diff --git a/SOURCES/0003-Fix-CVE-2017-8386.patch b/SOURCES/0003-Fix-CVE-2017-8386.patch
new file mode 100644
index 0000000..6005dc9
--- /dev/null
+++ b/SOURCES/0003-Fix-CVE-2017-8386.patch
@@ -0,0 +1,74 @@
+From 3ec804490a265f4c418a321428c12f3f18b7eff5 Mon Sep 17 00:00:00 2001
+From: Jeff King <peff@peff.net>
+Date: Sat, 29 Apr 2017 08:36:44 -0400
+Subject: [PATCH] shell: disallow repo names beginning with dash
+
+When a remote server uses git-shell, the client side will
+connect to it like:
+
+  ssh server "git-upload-pack 'foo.git'"
+
+and we literally exec ("git-upload-pack", "foo.git"). In
+early versions of upload-pack and receive-pack, we took a
+repository argument and nothing else. But over time they
+learned to accept dashed options. If the user passes a
+repository name that starts with a dash, the results are
+confusing at best (we complain of a bogus option instead of
+a non-existent repository) and malicious at worst (the user
+can start an interactive pager via "--help").
+
+We could pass "--" to the sub-process to make sure the
+user's argument is interpreted as a branch name. I.e.:
+
+  git-upload-pack -- -foo.git
+
+But adding "--" automatically would make us inconsistent
+with a normal shell (i.e., when git-shell is not in use),
+where "-foo.git" would still be an error. For that case, the
+client would have to specify the "--", but they can't do so
+reliably, as existing versions of git-shell do not allow
+more than a single argument.
+
+The simplest thing is to simply disallow "-" at the start of
+the repo name argument. This hasn't worked either with or
+without git-shell since version 1.0.0, and nobody has
+complained.
+
+Note that this patch just applies to do_generic_cmd(), which
+runs upload-pack, receive-pack, and upload-archive. There
+are two other types of commands that git-shell runs:
+
+  - do_cvs_cmd(), but this already restricts the argument to
+    be the literal string "server"
+
+  - admin-provided commands in the git-shell-commands
+    directory. We'll pass along arbitrary arguments there,
+    so these commands could have similar problems. But these
+    commands might actually understand dashed arguments, so
+    we cannot just block them here. It's up to the writer of
+    the commands to make sure they are safe. With great
+    power comes great responsibility.
+
+Reported-by: Timo Schmid <tschmid@ernw.de>
+Signed-off-by: Jeff King <peff@peff.net>
+Signed-off-by: Junio C Hamano <gitster@pobox.com>
+---
+ shell.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/shell.c b/shell.c
+index ace62e4..c3bf8ec 100644
+--- a/shell.c
++++ b/shell.c
+@@ -13,7 +13,7 @@ static int do_generic_cmd(const char *me, char *arg)
+ 	const char *my_argv[4];
+ 
+ 	setup_path();
+-	if (!arg || !(arg = sq_dequote(arg)))
++	if (!arg || !(arg = sq_dequote(arg)) || *arg == '-')
+ 		die("bad argument");
+ 	if (!starts_with(me, "git-"))
+ 		die("bad command");
+-- 
+2.9.4
+
diff --git a/SOURCES/git-cve-2017-1000117.patch b/SOURCES/git-cve-2017-1000117.patch
new file mode 100644
index 0000000..8407276
--- /dev/null
+++ b/SOURCES/git-cve-2017-1000117.patch
@@ -0,0 +1,149 @@
+diff --git a/cache.h b/cache.h
+index 1a2cec0b8..b9fc3a8e3 100644
+--- a/cache.h
++++ b/cache.h
+@@ -991,6 +991,14 @@ char *strip_path_suffix(const char *path, const char *suffix);
+ int daemon_avoid_alias(const char *path);
+ extern int is_ntfs_dotgit(const char *name);
+ 
++/*
++ * Returns true iff "str" could be confused as a command-line option when
++ * passed to a sub-program like "ssh". Note that this has nothing to do with
++ * shell-quoting, which should be handled separately; we're assuming here that
++ * the string makes it verbatim to the sub-program.
