diff --git a/0001-loader-Add-load_image_gzipped-function.patch b/0001-loader-Add-load_image_gzipped-function.patch
index a08a9cb..a442e24 100644
--- a/0001-loader-Add-load_image_gzipped-function.patch
+++ b/0001-loader-Add-load_image_gzipped-function.patch
@@ -1,4 +1,3 @@
-From 6665e04d68d58a93d75a51a0840534f3a0ad2402 Mon Sep 17 00:00:00 2001
From: "Richard W.M. Jones" <rjones@redhat.com>
Date: Tue, 19 Aug 2014 18:56:28 +0100
Subject: [PATCH] loader: Add load_image_gzipped function.
diff --git a/0002-aarch64-Allow-kernel-option-to-take-a-gzip-compresse.patch b/0002-aarch64-Allow-kernel-option-to-take-a-gzip-compresse.patch
index fbb3e38..3f3f637 100644
--- a/0002-aarch64-Allow-kernel-option-to-take-a-gzip-compresse.patch
+++ b/0002-aarch64-Allow-kernel-option-to-take-a-gzip-compresse.patch
@@ -1,4 +1,3 @@
-From f06e2812a6813c8c93fee50bd8beb5ae5d8cb871 Mon Sep 17 00:00:00 2001
From: "Richard W.M. Jones" <rjones@redhat.com>
Date: Tue, 19 Aug 2014 18:56:28 +0100
Subject: [PATCH] aarch64: Allow -kernel option to take a gzip-compressed
diff --git a/0003-block.curl-adding-timeout-option.patch b/0003-block.curl-adding-timeout-option.patch
index 82b144e..b003edf 100644
--- a/0003-block.curl-adding-timeout-option.patch
+++ b/0003-block.curl-adding-timeout-option.patch
@@ -1,4 +1,3 @@
-From 5331434dbb2a1959a8a8d153fd4553ae434cc464 Mon Sep 17 00:00:00 2001
From: Daniel Henrique Barboza <danielhb@linux.vnet.ibm.com>
Date: Wed, 13 Aug 2014 12:44:27 -0300
Subject: [PATCH] block.curl: adding 'timeout' option
diff --git a/0004-curl-Allow-a-cookie-or-cookies-to-be-sent-with-http-.patch b/0004-curl-Allow-a-cookie-or-cookies-to-be-sent-with-http-.patch
index 9cf999a..e58b6e4 100644
--- a/0004-curl-Allow-a-cookie-or-cookies-to-be-sent-with-http-.patch
+++ b/0004-curl-Allow-a-cookie-or-cookies-to-be-sent-with-http-.patch
@@ -1,4 +1,3 @@
-From 4b3a1a47188c5df308d51048a8a0de630c45d12c Mon Sep 17 00:00:00 2001
From: "Richard W.M. Jones" <rjones@redhat.com>
Date: Fri, 29 Aug 2014 16:03:12 +0100
Subject: [PATCH] curl: Allow a cookie or cookies to be sent with http/https
diff --git a/0005-curl-Don-t-deref-NULL-pointer-in-call-to-aio_poll.patch b/0005-curl-Don-t-deref-NULL-pointer-in-call-to-aio_poll.patch
index ded64ae..b00a751 100644
--- a/0005-curl-Don-t-deref-NULL-pointer-in-call-to-aio_poll.patch
+++ b/0005-curl-Don-t-deref-NULL-pointer-in-call-to-aio_poll.patch
@@ -1,4 +1,3 @@
-From a1fd2da51b26f549d63000d3a81fbb70d7c40f4e Mon Sep 17 00:00:00 2001
From: "Richard W.M. Jones" <rjones@redhat.com>
Date: Thu, 28 Aug 2014 09:04:21 +0100
Subject: [PATCH] curl: Don't deref NULL pointer in call to aio_poll.
