diff --git a/SOURCES/ntp-4.2.6p5-cve-2015-5300.patch b/SOURCES/ntp-4.2.6p5-cve-2015-5300.patch
new file mode 100644
index 0000000..ebb7541
--- /dev/null
+++ b/SOURCES/ntp-4.2.6p5-cve-2015-5300.patch
@@ -0,0 +1,11 @@
+diff -up ntp-4.2.6p5/ntpd/ntp_loopfilter.c.allowpanic ntp-4.2.6p5/ntpd/ntp_loopfilter.c
+--- ntp-4.2.6p5/ntpd/ntp_loopfilter.c.allowpanic 2015-10-08 16:10:57.927295885 +0200
++++ ntp-4.2.6p5/ntpd/ntp_loopfilter.c 2015-10-08 16:11:00.501628644 +0200
+@@ -389,6 +389,7 @@ local_clock(
+ report_event(EVNT_CLOCKRESET, NULL, tbuf);
+ step_systime(fp_offset);
+ reinit_timer();
++ allow_panic = FALSE;
+ tc_counter = 0;
+ clock_jitter = LOGTOD(sys_precision);
+ rval = 2;
diff --git a/SOURCES/ntp-4.2.6p5-cve-2015-7704.patch b/SOURCES/ntp-4.2.6p5-cve-2015-7704.patch
new file mode 100644
index 0000000..a3e0d27
--- /dev/null
+++ b/SOURCES/ntp-4.2.6p5-cve-2015-7704.patch
@@ -0,0 +1,12 @@
+diff -up ntp-4.2.6p5/ntpd/ntp_proto.c.kodtest ntp-4.2.6p5/ntpd/ntp_proto.c
+--- ntp-4.2.6p5/ntpd/ntp_proto.c.kodtest 2015-09-24 18:20:19.121981664 +0200
++++ ntp-4.2.6p5/ntpd/ntp_proto.c 2015-09-24 18:20:54.596594166 +0200
+@@ -1165,7 +1165,7 @@ receive(
+ peer->ppoll = max(peer->minpoll, pkt->ppoll);
+ if (hismode == MODE_SERVER && hisleap == LEAP_NOTINSYNC &&
+ hisstratum == STRATUM_UNSPEC && memcmp(&pkt->refid,
+- "RATE", 4) == 0) {
++ "RATE", 4) == 0 && !(peer->flash & PKT_TEST_MASK)) {
+ peer->selbroken++;
+ report_event(PEVNT_RATE, peer, NULL);
+ if (pkt->ppoll > peer->minpoll)
diff --git a/SPECS/ntp.spec b/SPECS/ntp.spec
index 09aba15..cbc6171 100644
--- a/SPECS/ntp.spec
+++ b/SPECS/ntp.spec
@@ -1,7 +1,7 @@
 Summary: The NTP daemon and utilities
 Name: ntp
 Version: 4.2.6p5
-Release: 19%{?dist}.1
+Release: 19%{?dist}.3
 # primary license (COPYRIGHT) : MIT
 # ElectricFence/ (not used) : GPLv2
 # kernel/sys/ppsclock.h (not used) : BSD with advertising
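Review bot: The added `allow_panic = FALSE;` in the step branch of `local_clock()` (ntp-4.2.6p5-cve-2015-5300.patch) has no comment, and the embedded patch has no header text, so the reason for clearing the flag is recorded only in the spec file. A comment above the assignment such as `/* -g allows one step past the panic threshold; later offsets must pass the panic check (CVE-2015-5300) */` would keep that intent with the code. The panic-threshold test that reads `allow_panic` lies outside this hunk, so its effect cannot be confirmed from the lines shown. The flag also looks like per-process state, which would mean every restart of ntpd with -g is granted a fresh step; if that is right, the service restart policy is worth reviewing alongside this fix.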
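Review bot: In `receive()` (ntp-4.2.6p5-cve-2015-7704.patch) the new `!(peer->flash & PKT_TEST_MASK)` term protects the RATE branch only if the origin-timestamp tests have already set `peer->flash` for this packet, and that code is outside the hunk. `peer->ppoll = max(peer->minpoll, pkt->ppoll);` on the first context line still takes its value from the packet before the test is consulted. A RATE packet that fails the test now falls through to whatever follows the branch instead of returning, so both paths deserve a look in the full function. I would also add a comment above the condition, for example `/* accept RATE only when the packet passed the timestamp tests, so a spoofed KoD is ignored (CVE-2015-7704) */`.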
@@ -97,6 +97,10 @@ Patch23: ntp-4.2.6p5-cve-2014-9293.patch Patch24: ntp-4.2.6p5-cve-2014-9295.patch # ntpbz #2670 Patch25: ntp-4.2.6p5-cve-2014-9296.patch +# ntpbz #2901 +Patch26: ntp-4.2.6p5-cve-2015-7704.patch +# allow only one step larger than panic threshold with -g +Patch27: ntp-4.2.6p5-cve-2015-5300.patch # ntpbz #2745 Patch36: ntp-4.2.6p5-xleap.patch @@ -179,7 +183,7 @@ This package contains NTP documentation in HTML format. # pool.ntp.org vendor zone which will be used in ntp.conf %if 0%{!?vendorzone:1} %{?fedora: %global vendorzone fedora.} -%{?rhel: %global vendorzone centos.} +%{?rhel: %global vendorzone rhel.} %endif %prep @@ -212,6 +216,8 @@ This package contains NTP documentation in HTML format. %patch23 -p1 -b .cve-2014-9293 %patch24 -p1 -b .cve-2014-9295 %patch25 -p1 -b .cve-2014-9296 +%patch26 -p1 -b .cve-2015-7704 +%patch27 -p1 -b .cve-2015-5300 %patch36 -p1 -b .xleap # ntpstat patches @@ -424,8 +430,9 @@ popd %{ntpdocdir}/html %changelog -* Tue Jun 23 2015 CentOS Sources - 4.2.6p5-19.el7.centos.1 -- rebrand vendorzone +* Fri Oct 16 2015 Miroslav Lichvar 4.2.6p5-19.el7_1.3 +- check origin timestamp before accepting KoD RATE packet (CVE-2015-7704) +- allow only one step larger than panic threshold with -g (CVE-2015-5300) * Thu Apr 23 2015 Miroslav Lichvar 4.2.6p5-19.el7_1.1 - don't step clock for leap second with -x option (#1191122)
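Review bot: The `@@ -179,7 +183,7 @@` hunk of SPECS/ntp.spec changes `%{?rhel: %global vendorzone centos.}` to `rhel.`, and the changelog hunk drops the "rebrand vendorzone" entry; neither is mentioned in the two CVE changelog lines this commit adds. The comment above the macro says this zone is what ends up in ntp.conf, so a build from this commit would default to a different set of pool servers than the previous release. This looks like an unmodified upstream import. If so, confirm the rebrand is re-applied before the package ships, or record the change in the changelog.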