diff --git a/SOURCES/0113-SBUS-defer-deallocation-of-sbus_watch_ctx.patch b/SOURCES/0113-SBUS-defer-deallocation-of-sbus_watch_ctx.patch
new file mode 100644
index 0000000..eacb658
--- /dev/null
+++ b/SOURCES/0113-SBUS-defer-deallocation-of-sbus_watch_ctx.patch
@@ -0,0 +1,89 @@
+From f845355e32127c5e8f2bf700cdaa5b8721804232 Mon Sep 17 00:00:00 2001
+From: Alexey Tikhonov <atikhono@redhat.com>
+Date: Fri, 8 Nov 2019 20:01:50 +0100
+Subject: [PATCH] SBUS: defer deallocation of sbus_watch_ctx
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The following flow was causing use-after-free error:
+  tevent_common_invoke_fd_handler(RW) -> sbus_watch_handler(RW) ->
+  dbus_watch_handle(R) -> ...libdbus detects connection is closed... ->
+  sbus_remove_watch() -> talloc_free(watch) ->
+  ... get back to libdbus and back to sbus_watch_handler() ->
+  "if (watch->dbus_write_watch) dbus_watch_handle(W)" => use-after-free
+
+To resolve an issue schedule deallocation of watch as immediate event.
+
+Resolves: https://pagure.io/SSSD/sssd/issue/2660
+
+Reviewed-by: Pavel Březina <pbrezina@redhat.com>
+---
+ src/sbus/sssd_dbus_common.c  | 24 +++++++++++++++++++++++-
+ src/sbus/sssd_dbus_private.h |  1 +
+ 2 files changed, 24 insertions(+), 1 deletion(-)
+
+diff --git a/src/sbus/sssd_dbus_common.c b/src/sbus/sssd_dbus_common.c
+index 50100320a..dbdcae9ec 100644
+--- a/src/sbus/sssd_dbus_common.c
++++ b/src/sbus/sssd_dbus_common.c
+@@ -133,6 +133,12 @@ dbus_bool_t sbus_add_watch(DBusWatch *dbus_watch, void *data)
+             DEBUG(SSSDBG_FATAL_FAILURE, "Out of Memory!\n");
+             return FALSE;
+         }
++        watch->im_event = tevent_create_immediate(watch);
++        if (watch->im_event == NULL) {
++            DEBUG(SSSDBG_CRIT_FAILURE, "Out of Memory!\n");
++            talloc_free(watch);
++            return FALSE;
++        }
+         watch->conn = conn;
+         watch->fd = fd;
+     }
+@@ -243,6 +249,13 @@ void sbus_toggle_watch(DBusWatch *dbus_watch, void *data)
+            enabled?"enabled":"disabled");
+ }
+ 
++static void free_sbus_watch(struct tevent_context *ev,
++                            struct tevent_immediate *im,
++                            void *data)
++{
++    struct sbus_watch_ctx *w = talloc_get_type(data, struct sbus_watch_ctx);
++    talloc_free(w); /* this will free attached 'im' as well */
++}
+ /*
+  * sbus_remove_watch
+  * Hook for D-BUS to remove file descriptor-based events
+@@ -274,7 +287,16 @@ void sbus_remove_watch(DBusWatch *dbus_watch, void *data)
+         watch->dbus_write_watch = NULL;
+     }
+     if (!watch->dbus_read_watch && !watch->dbus_write_watch) {
+-        talloc_free(watch);
++        /* libdus doesn't need this watch{fd} anymore, so associated
++         * tevent_fd should be removed from monitoring at the spot.
++         */
++        talloc_zfree(watch->fde);
++        /* watch itself can't be freed yet as it still may be referenced
++         * in the current context (for example in sbus_watch_handler())
++         * so instead schedule immediate event to delete it.
++         */
++        tevent_schedule_immediate(watch->im_event, watch->conn->ev,
++                                  free_sbus_watch, watch);
+     }
+ }
+ 
+diff --git a/src/sbus/sssd_dbus_private.h b/src/sbus/sssd_dbus_private.h
+index a3d4bae16..92649f113 100644
+--- a/src/sbus/sssd_dbus_private.h
++++ b/src/sbus/sssd_dbus_private.h
+@@ -88,6 +88,7 @@ struct sbus_watch_ctx {
+ 
+     struct tevent_fd *fde;
+     int fd;
++    struct tevent_immediate *im_event;
+ 
+     DBusWatch *dbus_read_watch;
+     DBusWatch *dbus_write_watch;
+-- 
+2.21.1
+
diff --git a/SOURCES/0114-memberof-keep-memberOf-attribute-for-nested-member.patch b/SOURCES/0114-memberof-keep-memberOf-attribute-for-nested-member.patch
new file mode 100644
index 0000000..7f5ea75
--- /dev/null
+++ b/SOURCES/0114-memberof-keep-memberOf-attribute-for-nested-member.patch
@@ -0,0 +1,50 @@
+From 9a7c044dcd17b23127ddda25ff9cddc9c67fe4ca Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
+Date: Mon, 19 Mar 2018 12:47:17 +0100
+Subject: [PATCH] memberof: keep memberOf attribute for nested member
+
+If we have a member that is both direct and nested member,
+memberOf attribute was removed if the direct membership
+was deleted.
+
+1)
+user ----------> groupB -> groupC
+     -> groupA /
+
+2)
+user -> groupA -> groupB -> groupC
+
+If we remove user->groupB from 1), we get 2) but groupB was still
+removed from user memberOf attribute.
+
+Resolves:
+https://pagure.io/SSSD/sssd/issue/3636
+
+Reviewed-by: Sumit Bose <sbose@redhat.com>
+(cherry picked from commit 1f5d139d103328b6e4be7dc8368abdd39a91d3a6)
+
+Reviewed-by: Sumit Bose <sbose@redhat.com>
+---
+ src/ldb_modules/memberof.c | 6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+diff --git a/src/ldb_modules/memberof.c b/src/ldb_modules/memberof.c
+index 5e1ff95a8..dae51938b 100644
+--- a/src/ldb_modules/memberof.c
++++ b/src/ldb_modules/memberof.c
+@@ -2055,11 +2055,7 @@ static int mbof_del_anc_callback(struct ldb_request *req,
+                     talloc_free(valdn);
+                     continue;
+                 }
+-                /* do not re-add the original deleted entry by mistake */
+-                if (ldb_dn_compare(valdn, del_ctx->first->entry_dn) == 0) {
+-                    talloc_free(valdn);
+-                    continue;
+-                }
++
+                 new_list->dns = talloc_realloc(new_list,
+                                                new_list->dns,
+                                                struct ldb_dn *,
+-- 
+2.21.1
+
diff --git a/SPECS/sssd.spec b/SPECS/sssd.spec
index 63d1c9c..d83ce6c 100644
--- a/SPECS/sssd.spec
+++ b/SPECS/sssd.spec
@@ -48,7 +48,7 @@
 
