diff --git a/SOURCES/opensc-0.20.0-CVE-2020-26570.patch b/SOURCES/opensc-0.20.0-CVE-2020-26570.patch
new file mode 100644
index 0000000..ad0320b
--- /dev/null
+++ b/SOURCES/opensc-0.20.0-CVE-2020-26570.patch
@@ -0,0 +1,31 @@
+commit 6903aebfddc466d966c7b865fae34572bf3ed23e
+Author: Frank Morgner <frankmorgner@gmail.com>
+Date:   Thu Jul 30 02:21:17 2020 +0200
+
+    Heap-buffer-overflow WRITE
+    
+    fixes https://oss-fuzz.com/testcase-detail/5088104168554496
+
+diff --git a/src/libopensc/pkcs15-oberthur.c b/src/libopensc/pkcs15-oberthur.c
+index a873aaa0..2fb32b8d 100644
+--- a/src/libopensc/pkcs15-oberthur.c
++++ b/src/libopensc/pkcs15-oberthur.c
+@@ -271,11 +271,15 @@ sc_oberthur_read_file(struct sc_pkcs15_card *p15card, const char *in_path,
+ 		rv = sc_read_binary(card, 0, *out, sz, 0);
+ 	}
+ 	else	{
+-		int rec;
+-		int offs = 0;
+-		int rec_len = file->record_length;
++		size_t rec;
++		size_t offs = 0;
++		size_t rec_len = file->record_length;
+ 
+ 		for (rec = 1; ; rec++)   {
++			if (rec > file->record_count) {
++				rv = 0;
++				break;
++			}
+ 			rv = sc_read_record(card, rec, *out + offs + 2, rec_len, SC_RECORD_BY_REC_NR);
+ 			if (rv == SC_ERROR_RECORD_NOT_FOUND)   {
+ 				rv = 0;
diff --git a/SOURCES/opensc-0.20.0-CVE-2020-26571.patch b/SOURCES/opensc-0.20.0-CVE-2020-26571.patch
new file mode 100644
index 0000000..b07ac05
--- /dev/null
+++ b/SOURCES/opensc-0.20.0-CVE-2020-26571.patch
@@ -0,0 +1,42 @@
+commit ed55fcd2996930bf58b9bb57e9ba7b1f3a753c43
+Author: Frank Morgner <frankmorgner@gmail.com>
+Date:   Mon May 18 17:25:32 2020 +0200
+
+    fixed invalid read
+    
+    fixes https://oss-fuzz.com/testcase-detail/5765246676631552
+
+diff --git a/src/libopensc/pkcs15-gemsafeGPK.c b/src/libopensc/pkcs15-gemsafeGPK.c
+index e13f3b87..4b80daf2 100644
+--- a/src/libopensc/pkcs15-gemsafeGPK.c
++++ b/src/libopensc/pkcs15-gemsafeGPK.c
+@@ -205,7 +205,7 @@ static int sc_pkcs15emu_gemsafeGPK_init(sc_pkcs15_card_t *p15card)
+ 
+ 	u8 sysrec[7];
+ 	int num_keyinfo = 0;
+-	keyinfo kinfo[8]; /* will loook for 8 keys */
++	keyinfo kinfo[9]; /* will look for 9 keys */
+ 	u8 modulus_buf[ 1 + 1024 / 8]; /* tag+modulus */
+ 	u8 *cp;
+ 	char buf[256];
+@@ -255,9 +255,9 @@ static int sc_pkcs15emu_gemsafeGPK_init(sc_pkcs15_card_t *p15card)
+ 
+ 	/* There may be more then one key in the directory. */
+ 	/* we need to find them so we can associate them with the */
