diff --git a/SOURCES/memcached-CVE-2011-4971.patch b/SOURCES/memcached-CVE-2011-4971.patch
new file mode 100644
index 0000000..ec69ae9
--- /dev/null
+++ b/SOURCES/memcached-CVE-2011-4971.patch
@@ -0,0 +1,53 @@
+commit 6695ccbc525c36d693aaa3e8337b36aa0c784424
+Author: Huzaifa Sidhpurwala <huzaifas@redhat.com>
+Date: Sun Dec 8 17:33:15 2013 -0800
+
+ Fix segfault on specially crafted packet.
+
+diff --git a/memcached.c b/memcached.c
+index b6ed7c9..f3b9939 100644
+--- a/memcached.c
++++ b/memcached.c
+@@ -3872,6 +3872,16 @@ static void drive_machine(conn *c) {
+ complete_nread(c);
+ break;
+ }
++
++ /* Check if rbytes < 0, to prevent crash */
++ if (c->rlbytes < 0) {
++ if (settings.verbose) {
++ fprintf(stderr, "Invalid rlbytes to read: len %d\n", c->rlbytes);
++ }
++ conn_set_state(c, conn_closing);
++ break;
++ }
++
+ /* first check if we have leftovers in the conn_read buffer */
+ if (c->rbytes > 0) {
+ int tocopy = c->rbytes > c->rlbytes ? c->rlbytes : c->rbytes;
+diff --git a/t/issue_192.t b/t/issue_192.t
+new file mode 100644
+index 0000000..c58e206
+--- /dev/null
++++ b/t/issue_192.t
+@@ -0,0 +1,20 @@
++#!/usr/bin/perl
++
++use strict;
++use Test::More tests => 2;
++use FindBin qw($Bin);
++use lib "$Bin/lib";
++use MemcachedTest;
++
++my $server = new_memcached();
++my $sock = $server->sock;
++
++ok($server->new_sock, "opened new socket");
++
++print $sock "\x80\x12\x00\x01\x08\x00\x00\x00\xff\xff\xff\xe8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xff\x01\x00\x00\x00\x00\x00\x00\x00\x00\x000\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";
++
++sleep 0.5;
++ok($server->new_sock, "failed to open new socket");
++
++
++
diff --git a/SOURCES/memcached-CVE-2013-0179_7290_7291.patch b/SOURCES/memcached-CVE-2013-0179_7290_7291.patch
new file mode 100644
index 0000000..e02366d
--- /dev/null
+++ b/SOURCES/memcached-CVE-2013-0179_7290_7291.patch
@@ -0,0 +1,77 @@
+commit 0f605245cf3f37c2efe4e225237ad17256ea2a34
+Author: Jeremy Sowden <jeremy.sowden@gmail.com>
+Date: Wed Jan 9 15:43:41 2013 +0000
+
+ Fix buffer-overrun when logging key to delete in binary protocol.
+
+diff --git a/memcached.c b/memcached.c
+index 3a79fba..f7a140c 100644
+--- a/memcached.c
++++ b/memcached.c
+@@ -2190,7 +2190,12 @@ static void process_bin_delete(conn *c) {
+ assert(c != NULL);
+
+ if (settings.verbose > 1) {
+- fprintf(stderr, "Deleting %s\n", key);
++ int ii;
++ fprintf(stderr, "Deleting ");
++ for (ii = 0; ii < nkey; ++ii) {
++ fprintf(stderr, "%c", key[ii]);
++ }
++ fprintf(stderr, "\n");
+ }
+
+ if (settings.detail_enabled) {
+commit fbe823d9a61b5149cd6e3b5e17bd28dd3b8dd760
+Author: dormando <dormando@rydia.net>
+Date: Fri Dec 20 13:25:43 2013 -0800
+
+ fix potential unbounded key prints
+
+ item key isn't necessarily null terminated. user submitted a patch for one,
+ this clears two more.
+
+diff --git a/items.c b/items.c
+index d70400c..65b1a24 100644
+--- a/items.c
++++ b/items.c
+@@ -537,12 +537,16 @@ item *do_item_get(const char *key, const size_t nkey, const uint32_t hv) {
+ int was_found = 0;
+
+ if (settings.verbose > 2) {
++ int ii;
+ if (it == NULL) {
+- fprintf(stderr, "> NOT FOUND %s", key);
++ fprintf(stderr, "> NOT FOUND ");
+ } else {
+- fprintf(stderr, "> FOUND KEY %s", ITEM_key(it));
++ fprintf(stderr, "> FOUND KEY ");
+ was_found++;
+ }
++ for (ii = 0; ii < nkey; ++ii) {
++ fprintf(stderr, "%c", key[ii]);
++ }
+ }
+
+ if (it != NULL) {
+diff --git a/memcached.c b/memcached.c
+index f7a140c..6486ff2 100644
+--- a/memcached.c
++++ b/memcached.c
+@@ -2856,8 +2856,14 @@ static inline void process_get_command(conn *c, token_t *tokens, size_t ntokens,
+ }
+
+
+- if (settings.verbose > 1)
+- fprintf(stderr, ">%d sending key %s\n", c->sfd, ITEM_key(it));
++ if (settings.verbose > 1) {
++ int ii;
++ fprintf(stderr, ">%d sending key ", c->sfd);
++ for (ii = 0; ii < it->nkey; ++ii) {
++ fprintf(stderr, "%c", key[ii]);
++ }
++ fprintf(stderr, "\n");
++ }
+
+ /* item_get() has incremented it->refcount for us */
+ pthread_mutex_lock(&c->thread->stats.mutex);
diff --git a/SPECS/memcached.spec b/SPECS/memcached.spec
index 9a0f422..ef4747e 100644
--- a/SPECS/memcached.spec
+++ b/SPECS/memcached.spec
@@ -3,7 +3,7 @@
Name: memcached
Version: 1.4.15
-Release: 5%{?dist}
+Release: 9%{?dist}
Epoch: 0
Summary: High Performance, Distributed Memory Object Cache
@@ -17,6 +17,8 @@ Source1: memcached.service
# Patches
Patch001: memcached-manpages.patch
+Patch002: memcached-CVE-2011-4971.patch
+Patch003: memcached-CVE-2013-0179_7290_7291.patch
# Fixes
@@ -54,6 +56,8 @@ access to the memcached binary include files.
%prep
%setup -q
%patch001 -p1 -b .manpages
+%patch002 -p1 -b .CVE-2011-4971
+%patch003 -p1 -b .CVE-2013-0179_7290_7291
%build
# compile with full RELRO
@@ -153,6 +157,18 @@ exit 0
%{_includedir}/memcached/*
%changelog
+* Fri Jan 24 2014 Daniel Mach <dmach@redhat.com> - 01.4.15-9
+- Mass rebuild 2014-01-24
+
+* Tue Jan 14 2014 Miroslav Lichvar <mlichvar@redhat.com> - 0:1.4.15-8
+- fix unbound key printing (CVE-2013-0179, CVE-2013-7290, CVE-2013-7291)
+
+* Fri Dec 27 2013 Daniel Mach <dmach@redhat.com> - 01.4.15-7
+- Mass rebuild 2013-12-27
+
+* Thu Dec 12 2013 Miroslav Lichvar <mlichvar@redhat.com> - 0:1.4.15-6
+- fix segfault on specially crafted packet (#988739, CVE-2011-4971)
+
* Mon Jul 08 2013 Miroslav Lichvar <mlichvar@redhat.com> - 0:1.4.15-5
- update memcached man page
- add memcached-tool man page