 Name: sssd
 Version: 1.16.4
-Release: 37%{?dist}.1
+Release: 37%{?dist}.3
 Group: Applications/System
 Summary: System Security Services Daemon
 License: GPLv3+
@@ -169,6 +169,8 @@ Patch0109: 0109-ad-set-min-and-max-ssf-for-ldaps.patch
 Patch0110: 0110-LDAP-failover-does-not-work-on-non-responsive-ldaps.patch
 Patch0111: 0111-Add-TCP-level-timeout-to-LDAP-services.patch
 Patch0112: 0112-sss_sockets-pass-pointer-instead-of-integer.patch
+Patch0113: 0113-SBUS-defer-deallocation-of-sbus_watch_ctx.patch
+Patch0114: 0114-memberof-keep-memberOf-attribute-for-nested-member.patch
 
 #This patch should not be removed in RHEL-7
 Patch999: 0999-NOUPSTREAM-Default-to-root-if-sssd-user-is-not-spec
@@ -1328,13 +1330,22 @@ systemctl try-restart sssd >/dev/null 2>&1 || :
 }
 
 %changelog
+* Fri Mar 27 2020 Alexey Tikhonov <atikhono@redhat.com> - 1.16.4-37.3
+- Resolves: rhbz#1817380 - Removing an IPA sub-group should NOT remove the members
+                           from indirect parent that also belong to other subgroups
+                           [rhel-7.8.z]
+
+* Mon Mar 23 2020 Alexey Tikhonov <atikhono@redhat.com> - 1.16.4-37.2
+- Resolves: rhbz#1816031 - SSSD is crashing: dbus_watch_handle() is invoked
+                           with corrupted 'watch' value [rhel-7.8.z]
+
 * Wed Mar 18 2020 Michal Židek <mzidek@redhat.com> - 1.16.4-37.1
 - Resolves: rhbz#1801208 - id command taking 1+ minute for returning user
                            information [rhel-7.8.z]
                          - Also updates spec file to not replace
                            /pam.d/sssd-shadowutils on update
 
-* Tue Jan 15 2020 Michal Židek <mzidek@redhat.com> - 1.16.4-37
+* Wed Jan 15 2020 Michal Židek <mzidek@redhat.com> - 1.16.4-37
 - Resolves: rhbz#1784620 - Force LDAPS over 636 with AD Access Provider
 - just bumping the version to fix generated dates in man pages