diff --git a/0006-virtio-pci-enable-bus-master-for-old-guests.patch b/0006-virtio-pci-enable-bus-master-for-old-guests.patch
index 9a203f8..24f54e8 100644
--- a/0006-virtio-pci-enable-bus-master-for-old-guests.patch
+++ b/0006-virtio-pci-enable-bus-master-for-old-guests.patch
@@ -1,4 +1,3 @@
-From a9862ff2c205aa289b62abcb7ddd03c7630f5c7a Mon Sep 17 00:00:00 2001
From: "Michael S. Tsirkin" <mst@redhat.com>
Date: Thu, 11 Sep 2014 18:45:33 +0200
Subject: [PATCH] virtio-pci: enable bus master for old guests
diff --git a/0007-virtio-pci-fix-migration-for-pci-bus-master.patch b/0007-virtio-pci-fix-migration-for-pci-bus-master.patch
index 5d37121..80e9c2e 100644
--- a/0007-virtio-pci-fix-migration-for-pci-bus-master.patch
+++ b/0007-virtio-pci-fix-migration-for-pci-bus-master.patch
@@ -1,4 +1,3 @@
-From 2c8d6826ebaf1bf846edd213f8fe8f95c0c300cb Mon Sep 17 00:00:00 2001
From: "Michael S. Tsirkin" <mst@redhat.com>
Date: Thu, 11 Sep 2014 18:34:29 +0300
Subject: [PATCH] virtio-pci: fix migration for pci bus master
diff --git a/0008-Revert-virtio-pci-fix-migration-for-pci-bus-master.patch b/0008-Revert-virtio-pci-fix-migration-for-pci-bus-master.patch
index c1b0103..8aa58fe 100644
--- a/0008-Revert-virtio-pci-fix-migration-for-pci-bus-master.patch
+++ b/0008-Revert-virtio-pci-fix-migration-for-pci-bus-master.patch
@@ -1,4 +1,3 @@
-From 9d8b817bfe327873c009fa4621c0308e7f3bc5de Mon Sep 17 00:00:00 2001
From: "Michael S. Tsirkin" <mst@redhat.com>
Date: Mon, 29 Sep 2014 11:27:32 +0300
Subject: [PATCH] Revert "virtio-pci: fix migration for pci bus master"
diff --git a/0009-vnc-sanitize-bits_per_pixel-from-the-client.patch b/0009-vnc-sanitize-bits_per_pixel-from-the-client.patch
new file mode 100644
index 0000000..a6caa18
--- /dev/null
+++ b/0009-vnc-sanitize-bits_per_pixel-from-the-client.patch
@@ -0,0 +1,45 @@
+From: Petr Matousek <pmatouse@redhat.com>
+Date: Mon, 27 Oct 2014 12:41:44 +0100
+Subject: [PATCH] vnc: sanitize bits_per_pixel from the client
+
+bits_per_pixel that are less than 8 could result in accessing
+non-initialized buffers later in the code due to the expectation
+that bytes_per_pixel value that is used to initialize these buffers is
+never zero.
+
+To fix this check that bits_per_pixel from the client is one of the
+values that the rfb protocol specification allows.
+
+This is CVE-2014-7815.
+
+Signed-off-by: Petr Matousek <pmatouse@redhat.com>
+
+[ kraxel: apply codestyle fix ]
+
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+(cherry picked from commit e6908bfe8e07f2b452e78e677da1b45b1c0f6829)
+---
+ ui/vnc.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/ui/vnc.c b/ui/vnc.c
+index f8d9b7d..87e34ae 100644
+--- a/ui/vnc.c
++++ b/ui/vnc.c
+@@ -2026,6 +2026,16 @@ static void set_pixel_format(VncState *vs,
+ return;
+ }
+
++ switch (bits_per_pixel) {
++ case 8:
++ case 16:
++ case 32:
++ break;
++ default:
++ vnc_client_error(vs);
++ return;
++ }
++
+ vs->client_pf.rmax = red_max;
+ vs->client_pf.rbits = hweight_long(red_max);
+ vs->client_pf.rshift = red_shift;
diff --git a/0010-vmware-vga-CVE-2014-3689-turn-off-hw-accel.patch b/0010-vmware-vga-CVE-2014-3689-turn-off-hw-accel.patch
new file mode 100644
index 0000000..31915be
--- /dev/null
+++ b/0010-vmware-vga-CVE-2014-3689-turn-off-hw-accel.patch
@@ -0,0 +1,34 @@
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Wed, 29 Oct 2014 12:56:06 +0100
+Subject: [PATCH] vmware-vga: CVE-2014-3689: turn off hw accel
+
+Quick & easy stopgap for CVE-2014-3689: We just compile out the
+hardware acceleration functions which lack sanity checks. Thankfully
+we have capability bits for them (SVGA_CAP_RECT_COPY and
+SVGA_CAP_RECT_FILL), so guests should deal just fine, in theory.
