diff --git a/SOURCES/0001-swtpm-Check-header-size-indicator-against-expected-s.patch b/SOURCES/0001-swtpm-Check-header-size-indicator-against-expected-s.patch
new file mode 100644
index 0000000..9a962c3
--- /dev/null
+++ b/SOURCES/0001-swtpm-Check-header-size-indicator-against-expected-s.patch
@@ -0,0 +1,54 @@
+From 9f740868fc36761de27df3935513bdebf8852d19 Mon Sep 17 00:00:00 2001
+From: Stefan Berger <stefanb@linux.ibm.com>
+Date: Wed, 16 Feb 2022 11:17:47 -0500
+Subject: [PATCH] swtpm: Check header size indicator against expected size (CID
+ 375869)
+
+This fix addresses Coverity issue CID 375869.
+
+Check the header size indicated in the header of the state against the
+expected size and return an error code in case the header size indicator
+is different. There was only one header size so far since blobheader was
+introduced, so we don't need to deal with different sizes.
+
+Without this fix a specially craft header could have cause out-of-bounds
+accesses on the byte array containing the swtpm's state.
+
+Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
+---
+ src/swtpm/swtpm_nvstore.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/src/swtpm/swtpm_nvstore.c b/src/swtpm/swtpm_nvstore.c
+index 437088370e11..144d8975ec54 100644
+--- a/src/swtpm/swtpm_nvstore.c
++++ b/src/swtpm/swtpm_nvstore.c
+@@ -1075,6 +1075,7 @@ SWTPM_NVRAM_CheckHeader(unsigned char *data, uint32_t length,
+                         uint8_t *hdrversion, bool quiet)
+ {
+     blobheader *bh = (blobheader *)data;
++    uint16_t hdrsize;
+ 
+     if (length < sizeof(bh)) {
+         if (!quiet)
+@@ -1100,8 +1101,16 @@ SWTPM_NVRAM_CheckHeader(unsigned char *data, uint32_t length,
+         return TPM_BAD_VERSION;
+     }
+ 
++    hdrsize = ntohs(bh->hdrsize);
++    if (hdrsize != sizeof(blobheader)) {
++        logprintf(STDERR_FILENO,
++                  "bad header size: %u != %zu\n",
++                  hdrsize, sizeof(blobheader));
++        return TPM_BAD_DATASIZE;
++    }
++
+     *hdrversion = bh->version;
+-    *dataoffset = ntohs(bh->hdrsize);
++    *dataoffset = hdrsize;
+     *hdrflags = ntohs(bh->flags);
+ 
+     return TPM_SUCCESS;
+-- 
+2.34.1.428.gdcc0cd074f0c
+
diff --git a/SOURCES/0001-swtpm-Disable-OpenSSL-FIPS-mode-to-avoid-libtpms-fai.patch b/SOURCES/0001-swtpm-Disable-OpenSSL-FIPS-mode-to-avoid-libtpms-fai.patch
index 7a5aed3..815608d 100644
--- a/SOURCES/0001-swtpm-Disable-OpenSSL-FIPS-mode-to-avoid-libtpms-fai.patch
+++ b/SOURCES/0001-swtpm-Disable-OpenSSL-FIPS-mode-to-avoid-libtpms-fai.patch
@@ -1,4 +1,4 @@
-From 12c1bfab1f21fdc28039219a1a159a900ca97283 Mon Sep 17 00:00:00 2001
+From a39c3792ba5677f25fea903b9f1a43740a5f2c0c Mon Sep 17 00:00:00 2001
 From: Stefan Berger <stefanb@linux.ibm.com>
 Date: Wed, 8 Jun 2022 09:19:07 -0400
 Subject: [PATCH] swtpm: Disable OpenSSL FIPS mode to avoid libtpms failures
@@ -25,7 +25,7 @@ Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
  create mode 100644 src/swtpm/fips.h
 
 diff --git a/configure.ac b/configure.ac
-index ad3054e5c7e3..30288c7a24ac 100644
+index ad3054e..30288c7 100644
 --- a/configure.ac
 +++ b/configure.ac
 @@ -156,6 +156,15 @@ openssl)
@@ -45,7 +45,7 @@ index ad3054e5c7e3..30288c7a24ac 100644
  esac
  
