diff --git a/SOURCES/kvm-Drop-bogus-IPv6-messages.patch b/SOURCES/kvm-Drop-bogus-IPv6-messages.patch
new file mode 100644
index 0000000..b7f74b9
--- /dev/null
+++ b/SOURCES/kvm-Drop-bogus-IPv6-messages.patch
@@ -0,0 +1,53 @@
+From 4186ab1a803003e68d721fbb0095fa62cf671c4a Mon Sep 17 00:00:00 2001
+From: Jon Maloy <jmaloy@redhat.com>
+Date: Mon, 17 Aug 2020 21:06:08 +0000
+Subject: [PATCH] Drop bogus IPv6 messages
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Drop bogus IPv6 messages
+
+RH-Author: Jon Maloy <jmaloy@redhat.com>
+Message-id: <20200817220608.1142611-2-jmaloy@redhat.com>
+Patchwork-id: 98161
+O-Subject: [RHEL-AV-8.3.0 qemu-kvm PATCH 1/1] Drop bogus IPv6 messages
+Bugzilla: 1838092 1867075 1870421
+RH-Acked-by: Danilo de Paula <ddepaula@redhat.com>
+RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+RH-Acked-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+
+From: Ralf Haferkamp <rhafer@suse.com>
+
+Drop IPv6 message shorter than what's mentioned in the payload
+length header (+ the size of the IPv6 header). They're invalid an could
+lead to data leakage in icmp6_send_echoreply().
+
+(cherry picked from libslirp commit c7ede54cbd2e2b25385325600958ba0124e31cc0)
+Signed-off-by: Jon Maloy <jmaloy@redhat.com>
+Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
+---
+ slirp/ip6_input.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/slirp/ip6_input.c b/slirp/ip6_input.c
+index ac2e3ea882..deb3d6e086 100644
+--- a/slirp/ip6_input.c
++++ b/slirp/ip6_input.c
+@@ -49,6 +49,13 @@ void ip6_input(struct mbuf *m)
+         goto bad;
+     }
+ 
++    // Check if the message size is big enough to hold what's
++    // set in the payload length header. If not this is an invalid
++    // packet
++    if (m->m_len < ntohs(ip6->ip_pl) + sizeof(struct ip6)) {
++        goto bad;
++    }
++
+     /* check ip_ttl for a correct ICMP reply */
+     if (ip6->ip_hl == 0) {
+         icmp6_send_error(m, ICMP6_TIMXCEED, ICMP6_TIMXCEED_INTRANS);
+-- 
+2.27.0
+
diff --git a/SOURCES/kvm-usb-fix-setup_len-init-CVE-2020-14364.patch b/SOURCES/kvm-usb-fix-setup_len-init-CVE-2020-14364.patch
new file mode 100644
index 0000000..e5f9a89
--- /dev/null
+++ b/SOURCES/kvm-usb-fix-setup_len-init-CVE-2020-14364.patch
@@ -0,0 +1,102 @@
+From 300fc65923c004022621ea8fb50ce4cda96b7503 Mon Sep 17 00:00:00 2001
+From: Jon Maloy <jmaloy@redhat.com>
+Date: Thu, 3 Sep 2020 15:27:13 -0400
+Subject: [PATCH] usb: fix setup_len init (CVE-2020-14364)
+
+RH-Author: Jon Maloy <jmaloy@redhat.com>
+Message-id: <20200903152713.1420531-2-jmaloy@redhat.com>
+Patchwork-id: 98271
+O-Subject: [RHEL-8.3.0 qemu-kvm PATCH 1/1] usb: fix setup_len init (CVE-2020-14364)
+Bugzilla: 1869708
+RH-Acked-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
+RH-Acked-by: Thomas Huth <thuth@redhat.com>
+RH-Acked-by: Gerd Hoffmann <kraxel@redhat.com>
+
+From: Gerd Hoffmann <kraxel@redhat.com>
+
+Store calculated setup_len in a local variable, verify it, and only
+write it to the struct (USBDevice->setup_len) in case it passed the
+sanity checks.