+-	/* the certificate.  The files are 0007 to 000f */
++	/* the certificate.  The files are 0007 to 000F */
+ 
+-	for (i = 7; i < 16; i++) {
++	for (i = 0x7; i <= 0xF; i++) {
+ 		path.value[0] = 0x00;
+ 		path.value[1] = i;
+ 		path.len = 2;	
+@@ -297,7 +297,7 @@ static int sc_pkcs15emu_gemsafeGPK_init(sc_pkcs15_card_t *p15card)
+ 		while (j--) 
+ 			*cp++ =  modulus_buf[j + 1];
+ 		num_keyinfo++;
+-	} 
++	}
+ 
+ 	/* Get the gemsafe data with the cert */
+ 	 sc_format_path("3F000200004", &path);
diff --git a/SOURCES/opensc-0.20.0-CVE-2020-26572.patch b/SOURCES/opensc-0.20.0-CVE-2020-26572.patch
new file mode 100644
index 0000000..91a1249
--- /dev/null
+++ b/SOURCES/opensc-0.20.0-CVE-2020-26572.patch
@@ -0,0 +1,21 @@
+commit 9d294de90d1cc66956389856e60b6944b27b4817
+Author: Frank Morgner <frankmorgner@gmail.com>
+Date:   Thu Jun 4 10:04:10 2020 +0200
+
+    prevent out of bounds write
+    
+    fixes https://oss-fuzz.com/testcase-detail/5226571123392512
+
+diff --git a/src/libopensc/card-tcos.c b/src/libopensc/card-tcos.c
+index 673c2493..e88c80bd 100644
+--- a/src/libopensc/card-tcos.c
++++ b/src/libopensc/card-tcos.c
+@@ -623,6 +623,8 @@ static int tcos_decipher(sc_card_t *card, const u8 * crgram, size_t crgram_len,
+ 	apdu.data = sbuf;
+ 	apdu.lc = apdu.datalen = crgram_len+1;
+ 	sbuf[0] = tcos3 ? 0x00 : ((data->pad_flags & SC_ALGORITHM_RSA_PAD_PKCS1) ? 0x81 : 0x02);
++	if (sizeof sbuf - 1 < crgram_len)
++		return SC_ERROR_INVALID_ARGUMENTS;
+ 	memcpy(sbuf+1, crgram, crgram_len);
+ 
+ 	r = sc_transmit_apdu(card, &apdu);
diff --git a/SOURCES/opensc-0.20.0-cac-pin-change.patch b/SOURCES/opensc-0.20.0-cac-pin-change.patch
new file mode 100644
index 0000000..3163caf
--- /dev/null
+++ b/SOURCES/opensc-0.20.0-cac-pin-change.patch
@@ -0,0 +1,102 @@
+diff --git a/src/libopensc/card-cac.c b/src/libopensc/card-cac.c
+index 099923e5..61e69c88 100644
+--- a/src/libopensc/card-cac.c
++++ b/src/libopensc/card-cac.c
+@@ -1793,7 +1793,7 @@ static int cac_find_and_initialize(sc_card_t *card, int initialize)
+ 		}
+ 		r = cac_process_ACA(card, priv);
+ 		if (r == SC_SUCCESS) {
+-			card->type = SC_CARD_TYPE_CAC_II;
++			card->type = SC_CARD_TYPE_CAC_ALT_HID;
+ 			card->drv_data = priv;
+ 			return r;
+ 		}
+@@ -1869,6 +1869,8 @@ static int cac_pin_cmd(sc_card_t *card, struct sc_pin_cmd_data *data, int *tries
+ 	 * FIPS 201 4.1.6.1 (numeric only) and * FIPS 140-2
+ 	 * (6 character minimum) requirements.
