diff --git a/0003-net-vmxnet3-avoid-memory-leakage-in-activate_device.patch b/0003-net-vmxnet3-avoid-memory-leakage-in-activate_device.patch
new file mode 100644
index 0000000..518faf7
--- /dev/null
+++ b/0003-net-vmxnet3-avoid-memory-leakage-in-activate_device.patch
@@ -0,0 +1,90 @@
+From: P J P <ppandit@redhat.com>
+Date: Tue, 15 Dec 2015 12:27:54 +0530
+Subject: [PATCH] net: vmxnet3: avoid memory leakage in activate_device
+
+Vmxnet3 device emulator does not check if the device is active
+before activating it, also it did not free the transmit & receive
+buffers while deactivating the device, thus resulting in memory
+leakage on the host. This patch fixes both these issues to avoid
+host memory leakage.
+
+Reported-by: Qinghao Tang <luodalongde@gmail.com>
+Reviewed-by: Dmitry Fleytman <dmitry@daynix.com>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+(cherry picked from commit aa4a3dce1c88ed51b616806b8214b7c8428b7470)
+---
+ hw/net/vmxnet3.c | 24 ++++++++++++++++--------
+ 1 file changed, 16 insertions(+), 8 deletions(-)
+
+diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c
+index 37373e5..2b4aad7 100644
+--- a/hw/net/vmxnet3.c
++++ b/hw/net/vmxnet3.c
+@@ -1194,8 +1194,13 @@ static void vmxnet3_reset_mac(VMXNET3State *s)
+ 
+ static void vmxnet3_deactivate_device(VMXNET3State *s)
+ {
+-    VMW_CBPRN("Deactivating vmxnet3...");
+-    s->device_active = false;
++    if (s->device_active) {
++        VMW_CBPRN("Deactivating vmxnet3...");
++        vmxnet_tx_pkt_reset(s->tx_pkt);
++        vmxnet_tx_pkt_uninit(s->tx_pkt);
++        vmxnet_rx_pkt_uninit(s->rx_pkt);
++        s->device_active = false;
++    }
+ }
+ 
+ static void vmxnet3_reset(VMXNET3State *s)
+@@ -1204,7 +1209,6 @@ static void vmxnet3_reset(VMXNET3State *s)
+ 
+     vmxnet3_deactivate_device(s);
+     vmxnet3_reset_interrupt_states(s);
+-    vmxnet_tx_pkt_reset(s->tx_pkt);
+     s->drv_shmem = 0;
+     s->tx_sop = true;
+     s->skip_current_tx_pkt = false;
+@@ -1431,6 +1435,12 @@ static void vmxnet3_activate_device(VMXNET3State *s)
+         return;
+     }
+ 
++    /* Verify if device is active */
++    if (s->device_active) {
++        VMW_CFPRN("Vmxnet3 device is active");
++        return;
++    }
++
+     vmxnet3_adjust_by_guest_type(s);
+     vmxnet3_update_features(s);
+     vmxnet3_update_pm_state(s);
+@@ -1627,7 +1637,7 @@ static void vmxnet3_handle_command(VMXNET3State *s, uint64_t cmd)
+         break;
+ 
+     case VMXNET3_CMD_QUIESCE_DEV:
+-        VMW_CBPRN("Set: VMXNET3_CMD_QUIESCE_DEV - pause the device");
++        VMW_CBPRN("Set: VMXNET3_CMD_QUIESCE_DEV - deactivate the device");
+         vmxnet3_deactivate_device(s);
+         break;
+ 
+@@ -1741,7 +1751,7 @@ vmxnet3_io_bar1_write(void *opaque,
+          * shared address only after we get the high part
+          */
+         if (val == 0) {
+-            s->device_active = false;
++            vmxnet3_deactivate_device(s);
+         }
+         s->temp_shared_guest_driver_memory = val;
+         s->drv_shmem = 0;
+@@ -2021,9 +2031,7 @@ static bool vmxnet3_peer_has_vnet_hdr(VMXNET3State *s)
+ static void vmxnet3_net_uninit(VMXNET3State *s)
+ {