+
+Subsequent patches will add the missing checks and re-enable the
+hardware acceleration emulation.
+
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Reviewed-by: Don Koch <dkoch@verizon.com>
+---
+ hw/display/vmware_vga.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
+index 591b645..4a4229b 100644
+--- a/hw/display/vmware_vga.c
++++ b/hw/display/vmware_vga.c
+@@ -29,8 +29,10 @@
+ #include "hw/pci/pci.h"
+
+ #undef VERBOSE
++#if 0
+ #define HW_RECT_ACCEL
+ #define HW_FILL_ACCEL
++#endif
+ #define HW_MOUSE_ACCEL
+
+ #include "vga_int.h"
diff --git a/0011-vmware-vga-add-vmsvga_verify_rect.patch b/0011-vmware-vga-add-vmsvga_verify_rect.patch
new file mode 100644
index 0000000..a48878c
--- /dev/null
+++ b/0011-vmware-vga-add-vmsvga_verify_rect.patch
@@ -0,0 +1,79 @@
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Wed, 29 Oct 2014 12:56:07 +0100
+Subject: [PATCH] vmware-vga: add vmsvga_verify_rect
+
+Add verification function for rectangles, returning
+true if verification passes and false otherwise.
+
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Reviewed-by: Don Koch <dkoch@verizon.com>
+---
+ hw/display/vmware_vga.c | 53 ++++++++++++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 52 insertions(+), 1 deletion(-)
+
+diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
+index 4a4229b..f0e487f 100644
+--- a/hw/display/vmware_vga.c
++++ b/hw/display/vmware_vga.c
+@@ -294,8 +294,59 @@ enum {
+ SVGA_CURSOR_ON_RESTORE_TO_FB = 3,
+ };
+
++static inline bool vmsvga_verify_rect(DisplaySurface *surface,
++ const char *name,
++ int x, int y, int w, int h)
++{
++ if (x < 0) {
++ fprintf(stderr, "%s: x was < 0 (%d)\n", name, x);
++ return false;
++ }
++ if (x > SVGA_MAX_WIDTH) {
++ fprintf(stderr, "%s: x was > %d (%d)\n", name, SVGA_MAX_WIDTH, x);
++ return false;
++ }
++ if (w < 0) {
++ fprintf(stderr, "%s: w was < 0 (%d)\n", name, w);
++ return false;
++ }
++ if (w > SVGA_MAX_WIDTH) {
++ fprintf(stderr, "%s: w was > %d (%d)\n", name, SVGA_MAX_WIDTH, w);
++ return false;
++ }
++ if (x + w > surface_width(surface)) {
++ fprintf(stderr, "%s: width was > %d (x: %d, w: %d)\n",
++ name, surface_width(surface), x, w);
++ return false;
++ }
++
++ if (y < 0) {
++ fprintf(stderr, "%s: y was < 0 (%d)\n", name, y);
++ return false;
++ }
++ if (y > SVGA_MAX_HEIGHT) {
++ fprintf(stderr, "%s: y was > %d (%d)\n", name, SVGA_MAX_HEIGHT, y);
++ return false;
++ }
++ if (h < 0) {
++ fprintf(stderr, "%s: h was < 0 (%d)\n", name, h);
++ return false;
++ }
++ if (h > SVGA_MAX_HEIGHT) {
++ fprintf(stderr, "%s: h was > %d (%d)\n", name, SVGA_MAX_HEIGHT, h);
++ return false;
++ }
++ if (y + h > surface_height(surface)) {
++ fprintf(stderr, "%s: update height > %d (y: %d, h: %d)\n",
++ name, surface_height(surface), y, h);
++ return false;
++ }
++
++ return true;
++}
++
+ static inline void vmsvga_update_rect(struct vmsvga_state_s *s,
+- int x, int y, int w, int h)
++ int x, int y, int w, int h)
+ {
+ DisplaySurface *surface = qemu_console_surface(s->vga.con);
+ int line;
diff --git a/0012-vmware-vga-use-vmsvga_verify_rect-in-vmsvga_update_r.patch b/0012-vmware-vga-use-vmsvga_verify_rect-in-vmsvga_update_r.patch
new file mode 100644
index 0000000..0605011
--- /dev/null
+++ b/0012-vmware-vga-use-vmsvga_verify_rect-in-vmsvga_update_r.patch
@@ -0,0 +1,61 @@
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Wed, 29 Oct 2014 12:56:08 +0100
+Subject: [PATCH] vmware-vga: use vmsvga_verify_rect in vmsvga_update_rect
+
+Switch vmsvga_update_rect over to use vmsvga_verify_rect. Slight change
+in behavior: We don't try to automatically fixup rectangles any more.