+ 	 */
++	sc_apdu_t apdu;
++	u8  sbuf[SC_MAX_APDU_BUFFER_SIZE];
+ 	struct sc_card_driver *iso_drv = sc_get_iso7816_driver();
+ 
+ 	if (data->cmd == SC_PIN_CMD_CHANGE) {
+@@ -1881,6 +1883,18 @@ static int cac_pin_cmd(sc_card_t *card, struct sc_pin_cmd_data *data, int *tries
+ 				return SC_ERROR_INVALID_DATA;
+ 			}
+ 		}
++
++		/* We can change the PIN of Giesecke & Devrient CAC ALT tokens
++		 * with a bit non-standard APDU */
++		if (card->type == SC_CARD_TYPE_CAC_ALT_HID) {
++			int r = 0;
++			r = iso7816_build_pin_apdu(card, &apdu, data, sbuf, sizeof(sbuf));
++			if (r < 0)
++				return r;
++			/* it requires P1 = 0x01 completely against the ISO specs */
++			apdu.p1 = 0x01;
++			data->apdu = &apdu;
++		}
+ 	}
+ 
+ 	return  iso_drv->ops->pin_cmd(card, data, tries_left);
+diff --git a/src/libopensc/cards.h b/src/libopensc/cards.h
+index 0ec25a46..16846d15 100644
+--- a/src/libopensc/cards.h
++++ b/src/libopensc/cards.h
+@@ -244,6 +244,7 @@ enum {
+ 	SC_CARD_TYPE_CAC_GENERIC,
+ 	SC_CARD_TYPE_CAC_I,
+ 	SC_CARD_TYPE_CAC_II,
++	SC_CARD_TYPE_CAC_ALT_HID,
+ 
+ 	/* nPA cards */
+ 	SC_CARD_TYPE_NPA = 34000,
+diff --git a/src/libopensc/iso7816.c b/src/libopensc/iso7816.c
+index b1a0e88f..d41613b2 100644
+--- a/src/libopensc/iso7816.c
++++ b/src/libopensc/iso7816.c
+@@ -1017,7 +1017,7 @@ iso7816_decipher(struct sc_card *card,
+ }
+ 
+ 
+-static int
++int
+ iso7816_build_pin_apdu(struct sc_card *card, struct sc_apdu *apdu,
+ 		struct sc_pin_cmd_data *data, u8 *buf, size_t buf_len)
+ {
+diff --git a/src/libopensc/opensc.h b/src/libopensc/opensc.h
+index b519c5d5..8ebf9fbd 100644
+--- a/src/libopensc/opensc.h
++++ b/src/libopensc/opensc.h
+@@ -1664,6 +1664,19 @@ int iso7816_update_binary_sfid(sc_card_t *card, unsigned char sfid,
+  * */
+ int iso7816_logout(sc_card_t *card, unsigned char pin_reference);
+ 
++/*
++ * @brief Format PIN APDU for modifiction by card driver
++ *
++ * @param[in] card           card
++ * @param[in] apdu           apdu structure to update with PIN APDU
++ * @param[in] data           pin command data to set into the APDU
++ * @param[in] buf            buffer for APDU data field
++ * @param[in] buf_len        maximum buffer length
++ */
++int
++iso7816_build_pin_apdu(struct sc_card *card, struct sc_apdu *apdu,
++		struct sc_pin_cmd_data *data, u8 *buf, size_t buf_len);
++
+ #ifdef __cplusplus
+ }
+ #endif
+diff --git a/src/libopensc/pkcs15-cac.c b/src/libopensc/pkcs15-cac.c
+index ccb27994..05056ea9 100644
+--- a/src/libopensc/pkcs15-cac.c
++++ b/src/libopensc/pkcs15-cac.c
+@@ -79,6 +79,7 @@ static const char * cac_get_name(int type)
+     switch (type) {
+     case SC_CARD_TYPE_CAC_I: return ("CAC I");
+     case SC_CARD_TYPE_CAC_II: return ("CAC II");
++    case SC_CARD_TYPE_CAC_ALT_HID: return ("CAC ALT HID");
+     default: break;
+     }
+     return ("CAC");
diff --git a/SOURCES/opensc-0.20.0-label-padding.patch b/SOURCES/opensc-0.20.0-label-padding.patch
new file mode 100644
index 0000000..4cf26b8
--- /dev/null
+++ b/SOURCES/opensc-0.20.0-label-padding.patch
