@@ -0,0 +1,98 @@
+From d5b7ada5278e175d3174a6bcdc4338684ae4376e Mon Sep 17 00:00:00 2001
+Message-Id: <d5b7ada5278e175d3174a6bcdc4338684ae4376e@dist-git>
+From: =?UTF-8?q?J=C3=A1n=20Tomko?= <jtomko@redhat.com>
+Date: Tue, 18 Jun 2019 13:29:59 +0200
+Subject: [PATCH] api: disallow virDomainSaveImageGetXMLDesc on read-only
+ connections
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The virDomainSaveImageGetXMLDesc API is taking a path parameter,
+which can point to any path on the system. This file will then be
+read and parsed by libvirtd running with root privileges.
+
+Forbid it on read-only connections.
+
+Fixes: CVE-2019-10161
+Reported-by: Matthias Gerstner <mgerstner@suse.de>
+Signed-off-by: Ján Tomko <jtomko@redhat.com>
+Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
+Signed-off-by: Ján Tomko <jtomko@redhat.com>
+
+Conflicts:
+  src/libvirt-domain.c
+  src/remote/remote_protocol.x
+
+Upstream commit 12a51f372 which introduced the VIR_DOMAIN_SAVE_IMAGE_XML_SECURE
+alias for VIR_DOMAIN_XML_SECURE is not backported.
+Just skip the commit since we now disallow the whole API on read-only
+connections, regardless of the flag.
+Message-Id: <4c14d609cd7b548459b9ef2f59728fa5c5e38268.1560857354.git.jtomko@redhat.com>
+
+Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
+---
+ src/libvirt-domain.c         | 11 ++---------
+ src/qemu/qemu_driver.c       |  2 +-
+ src/remote/remote_protocol.x |  3 +--
+ 3 files changed, 4 insertions(+), 12 deletions(-)
+
+diff --git a/src/libvirt-domain.c b/src/libvirt-domain.c
+index ad0ded9ee3..0ba85b9360 100644
+--- a/src/libvirt-domain.c
++++ b/src/libvirt-domain.c
+@@ -1073,9 +1073,7 @@ virDomainRestoreFlags(virConnectPtr conn, const char *from, const char *dxml,
+  * previously by virDomainSave() or virDomainSaveFlags().
+  *
+  * No security-sensitive data will be included unless @flags contains
+- * VIR_DOMAIN_XML_SECURE; this flag is rejected on read-only
+- * connections.  For this API, @flags should not contain either
+- * VIR_DOMAIN_XML_INACTIVE or VIR_DOMAIN_XML_UPDATE_CPU.
++ * VIR_DOMAIN_XML_SECURE.
+  *
+  * Returns a 0 terminated UTF-8 encoded XML instance, or NULL in case of
+  * error.  The caller must free() the returned value.
+@@ -1091,12 +1089,7 @@ virDomainSaveImageGetXMLDesc(virConnectPtr conn, const char *file,
+ 
+     virCheckConnectReturn(conn, NULL);
+     virCheckNonNullArgGoto(file, error);
+-
+-    if ((conn->flags & VIR_CONNECT_RO) && (flags & VIR_DOMAIN_XML_SECURE)) {
+-        virReportError(VIR_ERR_OPERATION_DENIED, "%s",
+-                       _("virDomainSaveImageGetXMLDesc with secure flag"));
+-        goto error;
+-    }
++    virCheckReadOnlyGoto(conn->flags, error);
+ 
+     if (conn->driver->domainSaveImageGetXMLDesc) {
+         char *ret;
+diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
+index 88c08f88ee..2da87992fd 100644
+--- a/src/qemu/qemu_driver.c
++++ b/src/qemu/qemu_driver.c
+@@ -6786,7 +6786,7 @@ qemuDomainSaveImageGetXMLDesc(virConnectPtr conn, const char *path,
+     if (fd < 0)
+         goto cleanup;
+ 
+-    if (virDomainSaveImageGetXMLDescEnsureACL(conn, def, flags) < 0)
++    if (virDomainSaveImageGetXMLDescEnsureACL(conn, def) < 0)
+         goto cleanup;
+ 
+     ret = qemuDomainDefFormatXML(driver, def, flags);
+diff --git a/src/remote/remote_protocol.x b/src/remote/remote_protocol.x
+index 28c8febabd..52b92334fa 100644
+--- a/src/remote/remote_protocol.x
++++ b/src/remote/remote_protocol.x
+@@ -5226,8 +5226,7 @@ enum remote_procedure {
+     /**
+      * @generate: both
+      * @priority: high
+-     * @acl: domain:read
+-     * @acl: domain:read_secure:VIR_DOMAIN_XML_SECURE
++     * @acl: domain:write
+      */
+     REMOTE_PROC_DOMAIN_SAVE_IMAGE_GET_XML_DESC = 235,
+ 
+-- 
+2.22.0
+
diff --git a/SPECS/libvirt.spec b/SPECS/libvirt.spec
index 59688f9..c4275ec 100644
--- a/SPECS/libvirt.spec
+++ b/SPECS/libvirt.spec
@@ -243,7 +243,7 @@
 Summary: Library providing a simple virtualization API
 Name: libvirt
 Version: 4.5.0
-Release: 23.2%{?dist}%{?extra_release}
+Release: 23.3%{?dist}%{?extra_release}
 License: LGPLv2+
 URL: https://libvirt.org/
 
@@ -455,6 +455,10 @@ Patch199: libvirt-cpu_map-Define-md-clear-CPUID-bit.patch
 Patch200: libvirt-admin-reject-clients-unless-their-UID-matches-the-current-UID.patch
 Patch201: libvirt-locking-restrict-sockets-to-mode-0600.patch
 Patch202: libvirt-logging-restrict-sockets-to-mode-0600.patch
+Patch203: libvirt-api-disallow-virDomainSaveImageGetXMLDesc-on-read-only-connections.patch
+Patch204: libvirt-api-disallow-virDomainManagedSaveDefineXML-on-read-only-connections.patch
+Patch205: libvirt-api-disallow-virConnectGetDomainCapabilities-on-read-only-connections.patch
+Patch206: libvirt-api-disallow-virConnect-HypervisorCPU-on-read-only-connections.patch
 
 Requires: libvirt-daemon = %{version}-%{release}
 Requires: libvirt-daemon-config-network = %{version}-%{release}
@@ -2366,6 +2370,12 @@ exit 0
 
 
 %changelog
+* Tue Jun 18 2019 Jiri Denemark <jdenemar@redhat.com> - 4.5.0-23.3.el8
+- api: disallow virDomainSaveImageGetXMLDesc on read-only connections (CVE-2019-10161)
+- api: disallow virDomainManagedSaveDefineXML on read-only connections (CVE-2019-10166)
+- api: disallow virConnectGetDomainCapabilities on read-only connections (CVE-2019-10167)
+- api: disallow virConnect*HypervisorCPU on read-only connections (CVE-2019-10168)
+
 * Thu May 16 2019 Jiri Denemark <jdenemar@redhat.com> - 4.5.0-23.2.el8
 - admin: reject clients unless their UID matches the current UID (CVE-2019-10132)
 - locking: restrict sockets to mode 0600 (CVE-2019-10132)