+     g_free(s->mcast_list);
+-    vmxnet_tx_pkt_reset(s->tx_pkt);
+-    vmxnet_tx_pkt_uninit(s->tx_pkt);
+-    vmxnet_rx_pkt_uninit(s->rx_pkt);
++    vmxnet3_deactivate_device(s);
+     qemu_del_nic(s->nic);
+ }
+ 
diff --git a/0004-i386-avoid-null-pointer-dereference.patch b/0004-i386-avoid-null-pointer-dereference.patch
new file mode 100644
index 0000000..17b2c5c
--- /dev/null
+++ b/0004-i386-avoid-null-pointer-dereference.patch
@@ -0,0 +1,62 @@
+From: P J P <ppandit@redhat.com>
+Date: Fri, 18 Dec 2015 11:35:07 +0530
+Subject: [PATCH] i386: avoid null pointer dereference
+
+    Hello,
+
+A null pointer dereference issue was reported by Mr Ling Liu, CC'd here. It
+occurs while doing I/O port write operations via hmp interface. In that,
+'current_cpu' remains null as it is not called from cpu_exec loop, which
+results in the said issue.
+
+Below is a proposed (tested)patch to fix this issue; Does it look okay?
+
+===
+From ae88a4947fab9a148cd794f8ad2d812e7f5a1d0f Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Fri, 18 Dec 2015 11:16:07 +0530
+Subject: [PATCH] i386: avoid null pointer dereference
+
+When I/O port write operation is called from hmp interface,
+'current_cpu' remains null, as it is not called from cpu_exec()
+loop. This leads to a null pointer dereference in vapic_write
+routine. Add check to avoid it.
+
+Reported-by: Ling Liu <liuling-it@360.cn>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Message-Id: <alpine.LFD.2.20.1512181129320.9805@wniryva>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: P J P <ppandit@redhat.com>
+(cherry picked from commit 4c1396cb576c9b14425558b73de1584c7a9735d7)
+---
+ hw/i386/kvmvapic.c | 15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+
+diff --git a/hw/i386/kvmvapic.c b/hw/i386/kvmvapic.c
+index c6d34b2..f0922da 100644
+--- a/hw/i386/kvmvapic.c
++++ b/hw/i386/kvmvapic.c
+@@ -634,13 +634,18 @@ static int vapic_prepare(VAPICROMState *s)
+ static void vapic_write(void *opaque, hwaddr addr, uint64_t data,
+                         unsigned int size)
+ {
+-    CPUState *cs = current_cpu;
+-    X86CPU *cpu = X86_CPU(cs);
+-    CPUX86State *env = &cpu->env;
+-    hwaddr rom_paddr;
+     VAPICROMState *s = opaque;
++    X86CPU *cpu;
++    CPUX86State *env;
++    hwaddr rom_paddr;
+ 
+-    cpu_synchronize_state(cs);
++    if (!current_cpu) {
++        return;
++    }
++
++    cpu_synchronize_state(current_cpu);
++    cpu = X86_CPU(current_cpu);
++    env = &cpu->env;
+ 
+     /*
+      * The VAPIC supports two PIO-based hypercalls, both via port 0x7E.
diff --git a/0005-scsi-initialise-info-object-with-appropriate-size.patch b/0005-scsi-initialise-info-object-with-appropriate-size.patch
new file mode 100644
index 0000000..2d5605c
--- /dev/null
+++ b/0005-scsi-initialise-info-object-with-appropriate-size.patch
@@ -0,0 +1,32 @@
+From: P J P <ppandit@redhat.com>
+Date: Mon, 21 Dec 2015 15:13:13 +0530
+Subject: [PATCH] scsi: initialise info object with appropriate size
+
+While processing controller 'CTRL_GET_INFO' command, the routine
+'megasas_ctrl_get_info' overflows the '&info' object size. Use its
+appropriate size to null initialise it.