+
+This prevents other code (do_token_{in,out} functions specifically)
+from working with invalid USBDevice->setup_len values and overrunning
+the USBDevice->setup_buf[] buffer.
+
+Fixes: CVE-2020-14364
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Tested-by: Gonglei <arei.gonglei@huawei.com>
+Reviewed-by: Li Qiang <liq3ea@gmail.com>
+Message-id: 20200825053636.29648-1-kraxel@redhat.com
+(cherry picked from commit b946434f2659a182afc17e155be6791ebfb302eb)
+Signed-off-by: Jon Maloy <jmaloy@redhat.com>
+Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
+---
+ hw/usb/core.c | 16 ++++++++++------
+ 1 file changed, 10 insertions(+), 6 deletions(-)
+
+diff --git a/hw/usb/core.c b/hw/usb/core.c
+index 07b67fbbd7..e816eded2d 100644
+--- a/hw/usb/core.c
++++ b/hw/usb/core.c
+@@ -130,6 +130,7 @@ void usb_wakeup(USBEndpoint *ep, unsigned int stream)
+ static void do_token_setup(USBDevice *s, USBPacket *p)
+ {
+     int request, value, index;
++    unsigned int setup_len;
+ 
+     if (p->iov.size != 8) {
+         p->status = USB_RET_STALL;
+@@ -139,14 +140,15 @@ static void do_token_setup(USBDevice *s, USBPacket *p)
+     usb_packet_copy(p, s->setup_buf, p->iov.size);
+     s->setup_index = 0;
+     p->actual_length = 0;
+-    s->setup_len   = (s->setup_buf[7] << 8) | s->setup_buf[6];
+-    if (s->setup_len > sizeof(s->data_buf)) {
++    setup_len = (s->setup_buf[7] << 8) | s->setup_buf[6];
++    if (setup_len > sizeof(s->data_buf)) {
+         fprintf(stderr,
+                 "usb_generic_handle_packet: ctrl buffer too small (%d > %zu)\n",
+-                s->setup_len, sizeof(s->data_buf));
++                setup_len, sizeof(s->data_buf));
+         p->status = USB_RET_STALL;
+         return;
+     }
++    s->setup_len = setup_len;
+ 
+     request = (s->setup_buf[0] << 8) | s->setup_buf[1];
+     value   = (s->setup_buf[3] << 8) | s->setup_buf[2];
+@@ -260,26 +262,28 @@ static void do_token_out(USBDevice *s, USBPacket *p)
+ static void do_parameter(USBDevice *s, USBPacket *p)
+ {
+     int i, request, value, index;
++    unsigned int setup_len;
+ 
+     for (i = 0; i < 8; i++) {
+         s->setup_buf[i] = p->parameter >> (i*8);
+     }
+ 
+     s->setup_state = SETUP_STATE_PARAM;
+-    s->setup_len   = (s->setup_buf[7] << 8) | s->setup_buf[6];
+     s->setup_index = 0;
+ 
+     request = (s->setup_buf[0] << 8) | s->setup_buf[1];
+     value   = (s->setup_buf[3] << 8) | s->setup_buf[2];
+     index   = (s->setup_buf[5] << 8) | s->setup_buf[4];
+ 
+-    if (s->setup_len > sizeof(s->data_buf)) {
++    setup_len = (s->setup_buf[7] << 8) | s->setup_buf[6];
++    if (setup_len > sizeof(s->data_buf)) {
+         fprintf(stderr,
+                 "usb_generic_handle_packet: ctrl buffer too small (%d > %zu)\n",
+-                s->setup_len, sizeof(s->data_buf));
++                setup_len, sizeof(s->data_buf));
