diff --git a/SOURCES/libxml2-2.9.1-CVE-2019-19956.patch b/SOURCES/libxml2-2.9.1-CVE-2019-19956.patch
new file mode 100644
index 0000000..5bfb5d5
--- /dev/null
+++ b/SOURCES/libxml2-2.9.1-CVE-2019-19956.patch
@@ -0,0 +1,33 @@
+From 5a02583c7e683896d84878bd90641d8d9b0d0549 Mon Sep 17 00:00:00 2001
+From: Zhipeng Xie <xiezhipeng1@huawei.com>
+Date: Wed, 7 Aug 2019 17:39:17 +0800
+Subject: [PATCH] Fix memory leak in xmlParseBalancedChunkMemoryRecover
+
+When doc is NULL, namespace created in xmlTreeEnsureXMLDecl
+is bind to newDoc->oldNs, in this case, set newDoc->oldNs to
+NULL and free newDoc will cause a memory leak.
+
+Found with libFuzzer.
+
+Closes #82.
+---
+ parser.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/parser.c b/parser.c
+index 1ce1ccf1..26d9f4e3 100644
+--- a/parser.c
++++ b/parser.c
+@@ -13894,7 +13894,8 @@ xmlParseBalancedChunkMemoryRecover(xmlDocPtr doc, xmlSAXHandlerPtr sax,
+     xmlFreeParserCtxt(ctxt);
+     newDoc->intSubset = NULL;
+     newDoc->extSubset = NULL;
+-    newDoc->oldNs = NULL;
++    if(doc != NULL)
++	newDoc->oldNs = NULL;
+     xmlFreeDoc(newDoc);
+ 
+     return(ret);
+-- 
+2.24.1
+
diff --git a/SOURCES/libxml2-2.9.1-CVE-2019-20388.patch b/SOURCES/libxml2-2.9.1-CVE-2019-20388.patch
new file mode 100644
index 0000000..a6f4082
--- /dev/null
+++ b/SOURCES/libxml2-2.9.1-CVE-2019-20388.patch
@@ -0,0 +1,33 @@
+From 7ffcd44d7e6c46704f8af0321d9314cd26e0e18a Mon Sep 17 00:00:00 2001
+From: Zhipeng Xie <xiezhipeng1@huawei.com>
+Date: Tue, 20 Aug 2019 16:33:06 +0800
+Subject: [PATCH] Fix memory leak in xmlSchemaValidateStream
+
+When ctxt->schema is NULL, xmlSchemaSAXPlug->xmlSchemaPreRun
+alloc a new schema for ctxt->schema and set vctxt->xsiAssemble
+to 1. Then xmlSchemaVStart->xmlSchemaPreRun initialize
+vctxt->xsiAssemble to 0 again which cause the alloced schema
+can not be freed anymore.
+
+Found with libFuzzer.
+
+Signed-off-by: Zhipeng Xie <xiezhipeng1@huawei.com>
+---
+ xmlschemas.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/xmlschemas.c b/xmlschemas.c
+index 301c8449..39d92182 100644
+--- a/xmlschemas.c
++++ b/xmlschemas.c
+@@ -28090,7 +28090,6 @@ xmlSchemaPreRun(xmlSchemaValidCtxtPtr vctxt) {
+     vctxt->nberrors = 0;
+     vctxt->depth = -1;
+     vctxt->skipDepth = -1;
+-    vctxt->xsiAssemble = 0;
+     vctxt->hasKeyrefs = 0;
+ #ifdef ENABLE_IDC_NODE_TABLES_TEST
+     vctxt->createIDCNodeTables = 1;
+-- 
+2.24.2
+
diff --git a/SOURCES/libxml2-2.9.1-CVE-2020-7595.patch b/SOURCES/libxml2-2.9.1-CVE-2020-7595.patch
new file mode 100644
index 0000000..c1b996f
--- /dev/null
+++ b/SOURCES/libxml2-2.9.1-CVE-2020-7595.patch
@@ -0,0 +1,32 @@
+From 0e1a49c8907645d2e155f0d89d4d9895ac5112b5 Mon Sep 17 00:00:00 2001
+From: Zhipeng Xie <xiezhipeng1@huawei.com>
+Date: Thu, 12 Dec 2019 17:30:55 +0800
+Subject: [PATCH] Fix infinite loop in xmlStringLenDecodeEntities
+
+When ctxt->instate == XML_PARSER_EOF,xmlParseStringEntityRef
+return NULL which cause a infinite loop in xmlStringLenDecodeEntities
+
+Found with libFuzzer.
+
+Signed-off-by: Zhipeng Xie <xiezhipeng1@huawei.com>
+---
+ parser.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/parser.c b/parser.c
+index d1c31963..a34bb6cd 100644
+--- a/parser.c
++++ b/parser.c
+@@ -2646,7 +2646,8 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len,
+     else
+         c = 0;
+     while ((c != 0) && (c != end) && /* non input consuming loop */
+-	   (c != end2) && (c != end3)) {
++           (c != end2) && (c != end3) &&
++           (ctxt->instate != XML_PARSER_EOF)) {
+ 
+ 	if (c == 0) break;
+         if ((c == '&') && (str[1] == '#')) {
+-- 
+2.24.2
+
diff --git a/SOURCES/libxml2-2.9.1-xsd-any.patch b/SOURCES/libxml2-2.9.1-xsd-any.patch
new file mode 100644
index 0000000..5a14deb
--- /dev/null
+++ b/SOURCES/libxml2-2.9.1-xsd-any.patch
@@ -0,0 +1,85 @@
+From e8c9cd5c7a0d2ea95edf08b13af3baabce62dd63 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Mon, 16 Sep 2019 15:36:02 +0200
+Subject: [PATCH] Fix Schema determinism check of ##other namespaces
+
+Non-compound (##local) and compound string atoms are always disjoint
+regardless of whether the compound atom is negated (##other).
+
+Closes #40.
+---
+ result/schemas/issue40_0_0     |  1 +
+ result/schemas/issue40_0_0.err |  0
+ test/schemas/issue40_0.xml     |  3 +++