+
+Reported-by: Qinghao Tang <luodalongde@gmail.com>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Message-Id: <alpine.LFD.2.20.1512211501420.22471@wniryva>
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: P J P <ppandit@redhat.com>
+(cherry picked from commit 36fef36b91f7ec0435215860f1458b5342ce2811)
+---
+ hw/scsi/megasas.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
+index d7dc667..576f56c 100644
+--- a/hw/scsi/megasas.c
++++ b/hw/scsi/megasas.c
+@@ -718,7 +718,7 @@ static int megasas_ctrl_get_info(MegasasState *s, MegasasCmd *cmd)
+     BusChild *kid;
+     int num_pd_disks = 0;
+ 
+-    memset(&info, 0x0, cmd->iov_size);
++    memset(&info, 0x0, dcmd_size);
+     if (cmd->iov_size < dcmd_size) {
+         trace_megasas_dcmd_invalid_xfer_len(cmd->index, cmd->iov_size,
+                                             dcmd_size);
diff --git a/0006-net-rocker-fix-an-incorrect-array-bounds-check.patch b/0006-net-rocker-fix-an-incorrect-array-bounds-check.patch
new file mode 100644
index 0000000..6701693
--- /dev/null
+++ b/0006-net-rocker-fix-an-incorrect-array-bounds-check.patch
@@ -0,0 +1,44 @@
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Mon, 28 Dec 2015 16:24:08 +0530
+Subject: [PATCH] net: rocker: fix an incorrect array bounds check
+
+While processing transmit(tx) descriptors in 'tx_consume' routine
+the switch emulator suffers from an off-by-one error, if a
+descriptor was to have more than allowed(ROCKER_TX_FRAGS_MAX=16)
+fragments. Fix an incorrect bounds check to avoid it.
+
+Reported-by: Qinghao Tang <luodalongde@gmail.com>
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+(cherry picked from commit 007cd223de527b5f41278f2d886c1a4beb3e67aa)
+---
+ hw/net/rocker/rocker.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/hw/net/rocker/rocker.c b/hw/net/rocker/rocker.c
+index c57f1a6..2e77e50 100644
+--- a/hw/net/rocker/rocker.c
++++ b/hw/net/rocker/rocker.c
+@@ -232,6 +232,9 @@ static int tx_consume(Rocker *r, DescInfo *info)
+         frag_addr = rocker_tlv_get_le64(tlvs[ROCKER_TLV_TX_FRAG_ATTR_ADDR]);
+         frag_len = rocker_tlv_get_le16(tlvs[ROCKER_TLV_TX_FRAG_ATTR_LEN]);
+ 
++        if (iovcnt >= ROCKER_TX_FRAGS_MAX) {
++            goto err_too_many_frags;
++        }
+         iov[iovcnt].iov_len = frag_len;
+         iov[iovcnt].iov_base = g_malloc(frag_len);
+         if (!iov[iovcnt].iov_base) {
+@@ -244,10 +247,7 @@ static int tx_consume(Rocker *r, DescInfo *info)
+             err = -ROCKER_ENXIO;
+             goto err_bad_io;
+         }
+-
+-        if (++iovcnt > ROCKER_TX_FRAGS_MAX) {
+-            goto err_too_many_frags;
+-        }
++        iovcnt++;
+     }
+ 
+     if (iovcnt) {
diff --git a/0007-net-ne2000-fix-bounds-check-in-ioport-operations.patch b/0007-net-ne2000-fix-bounds-check-in-ioport-operations.patch
new file mode 100644
index 0000000..fcd93bc
--- /dev/null
+++ b/0007-net-ne2000-fix-bounds-check-in-ioport-operations.patch
@@ -0,0 +1,45 @@
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Thu, 31 Dec 2015 17:05:27 +0530
+Subject: [PATCH] net: ne2000: fix bounds check in ioport operations
+
+While doing ioport r/w operations, ne2000 device emulation suffers
+from OOB r/w errors. Update respective array bounds check to avoid
+OOB access.