++ */
++int looks_like_command_line_option(const char *str);
++
+ /**
+  * Return a newly allocated string with the evaluation of
+  * "$XDG_CONFIG_HOME/git/$filename" if $XDG_CONFIG_HOME is non-empty, otherwise
+diff --git a/connect.c b/connect.c
+index fd7ffe184..d77d39771 100644
+--- a/connect.c
++++ b/connect.c
+@@ -553,6 +553,11 @@ static struct child_process *git_proxy_connect(int fd[2], char *host)
+ 
+ 	get_host_and_port(&host, &port);
+ 
++	if (looks_like_command_line_option(host))
++		die("strange hostname '%s' blocked", host);
++	if (looks_like_command_line_option(port))
++		die("strange port '%s' blocked", port);
++
+ 	proxy = xmalloc(sizeof(*proxy));
+ 	child_process_init(proxy);
+ 	argv_array_push(&proxy->args, git_proxy_command);
+@@ -722,6 +727,9 @@ struct child_process *git_connect(int fd[2], const char *url,
+ 		conn = xmalloc(sizeof(*conn));
+ 		child_process_init(conn);
+ 
++		if (looks_like_command_line_option(path))
++			die("strange pathname '%s' blocked", path);
++
+ 		strbuf_addstr(&cmd, prog);
+ 		strbuf_addch(&cmd, ' ');
+ 		sq_quote_buf(&cmd, path);
+@@ -754,6 +762,9 @@ struct child_process *git_connect(int fd[2], const char *url,
+ 				return NULL;
+ 			}
+ 
++			if (looks_like_command_line_option(ssh_host))
++				die("strange hostname '%s' blocked", ssh_host);
++
+ 			ssh = getenv("GIT_SSH_COMMAND");
+ 			if (!ssh) {
+ 				const char *base;
+diff --git a/path.c b/path.c
+index 8b7e16812..b214ac3fe 100644
+--- a/path.c
++++ b/path.c
+@@ -1178,6 +1178,11 @@ int is_ntfs_dotgit(const char *name)
+ 		}
+ }
+ 
++int looks_like_command_line_option(const char *str)
++{
++	return str && str[0] == '-';
++}
++
+ char *xdg_config_home(const char *filename)
+ {
+ 	const char *home, *config_home;
+diff --git a/t/t5532-fetch-proxy.sh b/t/t5532-fetch-proxy.sh
+index 5531bd1af..d3b2651b6 100755
+--- a/t/t5532-fetch-proxy.sh
++++ b/t/t5532-fetch-proxy.sh
+@@ -40,4 +40,9 @@ test_expect_success 'fetch through proxy works' '
+ 	test_cmp expect actual
+ '
+ 
++test_expect_success 'funny hostnames are rejected before running proxy' '
++	test_must_fail git fetch git://-remote/repo.git 2>stderr &&
++	! grep "proxying for" stderr
++'
++
+ test_done
+diff --git a/t/t5810-proto-disable-local.sh b/t/t5810-proto-disable-local.sh
+index 563592d8a..c1ef99b85 100755
+--- a/t/t5810-proto-disable-local.sh
++++ b/t/t5810-proto-disable-local.sh
+@@ -11,4 +11,27 @@ test_expect_success 'setup repository to clone' '
+ test_proto "file://" file "file://$PWD"
+ test_proto "path" file .
+ 
++test_expect_success 'setup repo with dash' '
++	git init --bare repo.git &&
++	git push repo.git HEAD &&
++	mv repo.git "$PWD/-repo.git"
++'
++
++# This will fail even without our rejection because upload-pack will
++# complain about the bogus option. So let's make sure that GIT_TRACE
++# doesn't show us even running upload-pack.