+ test/schemas/issue40_0.xsd     | 10 ++++++++++
+ xmlregexp.c                    | 15 ++++++++++++---
+ 5 files changed, 26 insertions(+), 3 deletions(-)
+ create mode 100644 result/schemas/issue40_0_0
+ create mode 100644 result/schemas/issue40_0_0.err
+ create mode 100644 test/schemas/issue40_0.xml
+ create mode 100644 test/schemas/issue40_0.xsd
+
+diff --git a/result/schemas/issue40_0_0 b/result/schemas/issue40_0_0
+new file mode 100644
+index 00000000..73c9e696
+--- /dev/null
++++ b/result/schemas/issue40_0_0
+@@ -0,0 +1 @@
++./test/schemas/issue40_0.xml validates
+diff --git a/result/schemas/issue40_0_0.err b/result/schemas/issue40_0_0.err
+new file mode 100644
+index 00000000..e69de29b
+diff --git a/test/schemas/issue40_0.xml b/test/schemas/issue40_0.xml
+new file mode 100644
+index 00000000..86cff1d0
+--- /dev/null
++++ b/test/schemas/issue40_0.xml
+@@ -0,0 +1,3 @@
++<a:aaa xmlns:a="aaa_ns">
++  <x/>
++</a:aaa>
+diff --git a/test/schemas/issue40_0.xsd b/test/schemas/issue40_0.xsd
+new file mode 100644
+index 00000000..a7eff55b
+--- /dev/null
++++ b/test/schemas/issue40_0.xsd
+@@ -0,0 +1,10 @@
++<xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema" targetNamespace="aaa_ns" xmlns="http://www.w3.org/1999/XSL/Transform">
++	<xsd:element name="aaa">
++		<xsd:complexType>
++			<xsd:choice>
++				<xsd:any namespace="##other" processContents="skip" />
++				<xsd:any namespace="##local" processContents="skip" />
++			</xsd:choice>
++		</xsd:complexType>
++	</xsd:element>
++</xsd:schema>
+diff --git a/xmlregexp.c b/xmlregexp.c
+index 1e8bf934..10969177 100644
+--- a/xmlregexp.c
++++ b/xmlregexp.c
+@@ -2528,9 +2528,18 @@ xmlFACompareAtoms(xmlRegAtomPtr atom1, xmlRegAtomPtr atom2, int deep) {
+         case XML_REGEXP_STRING:
+             if (!deep)
+                 ret = (atom1->valuep != atom2->valuep);
+-            else
+-                ret = xmlRegStrEqualWildcard((xmlChar *)atom1->valuep,
+-                                             (xmlChar *)atom2->valuep);
++            else {
++                xmlChar *val1 = (xmlChar *)atom1->valuep;
++                xmlChar *val2 = (xmlChar *)atom2->valuep;
++                int compound1 = (xmlStrchr(val1, '|') != NULL);
++                int compound2 = (xmlStrchr(val2, '|') != NULL);
++
++                /* Ignore negative match flag for ##other namespaces */
++                if (compound1 != compound2)
++                    return(0);
++
++                ret = xmlRegStrEqualWildcard(val1, val2);
++            }
+ 	    break;
+         case XML_REGEXP_EPSILON:
+ 	    goto not_determinist;
+-- 
+2.24.2
+
diff --git a/SPECS/libxml2.spec b/SPECS/libxml2.spec
index b262772..f2cc2e4 100644
--- a/SPECS/libxml2.spec
+++ b/SPECS/libxml2.spec
@@ -4,7 +4,7 @@
 Summary: Library providing XML and HTML support
 Name: libxml2
 Version: 2.9.1
-Release: 6%{?dist}%{?extra_release}.4
+Release: 6%{?dist}%{?extra_release}.5
 License: MIT
 Group: Development/Libraries
 Source: ftp://xmlsoft.org/libxml2/libxml2-%{version}.tar.gz
@@ -66,6 +66,14 @@ patch143: libxml2-2.9.1-CVE-2016-5131.patch
 patch144: libxml2-2.9.1-CVE-2017-18258.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=1622715
 patch145: libxml2-2.9.1-CVE-2018-14567.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1793000
+patch146: libxml2-2.9.1-CVE-2019-19956.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1810057
+patch147: libxml2-2.9.1-CVE-2019-20388.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1810073
+patch148: libxml2-2.9.1-CVE-2020-7595.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1812145
+patch149: libxml2-2.9.1-xsd-any.patch
 
 
 %description
@@ -175,6 +183,10 @@ at parse time or later once the document has been modified.
 %patch143 -p1
 %patch144 -p1
 %patch145 -p1
+%patch146 -p1
+%patch147 -p1
+%patch148 -p1
+%patch149 -p1
 
 %build
 %configure
@@ -257,6 +269,12 @@ rm -fr %{buildroot}
 %doc doc/python.html
 
 %changelog
+* Wed Apr 22 2020 David King <dking@redhat.com> - 2.9.1-6.5
+- Fix CVE-2019-19956 (#1793000)
+- Fix CVE-2019-20388 (#1810057)
+- Fix CVE-2020-7595 (#1810073)
+- Fix xsd:any schema validation (#1812145)
+
 * Fri Nov 01 2019 David King <dking@redhat.com> - 2.9.1-6.4
 - Fix CVE-2015-8035 (#1595697)
 - Fix CVE-2018-14404 (#1602817)