+         p->status = USB_RET_STALL;
+         return;
+     }
++    s->setup_len = setup_len;
+ 
+     if (p->pid == USB_TOKEN_OUT) {
+         usb_packet_copy(p, s->data_buf, s->setup_len);
+-- 
+2.27.0
+
diff --git a/SPECS/qemu-kvm.spec b/SPECS/qemu-kvm.spec
index 66e0eff..35f33a3 100644
--- a/SPECS/qemu-kvm.spec
+++ b/SPECS/qemu-kvm.spec
@@ -67,7 +67,7 @@ Obsoletes: %1-rhev
 Summary: QEMU is a machine emulator and virtualizer
 Name: qemu-kvm
 Version: 2.12.0
-Release: 99%{?dist}.2
+Release: 99%{?dist}.4
 # Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped
 Epoch: 15
 License: GPLv2 and GPLv2+ and CC-BY
@@ -1892,6 +1892,12 @@ Patch926: kvm-tcp_emu-fix-unsafe-snprintf-usages.patch
 Patch927: kvm-vnc-add-magic-cookie-to-VncState.patch
 # For bz#1816763 - CVE-2019-20382 virt:rhel/qemu-kvm: QEMU: vnc: memory leakage upon disconnect [rhel-8]
 Patch928: kvm-vnc-fix-memory-leak-when-vnc-disconnect.patch
+# For bz#1838092 - CVE-2020-10756 virt:8.2/qemu-kvm: QEMU: slirp: networking out-of-bounds read information disclosure vulnerability [rhel-av-8]
+# For bz#1867075 - CVE-2020-10756 virt:8.3/qemu-kvm: QEMU: slirp: networking out-of-bounds read information disclosure vulnerability [rhel-av-8]
+# For bz#1870421 - CVE-2020-10756 virt:rhel/qemu-kvm: QEMU: slirp: networking out-of-bounds read information disclosure vulnerability [rhel-8.2.0.z]
+Patch929: kvm-Drop-bogus-IPv6-messages.patch
+# For bz#1869708 - CVE-2020-14364 qemu-kvm: QEMU: usb: out-of-bounds r/w access issue while processing usb packets [rhel-8.2.0.z]
+Patch930: kvm-usb-fix-setup_len-init-CVE-2020-14364.patch
 
 BuildRequires: zlib-devel
 BuildRequires: glib2-devel
@@ -2778,6 +2784,20 @@ useradd -r -u 107 -g qemu -G kvm -d / -s /sbin/nologin \
 
 
 %changelog
+* Wed Sep 09 2020 Danilo Cesar Lemes de Paula <ddepaula@redhat.com> - 2.12.0-99.el8_2.4
+- kvm-usb-fix-setup_len-init-CVE-2020-14364.patch [bz#1869708]
+- Resolves: bz#1869708
+  (CVE-2020-14364 qemu-kvm: QEMU: usb: out-of-bounds r/w access issue while processing usb packets [rhel-8.2.0.z])
+
+* Thu Aug 27 2020 Danilo Cesar Lemes de Paula <ddepaula@redhat.com> - 2.12.0-99.el8_2.3
+- kvm-Drop-bogus-IPv6-messages.patch [bz#1838092 bz#1867075 bz#1870421]
+- Resolves: bz#1838092
+  (CVE-2020-10756 virt:8.2/qemu-kvm: QEMU: slirp: networking out-of-bounds read information disclosure vulnerability [rhel-av-8])
+- Resolves: bz#1867075
+  (CVE-2020-10756 virt:8.3/qemu-kvm: QEMU: slirp: networking out-of-bounds read information disclosure vulnerability [rhel-av-8])
+- Resolves: bz#1870421
+  (CVE-2020-10756 virt:rhel/qemu-kvm: QEMU: slirp: networking out-of-bounds read information disclosure vulnerability [rhel-8.2.0.z])
+
 * Mon Jun 01 2020 Danilo Cesar Lemes de Paula <ddepaula@redhat.com> - 2.12.0-99.el8_2.2
 - kvm-vnc-add-magic-cookie-to-VncState.patch [bz#1816763]
 - kvm-vnc-fix-memory-leak-when-vnc-disconnect.patch [bz#1816763]