+In case we find invalid update requests we'll do a full-screen update
+instead.
+
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Reviewed-by: Don Koch <dkoch@verizon.com>
+---
+ hw/display/vmware_vga.c | 32 ++++----------------------------
+ 1 file changed, 4 insertions(+), 28 deletions(-)
+
+diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
+index f0e487f..718746e 100644
+--- a/hw/display/vmware_vga.c
++++ b/hw/display/vmware_vga.c
+@@ -356,36 +356,12 @@ static inline void vmsvga_update_rect(struct vmsvga_state_s *s,
+ uint8_t *src;
+ uint8_t *dst;
+
+- if (x < 0) {
+- fprintf(stderr, "%s: update x was < 0 (%d)\n", __func__, x);
+- w += x;
++ if (!vmsvga_verify_rect(surface, __func__, x, y, w, h)) {
++ /* go for a fullscreen update as fallback */
+ x = 0;
+- }
+- if (w < 0) {
+- fprintf(stderr, "%s: update w was < 0 (%d)\n", __func__, w);
+- w = 0;
+- }
+- if (x + w > surface_width(surface)) {
+- fprintf(stderr, "%s: update width too large x: %d, w: %d\n",
+- __func__, x, w);
+- x = MIN(x, surface_width(surface));
+- w = surface_width(surface) - x;
+- }
+-
+- if (y < 0) {
+- fprintf(stderr, "%s: update y was < 0 (%d)\n", __func__, y);
+- h += y;
+ y = 0;
+- }
+- if (h < 0) {
+- fprintf(stderr, "%s: update h was < 0 (%d)\n", __func__, h);
+- h = 0;
+- }
+- if (y + h > surface_height(surface)) {
+- fprintf(stderr, "%s: update height too large y: %d, h: %d\n",
+- __func__, y, h);
+- y = MIN(y, surface_height(surface));
+- h = surface_height(surface) - y;
++ w = surface_width(surface);
++ h = surface_height(surface);
+ }
+
+ bypl = surface_stride(surface);
diff --git a/0013-vmware-vga-use-vmsvga_verify_rect-in-vmsvga_copy_rec.patch b/0013-vmware-vga-use-vmsvga_verify_rect-in-vmsvga_copy_rec.patch
new file mode 100644
index 0000000..a101aca
--- /dev/null
+++ b/0013-vmware-vga-use-vmsvga_verify_rect-in-vmsvga_copy_rec.patch
@@ -0,0 +1,75 @@
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Wed, 29 Oct 2014 12:56:09 +0100
+Subject: [PATCH] vmware-vga: use vmsvga_verify_rect in vmsvga_copy_rect
+
+Add verification to vmsvga_copy_rect, re-enable HW_RECT_ACCEL.
