diff --git a/SOURCES/libvncserver-0.9.11-libvncclient-cursor-limit-width-height-input-values.patch b/SOURCES/libvncserver-0.9.11-libvncclient-cursor-limit-width-height-input-values.patch
new file mode 100644
index 0000000..87edf44
--- /dev/null
+++ b/SOURCES/libvncserver-0.9.11-libvncclient-cursor-limit-width-height-input-values.patch
@@ -0,0 +1,44 @@
+From 54220248886b5001fbbb9fa73c4e1a2cb9413fed Mon Sep 17 00:00:00 2001
+From: Christian Beier <dontmind@freeshell.org>
+Date: Sun, 17 Nov 2019 17:18:35 +0100
+Subject: [PATCH] libvncclient/cursor: limit width/height input values
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Avoids a possible heap overflow reported by Pavel Cheremushkin
+<Pavel.Cheremushkin@kaspersky.com>.
+
+re #275
+
+Signed-off-by: Petr Písař <ppisar@redhat.com>
+---
+ libvncclient/cursor.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/libvncclient/cursor.c b/libvncclient/cursor.c
+index 67f45726..40ffb3b0 100644
+--- a/libvncclient/cursor.c
++++ b/libvncclient/cursor.c
+@@ -28,6 +28,8 @@
+ #define OPER_SAVE     0
+ #define OPER_RESTORE  1
+ 
++#define MAX_CURSOR_SIZE 1024
++
+ #define RGB24_TO_PIXEL(bpp,r,g,b)                                       \
+    ((((uint##bpp##_t)(r) & 0xFF) * client->format.redMax + 127) / 255             \
+     << client->format.redShift |                                              \
+@@ -54,6 +56,9 @@ rfbBool HandleCursorShape(rfbClient* client,int xhot, int yhot, int width, int h
+   if (width * height == 0)
+     return TRUE;
+ 
++  if (width >= MAX_CURSOR_SIZE || height >= MAX_CURSOR_SIZE)
++    return FALSE;
++
+   /* Allocate memory for pixel data and temporary mask data. */
+   if(client->rcSource)
+     free(client->rcSource);
+-- 
+2.21.1
+
diff --git a/SPECS/libvncserver.spec b/SPECS/libvncserver.spec
index 3c619a7..707fcde 100644
--- a/SPECS/libvncserver.spec
+++ b/SPECS/libvncserver.spec
@@ -1,7 +1,7 @@
 Summary:    Library to make writing a VNC server easy
 Name:       libvncserver
 Version:    0.9.11
-Release:    9%{?dist}
+Release:    9%{?dist}.2
 
 # NOTE: --with-filetransfer => GPLv2
 License:    GPLv2+
@@ -33,6 +33,10 @@ Patch105:     libvncserver-0.9.11-Limit-client-cut-text-length-to-1-MB.patch
 # <https://github.com/LibVNC/libvncserver/issues/276>
 # fixed in upstream after 0.9.12
 Patch106:     libvncserver-0.9.11-Fix-CVE-2018-15127-Heap-out-of-bounds-write-in-rfbse.patch
+# Fix CVE-2019-15690 (an integer overflow in HandleCursorShape() in a client),
+# bug #1814342, <https://github.com/LibVNC/libvncserver/issues/275>,
+# in upstream after 0.9.12
+Patch107:     libvncserver-0.9.11-libvncclient-cursor-limit-width-height-input-values.patch
 
 BuildRequires:  autoconf
 BuildRequires:  automake
@@ -102,6 +106,7 @@ developing applications that use %{name}.
 %patch104 -p1
 %patch105 -p1
 %patch106 -p1
+%patch107 -p1
 
 # Fix encoding
 for file in ChangeLog ; do
@@ -161,6 +166,13 @@ make -C test test ||:
 
 
 %changelog
+* Wed Mar 18 2020 Petr Pisar <ppisar@redhat.com> - 0.9.11-9.2
+- Enable gating (bug #1681199)
+
+* Wed Mar 18 2020 Petr Pisar <ppisar@redhat.com> - 0.9.11-9.1
+- Fix CVE-2019-15690 (an integer overflow in HandleCursorShape() in a client)
+  (bug #1814342)
+
 * Thu Jan 10 2019 Petr Pisar <ppisar@redhat.com> - 0.9.11-9
 - Fix CVE-2018-15127 (Heap out-of-bounds write in
   rfbserver.c:rfbProcessFileTransferReadBuffer()) (bug #1662997)