++#
++# We must also be sure to use "fetch" and not "clone" here, as the latter
++# actually canonicalizes our input into an absolute path (which is fine
++# to allow).
++test_expect_success 'repo names starting with dash are rejected' '
++	rm -f trace.out &&
++	test_must_fail env GIT_TRACE="$PWD/trace.out" git fetch -- -repo.git &&
++	! grep upload-pack trace.out
++'
++
++test_expect_success 'full paths still work' '
++	git fetch "$PWD/-repo.git"
++'
++
+ test_done
+diff --git a/t/t5813-proto-disable-ssh.sh b/t/t5813-proto-disable-ssh.sh
+index a954ead8a..3f084ee30 100755
+--- a/t/t5813-proto-disable-ssh.sh
++++ b/t/t5813-proto-disable-ssh.sh
+@@ -17,4 +17,27 @@ test_proto "host:path" ssh "remote:repo.git"
+ test_proto "ssh://" ssh "ssh://remote$PWD/remote/repo.git"
+ test_proto "git+ssh://" ssh "git+ssh://remote$PWD/remote/repo.git"
+ 
++# Don't even bother setting up a "-remote" directory, as ssh would generally
++# complain about the bogus option rather than completing our request. Our
++# fake wrapper actually _can_ handle this case, but it's more robust to
++# simply confirm from its output that it did not run at all.
++test_expect_success 'hostnames starting with dash are rejected' '
++	test_must_fail git clone ssh://-remote/repo.git dash-host 2>stderr &&
++	! grep ^ssh: stderr
++'
++
++test_expect_success 'setup repo with dash' '
++	git init --bare remote/-repo.git &&
++	git push remote/-repo.git HEAD
++'
++
++test_expect_success 'repo names starting with dash are rejected' '
++	test_must_fail git clone remote:-repo.git dash-path 2>stderr &&
++	! grep ^ssh: stderr
++'
++
++test_expect_success 'full paths still work' '
++	git clone "remote:$PWD/remote/-repo.git" dash-path
++'
++
+ test_done
diff --git a/SPECS/git.spec b/SPECS/git.spec
index a41999c..ea2da9a 100644
--- a/SPECS/git.spec
+++ b/SPECS/git.spec
@@ -71,7 +71,7 @@
 
 Name:           %{?scl_prefix}git
 Version:        2.9.3
-Release:        2%{?dist}
+Release:        3%{?dist}
 Summary:        Fast Version Control System
 License:        GPLv2
 Group:          Development/Tools
@@ -115,6 +115,10 @@ Patch4:         0001-http-control-GSSAPI-credential-delegation.patch
 Patch5:         0001-Add-test-for-ls-tree-with-broken-symlink-under-refs-.patch
 Patch6:         0002-resolve_ref_unsafe-limit-the-number-of-stat_ref-retr.patch
 
+# CVE
+Patch7:         0003-Fix-CVE-2017-8386.patch
+Patch8:         git-cve-2017-1000117.patch
+
 BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
 %if ! %{use_prebuilt_docs} && ! 0%{?_without_docs}
@@ -454,6 +458,8 @@ rm -rf "$gpghome" # Cleanup tmp gpg home dir
 %patch4 -p1
 %patch5 -p1
 %patch6 -p1
+%patch7 -p1
+%patch8 -p1
 
 %if %{use_prebuilt_docs}
 mkdir -p prebuilt_docs/{html,man}
@@ -864,6 +870,11 @@ rm -rf %{buildroot}
 # No files for you!
 
 %changelog
+* Fri Aug 11 2017 Petr Stodulka <pstodulk@redhat.com> - 2.9.3-3
+- prevent command injection via malicious ssh URLs
+- dissalow repo names beginning with dash
+  Resolves: CVE-2017-8386 CVE-2017-1000117
+
 * Fri Oct 14 2016 Petr Stodulka <pstodulk@redhat.com> - 2.9.3-2
 - fix infinite loop of "git ls-tree" on broken symlink
   Resolves: #1204191