+
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Reviewed-by: Don Koch <dkoch@verizon.com>
+---
+ hw/display/vmware_vga.c | 20 ++++++++++++++------
+ 1 file changed, 14 insertions(+), 6 deletions(-)
+
+diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
+index 718746e..c2e0a43 100644
+--- a/hw/display/vmware_vga.c
++++ b/hw/display/vmware_vga.c
+@@ -29,8 +29,8 @@
+ #include "hw/pci/pci.h"
+
+ #undef VERBOSE
+-#if 0
+ #define HW_RECT_ACCEL
++#if 0
+ #define HW_FILL_ACCEL
+ #endif
+ #define HW_MOUSE_ACCEL
+@@ -406,7 +406,7 @@ static inline void vmsvga_update_rect_flush(struct vmsvga_state_s *s)
+ }
+
+ #ifdef HW_RECT_ACCEL
+-static inline void vmsvga_copy_rect(struct vmsvga_state_s *s,
++static inline int vmsvga_copy_rect(struct vmsvga_state_s *s,
+ int x0, int y0, int x1, int y1, int w, int h)
+ {
+ DisplaySurface *surface = qemu_console_surface(s->vga.con);
+@@ -417,6 +417,13 @@ static inline void vmsvga_copy_rect(struct vmsvga_state_s *s,
+ int line = h;
+ uint8_t *ptr[2];
+
++ if (!vmsvga_verify_rect(surface, "vmsvga_copy_rect/src", x0, y0, w, h)) {
++ return -1;
++ }
++ if (!vmsvga_verify_rect(surface, "vmsvga_copy_rect/dst", x1, y1, w, h)) {
++ return -1;
++ }
++
+ if (y1 > y0) {
+ ptr[0] = vram + bypp * x0 + bypl * (y0 + h - 1);
+ ptr[1] = vram + bypp * x1 + bypl * (y1 + h - 1);
+@@ -432,6 +439,7 @@ static inline void vmsvga_copy_rect(struct vmsvga_state_s *s,
+ }
+
+ vmsvga_update_rect_delayed(s, x1, y1, w, h);
++ return 0;
+ }
+ #endif
+
+@@ -625,12 +633,12 @@ static void vmsvga_fifo_run(struct vmsvga_state_s *s)
+ width = vmsvga_fifo_read(s);
+ height = vmsvga_fifo_read(s);
+ #ifdef HW_RECT_ACCEL
+- vmsvga_copy_rect(s, x, y, dx, dy, width, height);
+- break;
+-#else
++ if (vmsvga_copy_rect(s, x, y, dx, dy, width, height) == 0) {
++ break;
++ }
++#endif
+ args = 0;
+ goto badcmd;
+-#endif
+
+ case SVGA_CMD_DEFINE_CURSOR:
+ len -= 8;
diff --git a/0014-vmware-vga-use-vmsvga_verify_rect-in-vmsvga_fill_rec.patch b/0014-vmware-vga-use-vmsvga_verify_rect-in-vmsvga_fill_rec.patch
new file mode 100644
index 0000000..efd5ae3
--- /dev/null
+++ b/0014-vmware-vga-use-vmsvga_verify_rect-in-vmsvga_fill_rec.patch
@@ -0,0 +1,72 @@
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Wed, 29 Oct 2014 12:56:10 +0100
+Subject: [PATCH] vmware-vga: use vmsvga_verify_rect in vmsvga_fill_rect
+
+Add verification to vmsvga_fill_rect, re-enable HW_FILL_ACCEL.
+
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Reviewed-by: Don Koch <dkoch@verizon.com>
+---
+ hw/display/vmware_vga.c | 17 ++++++++++-------
+ 1 file changed, 10 insertions(+), 7 deletions(-)
+
+diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
+index c2e0a43..d44e3e8 100644
+--- a/hw/display/vmware_vga.c
++++ b/hw/display/vmware_vga.c
+@@ -30,9 +30,7 @@
+
+ #undef VERBOSE
+ #define HW_RECT_ACCEL
+-#if 0
+ #define HW_FILL_ACCEL
+-#endif
+ #define HW_MOUSE_ACCEL
+
+ #include "vga_int.h"
+@@ -444,7 +442,7 @@ static inline int vmsvga_copy_rect(struct vmsvga_state_s *s,
+ #endif
+
+ #ifdef HW_FILL_ACCEL
+-static inline void vmsvga_fill_rect(struct vmsvga_state_s *s,
++static inline int vmsvga_fill_rect(struct vmsvga_state_s *s,