+
+Reported-by: Ling Liu <liuling-it@360.cn>
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+(cherry picked from commit aa7f9966dfdff500bbbf1956d9e115b1fa8987a6)
+---
+ hw/net/ne2000.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/hw/net/ne2000.c b/hw/net/ne2000.c
+index 010f9ef..a3dffff 100644
+--- a/hw/net/ne2000.c
++++ b/hw/net/ne2000.c
+@@ -467,8 +467,9 @@ static inline void ne2000_mem_writel(NE2000State *s, uint32_t addr,
+                                      uint32_t val)
+ {
+     addr &= ~1; /* XXX: check exact behaviour if not even */
+-    if (addr < 32 ||
+-        (addr >= NE2000_PMEM_START && addr < NE2000_MEM_SIZE)) {
++    if (addr < 32
++        || (addr >= NE2000_PMEM_START
++            && addr + sizeof(uint32_t) <= NE2000_MEM_SIZE)) {
+         stl_le_p(s->mem + addr, val);
+     }
+ }
+@@ -497,8 +498,9 @@ static inline uint32_t ne2000_mem_readw(NE2000State *s, uint32_t addr)
+ static inline uint32_t ne2000_mem_readl(NE2000State *s, uint32_t addr)
+ {
+     addr &= ~1; /* XXX: check exact behaviour if not even */
+-    if (addr < 32 ||
+-        (addr >= NE2000_PMEM_START && addr < NE2000_MEM_SIZE)) {
++    if (addr < 32
++        || (addr >= NE2000_PMEM_START
++            && addr + sizeof(uint32_t) <= NE2000_MEM_SIZE)) {
+         return ldl_le_p(s->mem + addr);
+     } else {
+         return 0xffffffff;
diff --git a/0008-ide-ahci-reset-ncq-object-to-unused-on-error.patch b/0008-ide-ahci-reset-ncq-object-to-unused-on-error.patch
new file mode 100644
index 0000000..865e17a
--- /dev/null
+++ b/0008-ide-ahci-reset-ncq-object-to-unused-on-error.patch
@@ -0,0 +1,36 @@
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Mon, 11 Jan 2016 14:10:42 -0500
+Subject: [PATCH] ide: ahci: reset ncq object to unused on error
+
+When processing NCQ commands, AHCI device emulation prepares a
+NCQ transfer object; To which an aio control block(aiocb) object
+is assigned in 'execute_ncq_command'. In case, when the NCQ
+command is invalid, the 'aiocb' object is not assigned, and NCQ
+transfer object is left as 'used'. This leads to a use after
+free kind of error in 'bdrv_aio_cancel_async' via 'ahci_reset_port'.
+Reset NCQ transfer object to 'unused' to avoid it.
