diff --git a/SOURCES/openldap-ITS-9383-remove-assert-in-certificateListValidate.patch b/SOURCES/openldap-ITS-9383-remove-assert-in-certificateListValidate.patch
new file mode 100644
index 0000000..4e863d6
--- /dev/null
+++ b/SOURCES/openldap-ITS-9383-remove-assert-in-certificateListValidate.patch
@@ -0,0 +1,26 @@
+From 67670f4544e28fb09eb7319c39f404e1d3229e65 Mon Sep 17 00:00:00 2001
+From: Howard Chu <hyc@openldap.org>
+Date: Mon, 2 Nov 2020 13:12:10 +0000
+Subject: [PATCH] ITS#9383 remove assert in certificateListValidate
+
+---
+ servers/slapd/schema_init.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/servers/slapd/schema_init.c b/servers/slapd/schema_init.c
+index ea0d67aa62..28f9e71a16 100644
+--- a/servers/slapd/schema_init.c
++++ b/servers/slapd/schema_init.c
+@@ -371,8 +371,7 @@ certificateListValidate( Syntax *syntax, struct berval *in )
+ 	/* Optional version */
+ 	if ( tag == LBER_INTEGER ) {
+ 		tag = ber_get_int( ber, &version );
+-		assert( tag == LBER_INTEGER );
+-		if ( version != SLAP_X509_V2 ) return LDAP_INVALID_SYNTAX;
++		if ( tag != LBER_INTEGER || version != SLAP_X509_V2 ) return LDAP_INVALID_SYNTAX;
+ 	}
+ 	tag = ber_skip_tag( ber, &len );	/* Signature Algorithm */
+ 	if ( tag != LBER_SEQUENCE ) return LDAP_INVALID_SYNTAX;
+-- 
+GitLab
+
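Review bot: The combined condition on the added line in certificateListValidate depends on evaluation order: `version` is only meaningful when `ber_get_int` returned `LBER_INTEGER`, and the `||` short-circuit is what keeps it from being compared after a failed decode. A later edit could easily break that, so I would add a comment above it such as `/* test tag first: version is presumably unset when ber_get_int fails; input is untrusted, so reject instead of assert */`. The declaration of `version` and the rest of the function are outside the hunk, so whether it is initialised there cannot be confirmed from here.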
diff --git a/SOURCES/openldap-ITS-9384-remove-assert-in-obsolete-csnNormalize23.patch b/SOURCES/openldap-ITS-9384-remove-assert-in-obsolete-csnNormalize23.patch
new file mode 100644
index 0000000..4480922
--- /dev/null
+++ b/SOURCES/openldap-ITS-9384-remove-assert-in-obsolete-csnNormalize23.patch
@@ -0,0 +1,27 @@
+From bdb0d459187522a6063df13871b82ba8dcc6efe2 Mon Sep 17 00:00:00 2001
+From: Howard Chu <hyc@openldap.org>
+Date: Mon, 2 Nov 2020 16:01:14 +0000
+Subject: [PATCH] ITS#9384 remove assert in obsolete csnNormalize23()
+
+---
+ servers/slapd/schema_init.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/servers/slapd/schema_init.c b/servers/slapd/schema_init.c
+index 5812bc4b66..ea0d67aa62 100644
+--- a/servers/slapd/schema_init.c
++++ b/servers/slapd/schema_init.c
+@@ -5327,8 +5327,8 @@ csnNormalize23(
+ 	}
+ 	*ptr = '\0';
+ 
+-	assert( ptr == &bv.bv_val[bv.bv_len] );
+-	if ( csnValidate( syntax, &bv ) != LDAP_SUCCESS ) {
++	if ( ptr != &bv.bv_val[bv.bv_len] ||
++		csnValidate( syntax, &bv ) != LDAP_SUCCESS ) {
+ 		return LDAP_INVALID_SYNTAX;
+ 	}
+ 
+-- 
+GitLab
+
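Review bot: The new `ptr != &bv.bv_val[bv.bv_len]` test runs only after `*ptr = '\0'` has already been written, so it detects a length mismatch after the fact rather than preventing a write at an unexpected position. Whether `ptr` can ever pass the end of the buffer depends on the copy loop above, which is outside the hunk. If the loop is bounded by construction, a comment saying so would help, e.g. `/* ptr cannot exceed bv.bv_val + bv.bv_len; a mismatch means malformed input */`. The early `return LDAP_INVALID_SYNTAX;` also leaves `bv.bv_val` untouched, so if that buffer is heap-allocated earlier in csnNormalize23 (not visible here) it should be released on this path.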
diff --git a/SPECS/openldap.spec b/SPECS/openldap.spec
index 81dcc70..4a9b3df 100644
--- a/SPECS/openldap.spec
+++ b/SPECS/openldap.spec
@@ -5,7 +5,7 @@
 
 Name: openldap
 Version: 2.4.44
-Release: 24%{?dist}
+Release: 25%{?dist}
 Summary: LDAP support libraries
 Group: System Environment/Daemons
 License: OpenLDAP
@@ -58,6 +58,8 @@ Patch37: openldap-ITS8655-fix-double-free-on-paged-search-with-pagesize-0.patch
 Patch38: openldap-ITS8720-back-ldap-starttls-timeout.patch
 Patch39: openldap-ITS-9202-limit-depth-of-nested-filters.patch
 Patch40: openldap-ITS-9370-check-for-equality-rule-on-old_rdn.patch
+Patch41: openldap-ITS-9383-remove-assert-in-certificateListValidate.patch
+Patch42: openldap-ITS-9384-remove-assert-in-obsolete-csnNormalize23.patch
 
 # fixes for DH and ECDH
 Patch50: openldap-openssl-its7506-fix-DH-params-1.patch
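Review bot: Patch41 and Patch42 are added without a comment tying them to the advisories, unlike the `# fixes for DH and ECDH` group just below. A line such as `# CVE-2020-25709, CVE-2020-25710: reject malformed input instead of asserting` above Patch41 would let someone auditing the spec match the patches to the changelog entry. The two upstream commits also appear to chain in the opposite order, since the ITS#9384 patch's resulting blob `ea0d67aa62` is the ITS#9383 patch's base. The hunks are far apart in schema_init.c, so this should not matter, but it is worth confirming that both apply to 2.4.44 without fuzz.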
@@ -190,6 +192,8 @@ AUTOMAKE=%{_bindir}/true autoreconf -fi
 %patch38 -p1
 %patch39 -p1
 %patch40 -p1
+%patch41 -p1
+%patch42 -p1
 %patch50 -p1
 %patch51 -p1
 %patch52 -p1
@@ -681,6 +685,10 @@ exit 0
 %{_mandir}/man3/*
 
 %changelog
+* Wed Jan 19 2022 Simon Pichugin <spichugi@redhat.com> - 2.4.44-25
+- Fix CVE-2020-25709 openldap: assertion failure in Certificate List syntax validation (#2040539)
+- Fix CVE-2020-25710 openldap: assertion failure in CSN normalization with invalid input (#2040538)
+
 * Wed Aug  4 2021 Simon Pichugin <spichugi@redhat.com> - 2.4.44-24
 - CLDAP ldap_result hangs if nobody listens on the port (#1989919)