diff --git a/SOURCES/0001-don-t-echo-query-params-on-invalid-requests-to-redir.patch b/SOURCES/0001-don-t-echo-query-params-on-invalid-requests-to-redir.patch
new file mode 100644
index 0000000..3e9e0fe
--- /dev/null
+++ b/SOURCES/0001-don-t-echo-query-params-on-invalid-requests-to-redir.patch
@@ -0,0 +1,32 @@
+From d3973074a984f78af2267006625a11e672574dff Mon Sep 17 00:00:00 2001
+From: Hans Zandbelt
+Date: Thu, 19 Jan 2017 00:03:37 +0100
+Subject: [PATCH 1000/1002] don't echo query params on invalid requests to
+ redirect URI; closes #212
+
+thanks @LukasReschke; I'm sure there's some OWASP guideline that warns
+against this
+
+(cherry picked from commit 612e309bfffd6f9b8ad7cdccda3019fc0865f3b4)
+---
+ src/mod_auth_openidc.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/mod_auth_openidc.c b/src/mod_auth_openidc.c
+index 2db6108..a494238 100644
+--- a/src/mod_auth_openidc.c
++++ b/src/mod_auth_openidc.c
+@@ -2493,8 +2493,8 @@ int oidc_handle_redirect_uri_request(request_rec *r, oidc_cfg *c,
+ /* something went wrong */
+ return oidc_util_html_send_error(r, c->error_template, "Invalid Request",
+ apr_psprintf(r->pool,
+- "The OpenID Connect callback URL received an invalid request: %s",
+- r->args), HTTP_INTERNAL_SERVER_ERROR);
++ "The OpenID Connect callback URL received an invalid request"),
++ HTTP_INTERNAL_SERVER_ERROR);
+ }
+
+ /*
+--
+2.19.2
+
diff --git a/SOURCES/0002-Backport-security-fix-scrub-headers-on-OIDCUnAuthAct.patch b/SOURCES/0002-Backport-security-fix-scrub-headers-on-OIDCUnAuthAct.patch
new file mode 100644
index 0000000..3a41e67
--- /dev/null
+++ b/SOURCES/0002-Backport-security-fix-scrub-headers-on-OIDCUnAuthAct.patch
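Review bot: Once `r->args` leaves the error message, the rejected query string is recorded nowhere, so an operator investigating a run of "Invalid Request" responses on the redirect URI has nothing to correlate; log it server-side before returning instead of rendering it, e.g. `oidc_debug(r, "invalid request to redirect URI, args: %s", r->args);` (the module's `oidc_debug` helper is the one used in the oauth.c hunk of patch 0003). With no format arguments left, `apr_psprintf(r->pool, "...")` only copies a literal; passing the string directly would read cleaner, though it is harmless. The response is still `HTTP_INTERNAL_SERVER_ERROR` for what is a malformed client request; `HTTP_BAD_REQUEST` describes it better, but that is a behaviour change beyond this backport and would need checking against whatever alerts on 500s. The rest of `oidc_handle_redirect_uri_request` lies outside the hunk.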
@@ -0,0 +1,84 @@
+From f1e8dec3e749eea3a54553e07b7a1994a4aaf5b9 Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek
+Date: Fri, 23 Nov 2018 15:38:42 +0100
+Subject: [PATCH 1001/1002] Backport security fix: scrub headers on
+ OIDCUnAuthAction pass; closes #222
+
+---
+ src/mod_auth_openidc.c | 46 ++++++++++++++++++++++++++++--------------
+ 1 file changed, 31 insertions(+), 15 deletions(-)
+
+diff --git a/src/mod_auth_openidc.c b/src/mod_auth_openidc.c
+index a494238..f00280f 100644
+--- a/src/mod_auth_openidc.c
++++ b/src/mod_auth_openidc.c
+@@ -133,6 +133,29 @@ static void oidc_scrub_request_headers(request_rec *r, const char *claim_prefix,
+ r->headers_in = clean_headers;
+ }
+
++static void oidc_scrub_headers(request_rec *r) {
++ oidc_cfg *cfg = ap_get_module_config(r->server->module_config,
++ &auth_openidc_module);
++
++ /* get a handle to the directory config */
++ oidc_dir_cfg *dir_cfg = ap_get_module_config(r->per_dir_config,
++ &auth_openidc_module);
++
++ if (cfg->scrub_request_headers != 0) {
++ /* scrub all headers starting with OIDC_ first */
++ oidc_scrub_request_headers(r, OIDC_DEFAULT_HEADER_PREFIX,
++ dir_cfg->authn_header);
++ /*
++ * then see if the claim headers need to be removed on top of that
++ * (i.e. the prefix does not start with the default OIDC_)
++ */
++ if ((strstr(cfg->claim_prefix, OIDC_DEFAULT_HEADER_PREFIX)
++ != cfg->claim_prefix)) {
++ oidc_scrub_request_headers(r, cfg->claim_prefix, NULL);
++ }
++ }
++}
++
+ #define OIDC_SHA1_LEN 20
+
+ /*
+@@ -988,21 +1011,7 @@ static int oidc_handle_existing_session(request_rec *r, oidc_cfg *cfg,
+ * we're going to pass the information that we have to the application,
+ * but first we need to scrub the headers that we're going to use for security reasons
+ */
+- if (cfg->scrub_request_headers != 0) {
+-
+- /* scrub all headers starting with OIDC_ first */
+- oidc_scrub_request_headers(r, OIDC_DEFAULT_HEADER_PREFIX,
+- dir_cfg->authn_header);
+-
+- /*
+- * then see if the claim headers need to be removed on top of that
+- * (i.e. the prefix does not start with the default OIDC_)
+- */
+- if ((strstr(cfg->claim_prefix, OIDC_DEFAULT_HEADER_PREFIX)
+- != cfg->claim_prefix)) {
+- oidc_scrub_request_headers(r, cfg->claim_prefix, NULL);
+- }
+- }
++ oidc_scrub_headers(r);
+
+ /* set the user authentication HTTP header if set and required */
+ if ((r->user != NULL) && (dir_cfg->authn_header != NULL))
+@@ -2560,6 +2569,13 @@ static int oidc_check_userid_openidc(request_rec *r, oidc_cfg *c) {
+ case RETURN401:
+ return HTTP_UNAUTHORIZED;
+ case PASS:
++ /*
++ * we're not going to pass information about
++ * an authenticated user to the application, *
++ * but we do need to scrub the headers that
++ * mod_auth_openidc would set for security reasons
++ */
++ oidc_scrub_headers(r);
+ return OK;
+ case AUTHENTICATE:
+ /* if this is a Javascript path we won't redirect the user and create a state cookie */
+--
+2.19.2
+
diff --git a/SOURCES/0003-Backport-security-fix-scrub-headers-for-AuthType-oau.patch b/SOURCES/0003-Backport-security-fix-scrub-headers-for-AuthType-oau.patch
new file mode 100644
index 0000000..d984042
--- /dev/null
+++ b/SOURCES/0003-Backport-security-fix-scrub-headers-for-AuthType-oau.patch
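Review bot: The comment added in the `case PASS:` branch of `oidc_check_userid_openidc` has a stray trailing asterisk on its second line; `* an authenticated user to the application, *` should read `* an authenticated user to the application,`. Because the new `oidc_scrub_headers()` returns without touching `r->headers_in` when `cfg->scrub_request_headers` is 0, the PASS-branch scrub this patch adds is conditional on that setting, which is worth stating in a header comment on the helper so a reader does not assume PASS always strips client-supplied `OIDC_*` and claim headers, e.g. `/* drop client-supplied OIDC_* / claim-prefix headers from r->headers_in; no-op when scrub_request_headers is 0 */`. The prefix test carried over into the helper, `strstr(cfg->claim_prefix, OIDC_DEFAULT_HEADER_PREFIX) != cfg->claim_prefix`, scans the whole string to answer a starts-with question; `strncmp(cfg->claim_prefix, OIDC_DEFAULT_HEADER_PREFIX, strlen(OIDC_DEFAULT_HEADER_PREFIX)) != 0` says what is meant directly. The switch in `oidc_check_userid_openidc` continues outside the hunk.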
@@ -0,0 +1,58 @@
+From 53bc62391d71418130edc0cb706f1aa5b0844c3a Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek
+Date: Fri, 23 Nov 2018 16:41:18 +0100
+Subject: [PATCH 1002/1002] Backport security fix: scrub headers for "AuthType
+ oauth20"
+
+---
+ src/mod_auth_openidc.c | 2 +-
+ src/mod_auth_openidc.h | 2 ++
+ src/oauth.c | 6 ++++++
+ 3 files changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/src/mod_auth_openidc.c b/src/mod_auth_openidc.c
+index f00280f..b504ecb 100644
+--- a/src/mod_auth_openidc.c
++++ b/src/mod_auth_openidc.c
+@@ -133,7 +133,7 @@ static void oidc_scrub_request_headers(request_rec *r, const char *claim_prefix,
+ r->headers_in = clean_headers;
+ }
+
+-static void oidc_scrub_headers(request_rec *r) {
++void oidc_scrub_headers(request_rec *r) {
+ oidc_cfg *cfg = ap_get_module_config(r->server->module_config,
+ &auth_openidc_module);
+
+diff --git a/src/mod_auth_openidc.h b/src/mod_auth_openidc.h
+index a92b81f..6f6bd92 100644
+--- a/src/mod_auth_openidc.h
++++ b/src/mod_auth_openidc.h
+@@ -373,6 +373,8 @@ void oidc_request_state_set(request_rec *r, const char *key, const char *value);
+ const char*oidc_request_state_get(request_rec *r, const char *key);
+ int oidc_handle_jwks(request_rec *r, oidc_cfg *c);
+
++void oidc_scrub_headers(request_rec *r);
++
+ // oidc_oauth
+ int oidc_oauth_check_userid(request_rec *r, oidc_cfg *c);
+
+diff --git a/src/oauth.c b/src/oauth.c
+index 218112b..279ee74 100644
+--- a/src/oauth.c
++++ b/src/oauth.c
+@@ -572,6 +572,12 @@ int oidc_oauth_check_userid(request_rec *r, oidc_cfg *c) {
+ oidc_dir_cfg *dir_cfg = ap_get_module_config(r->per_dir_config,
+ &auth_openidc_module);
+
++ /*
++ * we're going to pass the information that we have to the application,
++ * but first we need to scrub the headers that we're going to use for security reasons
++ */
++ oidc_scrub_headers(r);
++
+ /* set the user authentication HTTP header if set and required */
+ if ((r->user != NULL) && (dir_cfg->authn_header != NULL)) {
oidc_debug(r, "setting authn header (%s) to: %s", dir_cfg->authn_header,
+--
+2.19.2
+
diff --git a/SPECS/mod_auth_openidc.spec b/SPECS/mod_auth_openidc.spec
index dd140ef..2c83c33 100644
--- a/SPECS/mod_auth_openidc.spec
+++ b/SPECS/mod_auth_openidc.spec
@@ -15,7 +15,7 @@ Name: mod_auth_openidc Version: 1.8.8 -Release: 3%{?dist} +Release: 5%{?dist} Summary: OpenID Connect auth module for Apache HTTP Server Group: System Environment/Daemons
@@ -24,6 +24,9 @@ URL: https://github.com/pingidentity/mod_auth_openidc Source0: https://github.com/pingidentity/mod_auth_openidc/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz Patch0: decrypt_aesgcm.patch +Patch1: 0001-don-t-echo-query-params-on-invalid-requests-to-redir.patch +Patch2: 0002-Backport-security-fix-scrub-headers-on-OIDCUnAuthAct.patch +Patch3: 0003-Backport-security-fix-scrub-headers-for-AuthType-oau.patch BuildRequires: httpd-devel BuildRequires: openssl-devel
@@ -42,6 +45,9 @@ an OpenID Connect Relying Party and/or OAuth 2.0 Resource Server. %prep %setup -q %patch0 -p1 -b decrypt_aesgcm +%patch1 -p1 -b echo_req +%patch2 -p1 -b scrub_headers +%patch3 -p1 -b scrub_headers_oauth %build # workaround rpm-buildroot-usage
@@ -93,6 +99,15 @@ install -m 700 -d $RPM_BUILD_ROOT%{httpd_pkg_cache_dir}/cache %dir %attr(0700, apache, apache) %{httpd_pkg_cache_dir}/cache %changelog +* Tue Jan 29 2019 Jakub Hrozek - 1.8.8-5 +- Resolves: rhbz#1626297 - CVE-2017-6413 mod_auth_openidc: OIDC_CLAIM and + OIDCAuthNHeader not skipped in an "AuthType oauth20" + configuration [rhel-7] + +* Tue Jan 29 2019 Jakub Hrozek - 1.8.8-4 +- Resolves: rhbz#1626299 - CVE-2017-6059 mod_auth_openidc: Shows + user-supplied content on error pages [rhel-7] + * Thu Mar 31 2016 John Dennis - 1.8.8-3 - fix unit test failure caused by apr_jwe_decrypt_content_aesgcm() failing to null terminate decrypted string
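Review bot: `oidc_scrub_headers()` becomes an exported symbol here, but the prototype added to mod_auth_openidc.h carries no comment on what it removes or when it does nothing; a one-liner above it such as `/* strip client-supplied OIDC_* and claim-prefix headers from r->headers_in; no-op when scrub_request_headers is 0 */` would tell callers in oauth.c what they are getting. In `oidc_oauth_check_userid` the scrub sits just before the authn header is set, which covers the path shown; if the function has earlier returns that hand the request to the application without a validated token (its beginning is outside the hunk), those paths would still forward unscrubbed headers and should call the helper as well — worth confirming. The comment block copied into oauth.c repeats the one in `oidc_handle_existing_session` verbatim; `/* scrub client-supplied OIDC_* / claim headers before setting our own */` would say the same without the duplication.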