 diff --git a/src/swtpm/Makefile.am b/src/swtpm/Makefile.am
-index 5454a6f7b747..2a659500a17f 100644
+index 5454a6f..2a65950 100644
 --- a/src/swtpm/Makefile.am
 +++ b/src/swtpm/Makefile.am
 @@ -11,6 +11,7 @@ noinst_HEADERS = \
@@ -65,7 +65,7 @@ index 5454a6f7b747..2a659500a17f 100644
  	logging.c \
  	mainloop.c \
 diff --git a/src/swtpm/cuse_tpm.c b/src/swtpm/cuse_tpm.c
-index 9dbc00df2825..3026e26fffb3 100644
+index 9dbc00d..3026e26 100644
 --- a/src/swtpm/cuse_tpm.c
 +++ b/src/swtpm/cuse_tpm.c
 @@ -1695,6 +1695,11 @@ int swtpm_cuse_main(int argc, char **argv, const char *prgname, const char *ifac
@@ -82,7 +82,7 @@ index 9dbc00df2825..3026e26fffb3 100644
          goto exit;
 diff --git a/src/swtpm/fips.c b/src/swtpm/fips.c
 new file mode 100644
-index 000000000000..eeb2a0ca4187
+index 0000000..eeb2a0c
 --- /dev/null
 +++ b/src/swtpm/fips.c
 @@ -0,0 +1,100 @@
@@ -188,7 +188,7 @@ index 000000000000..eeb2a0ca4187
 +#endif
 diff --git a/src/swtpm/fips.h b/src/swtpm/fips.h
 new file mode 100644
-index 000000000000..14d4e9fe926d
+index 0000000..14d4e9f
 --- /dev/null
 +++ b/src/swtpm/fips.h
 @@ -0,0 +1,43 @@
@@ -236,7 +236,7 @@ index 000000000000..14d4e9fe926d
 +
 +#endif /* _SWTPM_UTILS_H_ */
 diff --git a/src/swtpm/swtpm.c b/src/swtpm/swtpm.c
-index 722a7432f251..e618c567b1d2 100644
+index 722a743..e618c56 100644
 --- a/src/swtpm/swtpm.c
 +++ b/src/swtpm/swtpm.c
 @@ -521,6 +521,9 @@ int swtpm_main(int argc, char **argv, const char *prgname, const char *iface)
@@ -250,7 +250,7 @@ index 722a7432f251..e618c567b1d2 100644
  
  error_seccomp_profile:
 diff --git a/src/swtpm/swtpm_chardev.c b/src/swtpm/swtpm_chardev.c
-index 9710927ec626..ab6d8fd417c6 100644
+index 9710927..ab6d8fd 100644
 --- a/src/swtpm/swtpm_chardev.c
 +++ b/src/swtpm/swtpm_chardev.c
 @@ -573,6 +573,9 @@ int swtpm_chardev_main(int argc, char **argv, const char *prgname, const char *i
@@ -264,7 +264,7 @@ index 9710927ec626..ab6d8fd417c6 100644
  
  error_seccomp_profile:
 diff --git a/src/swtpm/utils.h b/src/swtpm/utils.h
-index 75024425d4b0..b8acd895a2ac 100644
+index 7502442..b8acd89 100644
 --- a/src/swtpm/utils.h
 +++ b/src/swtpm/utils.h
 @@ -71,4 +71,6 @@ ssize_t writev_full(int fd, const struct iovec *iov, int iovcnt);
@@ -275,5 +275,5 @@ index 75024425d4b0..b8acd895a2ac 100644
 +
  #endif /* _SWTPM_UTILS_H_ */
 -- 
-2.36.0.44.g0f828332d5ac
+2.36.1
 
diff --git a/SPECS/swtpm.spec b/SPECS/swtpm.spec
index d010097..181a689 100644
--- a/SPECS/swtpm.spec
+++ b/SPECS/swtpm.spec
@@ -12,13 +12,14 @@
 Summary: TPM Emulator
 Name:           swtpm
 Version:        0.7.0
-Release:        3.%{gitdate}git%{gitshortcommit}%{?dist}
+Release:        4.%{gitdate}git%{gitshortcommit}%{?dist}
 License:        BSD
 Url:            http://github.com/stefanberger/swtpm
 Source0:        %{url}/archive/%{gitcommit}/%{name}-%{gitshortcommit}.tar.gz
-Patch0001:      0001-swtpm-Disable-OpenSSL-FIPS-mode-to-avoid-libtpms-fai.patch
-Patch0002:      0001-swtpm_localca-Test-for-available-issuercert-before-c.patch
 ExcludeArch:    i686
+Patch0001:      0001-swtpm-Check-header-size-indicator-against-expected-s.patch
+Patch0002:      0001-swtpm-Disable-OpenSSL-FIPS-mode-to-avoid-libtpms-fai.patch
+Patch0003:      0001-swtpm_localca-Test-for-available-issuercert-before-c.patch
 
 BuildRequires: make
 BuildRequires:  git-core
@@ -181,13 +182,17 @@ fi
 %{_datadir}/swtpm/swtpm-create-tpmca
 
 %changelog
-* Mon Jul 18 2022 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.7.0-3.20211109gitb79fd91
+* Mon Jul 18 2022 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.7.0-4.20211109gitb79fd91
 - swtpm_localca: Test for available issuercert before creating CA
-  Resolves: rhbz#2109987
+  Resolves: rhbz#2100508
 
-* Thu Jun 09 2022 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.7.0-2.20211109gitb79fd91
-- Disable FIPS mode.
-  Resolves: rhbz#2109568
+* Mon Jun 20 2022 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.7.0-3.20211109gitb79fd91
+- Disable OpenSSL FIPS mode to avoid libtpms failures
+  Resolves: rhbz#2097947
+
+* Mon Feb 21 2022 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.7.0-2.20211109gitb79fd91
+- Add fix for CVE-2022-23645.
+  Resolves: rhbz#2056517
 
 * Tue Jan 04 2022 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.7.0-1.20211109gitb79fd91
 - Rebase to 0.7.0, disable TPM 1.2.