diff --git a/openssh-8.4p1-debian-compat.patch b/openssh-8.4p1-debian-compat.patch
new file mode 100644
index 0000000..0af1d3d
--- /dev/null
+++ b/openssh-8.4p1-debian-compat.patch
@@ -0,0 +1,57 @@
+--- compat.h.orig	2020-10-05 10:09:02.953505129 -0700
++++ compat.h	2020-10-05 10:10:17.587733113 -0700
+@@ -34,7 +34,7 @@
+ 
+ #define SSH_BUG_UTF8TTYMODE	0x00000001
+ #define SSH_BUG_SIGTYPE		0x00000002
+-/* #define unused		0x00000004 */
++#define SSH_BUG_SIGTYPE74	0x00000004
+ /* #define unused		0x00000008 */
+ #define SSH_OLD_SESSIONID	0x00000010
+ /* #define unused		0x00000020 */
+--- compat.c.orig	2020-10-05 10:25:02.088720562 -0700
++++ compat.c	2020-10-05 10:13:11.637282492 -0700
+@@ -65,11 +65,12 @@
+ 		{ "OpenSSH_6.5*,"
+ 		  "OpenSSH_6.6*",	SSH_NEW_OPENSSH|SSH_BUG_CURVE25519PAD|
+ 					SSH_BUG_SIGTYPE},
++		{ "OpenSSH_7.4*",	SSH_NEW_OPENSSH|SSH_BUG_SIGTYPE|
++		  			SSH_BUG_SIGTYPE74},
+ 		{ "OpenSSH_7.0*,"
+ 		  "OpenSSH_7.1*,"
+ 		  "OpenSSH_7.2*,"
+ 		  "OpenSSH_7.3*,"
+-		  "OpenSSH_7.4*,"
+ 		  "OpenSSH_7.5*,"
+ 		  "OpenSSH_7.6*,"
+ 		  "OpenSSH_7.7*",	SSH_NEW_OPENSSH|SSH_BUG_SIGTYPE},
+--- sshconnect2.c.orig	2020-09-26 07:26:37.618010545 -0700
++++ sshconnect2.c	2020-10-05 10:47:22.116315148 -0700
+@@ -1305,6 +1305,26 @@
+ 			break;
+ 	}
+ 	free(oallowed);
++	/*
++	 * OpenSSH 7.4 supports SHA2 sig types, but fails to indicate its
++	 * support.  For that release, check the local policy against the
++	 * SHA2 signature types.
++	 */
++	if (alg == NULL &&
++	    (key->type == KEY_RSA && (datafellows & SSH_BUG_SIGTYPE74))) {
++		oallowed = allowed = xstrdup(options.pubkey_key_types);
++		while ((cp = strsep(&allowed, ",")) != NULL) {
++			if (sshkey_type_from_name(cp) != key->type)
++				continue;
++			tmp = match_list(sshkey_sigalg_by_name(cp), "rsa-sha2-256,rsa-sha2-512", NULL);
++			if (tmp != NULL)
++				alg = xstrdup(cp);
++			free(tmp);
++			if (alg != NULL)
++				break;
++		}
++		free(oallowed);
++	}
+ 	return alg;
+ }
+ 
+
diff --git a/openssh-8.4p1-sandbox-seccomp.patch b/openssh-8.4p1-sandbox-seccomp.patch
new file mode 100644
index 0000000..ac4ee61
--- /dev/null
+++ b/openssh-8.4p1-sandbox-seccomp.patch
@@ -0,0 +1,14 @@
+diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
+index e0768c06..5065ae7e 100644
+--- a/sandbox-seccomp-filter.c
++++ b/sandbox-seccomp-filter.c
+@@ -267,6 +267,9 @@ static const struct sock_filter preauth_insns[] = {
+ #ifdef __NR_pselect6
+ 	SC_ALLOW(__NR_pselect6),
+ #endif
++#ifdef __NR_pselect6_time64
++	SC_ALLOW(__NR_pselect6_time64),
++#endif
+ #ifdef __NR_read
+ 	SC_ALLOW(__NR_read),
+ #endif
diff --git a/openssh.spec b/openssh.spec
index df39c02..feba23f 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -51,7 +51,7 @@
 
 # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
 %global openssh_ver 8.4p1
-%global openssh_rel 2
+%global openssh_rel 3
 %global pam_ssh_agent_ver 0.10.4
 %global pam_ssh_agent_rel 1
 
@@ -197,6 +197,10 @@ Patch965: openssh-8.2p1-visibility.patch
 # Do not break X11 without IPv6
 Patch966: openssh-8.2p1-x11-without-ipv6.patch
 Patch967: openssh-8.4p1-ssh-copy-id.patch
+# https://bugzilla.mindrot.org/show_bug.cgi?id=3232
+Patch968: openssh-8.4p1-sandbox-seccomp.patch
+# https://bugzilla.mindrot.org/show_bug.cgi?id=3213
+Patch969: openssh-8.4p1-debian-compat.patch
 
 License: BSD
 Requires: /sbin/nologin
@@ -381,6 +385,8 @@ popd
 %patch965 -p1 -b .visibility
 %patch966 -p1 -b .x11-ipv6
 %patch967 -p1 -b .ssh-copy-id
+%patch968 -p1 -b .seccomp
+%patch969 -p0 -b .debian
 
 %patch200 -p1 -b .audit
 %patch201 -p1 -b .audit-race
@@ -663,6 +669,10 @@ test -f %{sysconfig_anaconda} && \
 %endif
 
 %changelog
+* Thu Nov 19 2020 Jakub Jelen <jjelen@redhat.com> - 8.4p1-3 + 0.10.4-1
+- Unbreak seccomp filter on arm (#1897712)
+- Add a workaround for Debian's broken OpenSSH (#1881301)
+
 * Tue Oct 06 2020 Jakub Jelen <jjelen@redhat.com> - 8.4p1-2 + 0.10.4-1
 - Unbreak ssh-copy-id after a release (#1884231)
 - Remove misleading comment from sysconfig