+ uint32_t c, int x, int y, int w, int h)
+ {
+ DisplaySurface *surface = qemu_console_surface(s->vga.con);
+@@ -457,6 +455,10 @@ static inline void vmsvga_fill_rect(struct vmsvga_state_s *s,
+ uint8_t *src;
+ uint8_t col[4];
+
++ if (!vmsvga_verify_rect(surface, __func__, x, y, w, h)) {
++ return -1;
++ }
++
+ col[0] = c;
+ col[1] = c >> 8;
+ col[2] = c >> 16;
+@@ -481,6 +483,7 @@ static inline void vmsvga_fill_rect(struct vmsvga_state_s *s,
+ }
+
+ vmsvga_update_rect_delayed(s, x, y, w, h);
++ return 0;
+ }
+ #endif
+
+@@ -613,12 +616,12 @@ static void vmsvga_fifo_run(struct vmsvga_state_s *s)
+ width = vmsvga_fifo_read(s);
+ height = vmsvga_fifo_read(s);
+ #ifdef HW_FILL_ACCEL
+- vmsvga_fill_rect(s, colour, x, y, width, height);
+- break;
+-#else
++ if (vmsvga_fill_rect(s, colour, x, y, width, height) == 0) {
++ break;
++ }
++#endif
+ args = 0;
+ goto badcmd;
+-#endif
+
+ case SVGA_CMD_RECT_COPY:
+ len -= 7;
diff --git a/qemu.spec b/qemu.spec
index ede4e63..89d34f3 100644
--- a/qemu.spec
+++ b/qemu.spec
@@ -152,7 +152,7 @@
Summary: QEMU is a FAST! processor emulator
Name: qemu
Version: 2.1.2
-Release: 5%{?dist}
+Release: 6%{?dist}
Epoch: 2
License: GPLv2+ and LGPLv2+ and BSD
Group: Development/Tools
@@ -204,6 +204,16 @@ Patch0006: 0006-virtio-pci-enable-bus-master-for-old-guests.patch
Patch0007: 0007-virtio-pci-fix-migration-for-pci-bus-master.patch
# Fix PPC virtio regression (bz #1144490)
Patch0008: 0008-Revert-virtio-pci-fix-migration-for-pci-bus-master.patch
+# CVE-2014-7815 vnc: insufficient bits_per_pixel from the client
+# sanitization (bz #1157647, bz #1157641)
+Patch0009: 0009-vnc-sanitize-bits_per_pixel-from-the-client.patch
+# CVE-2014-3689 vmware_vga: insufficient parameter validation in
+# rectangle functions (bz #1153038, bz #1153035)
+Patch0010: 0010-vmware-vga-CVE-2014-3689-turn-off-hw-accel.patch
+Patch0011: 0011-vmware-vga-add-vmsvga_verify_rect.patch
+Patch0012: 0012-vmware-vga-use-vmsvga_verify_rect-in-vmsvga_update_r.patch
+Patch0013: 0013-vmware-vga-use-vmsvga_verify_rect-in-vmsvga_copy_rec.patch
+Patch0014: 0014-vmware-vga-use-vmsvga_verify_rect-in-vmsvga_fill_rec.patch
BuildRequires: SDL2-devel
BuildRequires: zlib-devel
@@ -742,6 +752,16 @@ CAC emulation development files.
%patch0007 -p1
# Fix PPC virtio regression (bz #1144490)
%patch0008 -p1
+# CVE-2014-7815 vnc: insufficient bits_per_pixel from the client
+# sanitization (bz #1157647, bz #1157641)
+%patch0009 -p1
+# CVE-2014-3689 vmware_vga: insufficient parameter validation in
+# rectangle functions (bz #1153038, bz #1153035)
+%patch0010 -p1
+%patch0011 -p1
+%patch0012 -p1
+%patch0013 -p1
+%patch0014 -p1
%build
@@ -1521,6 +1541,12 @@ getent passwd qemu >/dev/null || \
%endif
%changelog
+* Wed Oct 29 2014 Cole Robinson <crobinso@redhat.com> - 2:2.1.2-6
+- CVE-2014-7815 vnc: insufficient bits_per_pixel from the client sanitization
+ (bz #1157647, bz #1157641)
+- CVE-2014-3689 vmware_vga: insufficient parameter validation in rectangle
+ functions (bz #1153038, bz #1153035)
+
* Fri Oct 24 2014 Danel P. Berrange <berrange@redhat.com> - 2:2.1.2-5
- Fix dep on numactl-devel to be build time not install time