+
+[Maintainer edit: s/ACHI/AHCI/ in the commit message. --js]
+
+Reported-by: Qinghao Tang <luodalongde@gmail.com>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Reviewed-by: John Snow <jsnow@redhat.com>
+Message-id: 1452282511-4116-1-git-send-email-ppandit@redhat.com
+Signed-off-by: John Snow <jsnow@redhat.com>
+(cherry picked from commit 4ab0359a8ae182a7ac5c99609667273167703fab)
+---
+ hw/ide/ahci.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/hw/ide/ahci.c b/hw/ide/ahci.c
+index dd1912e..17f1cbd 100644
+--- a/hw/ide/ahci.c
++++ b/hw/ide/ahci.c
+@@ -910,6 +910,7 @@ static void ncq_err(NCQTransferState *ncq_tfs)
+     ide_state->error = ABRT_ERR;
+     ide_state->status = READY_STAT | ERR_STAT;
+     ncq_tfs->drive->port_regs.scr_err |= (1 << ncq_tfs->tag);
++    ncq_tfs->used = 0;
+ }
+ 
+ static void ncq_finish(NCQTransferState *ncq_tfs)
diff --git a/kvm.conf b/kvm.conf
index 594b2f1..84885e9 100644
--- a/kvm.conf
+++ b/kvm.conf
@@ -7,6 +7,5 @@
 ### Set these options to enable nested virtualization
 ###
 
-#option kvm_intel nested=1
-#option kvm_amd nested=1
-
+#options kvm_intel nested=1
+#options kvm_amd nested=1
diff --git a/qemu.spec b/qemu.spec
index aa553e2..f6895dc 100644
--- a/qemu.spec
+++ b/qemu.spec
@@ -40,7 +40,7 @@
 Summary: QEMU is a FAST! processor emulator
 Name: qemu
 Version: 2.5.0
-Release: 3%{?dist}
+Release: 4%{?dist}
 Epoch: 2
 License: GPLv2+ and LGPLv2+ and BSD
 Group: Development/Tools
@@ -75,6 +75,19 @@ Source20: kvm.conf
 Patch0001: 0001-virtio-9p-use-accessor-to-get-thread_pool.patch
 # CVE-2015-8558: DoS by infinite loop in ehci_advance_state (bz #1291309)
 Patch0002: 0002-ehci-make-idt-processing-more-robust.patch
+# CVE-2015-8567: net: vmxnet3: host memory leakage (bz #1289818)
+Patch0003: 0003-net-vmxnet3-avoid-memory-leakage-in-activate_device.patch
+# CVE-2016-1922: i386: avoid null pointer dereference (bz #1292766)
+Patch0004: 0004-i386-avoid-null-pointer-dereference.patch
+# CVE-2015-8613: buffer overflow in megasas_ctrl_get_info (bz #1284008)
+Patch0005: 0005-scsi-initialise-info-object-with-appropriate-size.patch
+# CVE-2015-8701: Buffer overflow in tx_consume in rocker.c (bz #1293720)
+Patch0006: 0006-net-rocker-fix-an-incorrect-array-bounds-check.patch
+# CVE-2015-8743: ne2000: OOB memory access in ioport r/w functions (bz
+# #1294787)
+Patch0007: 0007-net-ne2000-fix-bounds-check-in-ioport-operations.patch
+# CVE-2016-1568: Use-after-free vulnerability in ahci (bz #1297023)
+Patch0008: 0008-ide-ahci-reset-ncq-object-to-unused-on-error.patch
 
 BuildRequires: SDL2-devel
 BuildRequires: zlib-devel
@@ -1169,6 +1182,16 @@ getent passwd qemu >/dev/null || \
 
 
 %changelog
+* Wed Jan 20 2016 Cole Robinson <crobinso@redhat.com> - 2:2.5.0-4
+- CVE-2015-8567: net: vmxnet3: host memory leakage (bz #1289818)
+- CVE-2016-1922: i386: avoid null pointer dereference (bz #1292766)
+- CVE-2015-8613: buffer overflow in megasas_ctrl_get_info (bz #1284008)
+- CVE-2015-8701: Buffer overflow in tx_consume in rocker.c (bz #1293720)
+- CVE-2015-8743: ne2000: OOB memory access in ioport r/w functions (bz
+  #1294787)
+- CVE-2016-1568: Use-after-free vulnerability in ahci (bz #1297023)
+- Fix modules.d/kvm.conf example syntax (bz #1298823)
+
 * Sat Jan 09 2016 Cole Robinson <crobinso@redhat.com> - 2:2.5.0-3
 - Fix virtio 9p thread pool usage
 - CVE-2015-8558: DoS by infinite loop in ehci_advance_state (bz #1291309)