@@ -0,0 +1,24 @@
+commit 8d4af9eb0b799f22b25783e8e1b7af329b5a917b
+Author: Frank Morgner <frankmorgner@gmail.com>
+Date:   Fri Jan 31 12:15:53 2020 +0100
+
+    pkcs11: fixed right padding of token label with ' '
+    
+    fixes https://github.com/OpenSC/OpenSC/issues/1922
+
+diff --git a/src/pkcs11/framework-pkcs15.c b/src/pkcs11/framework-pkcs15.c
+index e94eeeff..a1951c2e 100644
+--- a/src/pkcs11/framework-pkcs15.c
++++ b/src/pkcs11/framework-pkcs15.c
+@@ -1122,9 +1122,10 @@ pkcs15_init_slot(struct sc_pkcs15_card *p15card, struct sc_pkcs11_slot *slot,
+ 							max_tokeninfo_len);
+ 					slot->token_info.label[max_tokeninfo_len]           = ' ';
+ 					slot->token_info.label[max_tokeninfo_len+1]         = '(';
+-					slot->token_info.label[max_tokeninfo_len+2+pin_len] = ')';
+ 					strcpy_bp(slot->token_info.label+max_tokeninfo_len+2,
+ 							auth->label, pin_len);
++					strcpy_bp(slot->token_info.label+max_tokeninfo_len+2+pin_len,
++							")", 32 - max_tokeninfo_len-2-pin_len);
+ 				}
+ 			} else {
+ 				/* PIN label is empty or just says non-useful "PIN",
diff --git a/SPECS/opensc.spec b/SPECS/opensc.spec
index dd17e23..8291b4f 100644
--- a/SPECS/opensc.spec
+++ b/SPECS/opensc.spec
@@ -3,7 +3,7 @@
 
 Name:           opensc
 Version:        0.20.0
-Release:        2%{?dist}
+Release:        3%{?dist}
 Summary:        Smart card library and applications
 
 Group:          System Environment/Libraries
@@ -16,6 +16,17 @@ Patch6:         opensc-0.19.0-pinpad.patch
 Patch8:         opensc-0.19.0-idprime.patch
 # https://github.com/OpenSC/OpenSC/pull/1987
 Patch9:         opensc-0.20.0-cardos.patch
+# https://github.com/OpenSC/OpenSC/pull/2129
+Patch10:        opensc-0.20.0-cac-pin-change.patch
+# https://github.com/OpenSC/OpenSC/commit/6903aebf
+Patch11:        opensc-0.20.0-CVE-2020-26570.patch
+# https://github.com/OpenSC/OpenSC/commit/ed55fcd2
+Patch12:        opensc-0.20.0-CVE-2020-26571.patch
+# https://github.com/OpenSC/OpenSC/commit/9d294de9
+Patch13:        opensc-0.20.0-CVE-2020-26572.patch
+# https://github.com/OpenSC/OpenSC/commit/8d4af9eb
+Patch14:        opensc-0.20.0-label-padding.patch
+
 
 BuildRequires:  pcsc-lite-devel
 BuildRequires:  readline-devel
@@ -47,6 +58,11 @@ every software/card that does so, too.
 %patch6 -p1 -b .pinpad
 %patch8 -p1 -b .idprime
 %patch9 -p1 -b .cardos
+%patch10 -p1 -b .cac-pin-change
+%patch11 -p1 -b .CVE-2020-26570
+%patch12 -p1 -b .CVE-2020-26571
+%patch13 -p1 -b .CVE-2020-26572
+%patch14 -p1 -b .padding
 
 cp -p src/pkcs15init/README ./README.pkcs15init
 cp -p src/scconf/README.scconf .
@@ -205,6 +221,11 @@ fi
 
 
 %changelog
+* Tue Oct 20 2020 Jakub Jelen <jjelen@redhat.com> - 0.20.0-3
+- Support PIN change for HID Alt tokens (#1830901)
+- Fix CVE-2020-26570, CVE-2020-26571 and CVE-2020-26572
+- Fix right padding of token labels of some cards (#1877973)
+
 * Wed May 27 2020 Jakub Jelen <jjelen@redhat.com> - 0.20.0-2
 - Unbreak different CardOS 5 configurations supporting raw RSA (#1830856)