diff --git a/xen.glibc.fix.patch b/xen.glibc.fix.patch
new file mode 100644
index 0000000..23690c4
--- /dev/null
+++ b/xen.glibc.fix.patch
@@ -0,0 +1,57 @@
+--- xen-4.6.1/tools/libfsimage/common/fsimage_plugin.c.orig 2016-02-09 14:44:19.000000000 +0000
++++ xen-4.6.1/tools/libfsimage/common/fsimage_plugin.c 2016-03-28 20:22:39.943920923 +0100
+@@ -122,7 +122,6 @@
+ static int load_plugins(void)
+ {
+ const char *fsdir = getenv("FSIMAGE_FSDIR");
+- struct dirent *dp = NULL;
+ struct dirent *dpp;
+ DIR *dir = NULL;
+ char *tmp = NULL;
+@@ -139,15 +138,10 @@
+ if ((tmp = malloc(name_max + 1)) == NULL)
+ goto fail;
+ 
+- if ((dp = malloc(sizeof (struct dirent) + name_max + 1)) == NULL)
+- goto fail;
+-
+ if ((dir = opendir(fsdir)) == NULL)
+ goto fail;
+ 
+- bzero(dp, sizeof (struct dirent) + name_max + 1);
+-
+- while (readdir_r(dir, dp, &dpp) == 0 && dpp != NULL) {
++ while ((dpp = readdir(dir)) != NULL) {
+ if (strcmp(dpp->d_name, ".") == 0)
+ continue;
+ if (strcmp(dpp->d_name, "..") == 0)
+@@ -167,7 +161,6 @@
+ if (dir != NULL)
+ (void) closedir(dir);
+ free(tmp);
+- free(dp);
+ errno = err;
+ return (ret);
+ }
+--- xen-4.6.1/tools/libxl/libxl_utils.c.orig 2016-02-09 14:44:19.000000000 +0000
++++ xen-4.6.1/tools/libxl/libxl_utils.c 2016-03-28 20:42:48.893044921 +0100
+@@ -471,18 +471,10 @@
+ goto out;
+ }
+ 
+- size_t need = offsetof(struct dirent, d_name) +
+- pathconf(dirpath, _PC_NAME_MAX) + 1;
+- struct dirent *de_buf = libxl__zalloc(gc, need);
+ struct dirent *de;
+ 
+ for (;;) {
+- int r = readdir_r(d, de_buf, &de);
+- if (r) {
+- LOGE(ERROR, "failed to readdir %s for removal", dirpath);
+- rc = ERROR_FAIL;
+- break;
+- }
++ de = readdir(d);
+ if (!de)
+ break;
+ 
diff --git a/xen.spec b/xen.spec
index c10850d..5e81884 100644
--- a/xen.spec
+++ b/xen.spec
@@ -51,7 +51,7 @@ Summary: Xen is a virtual machine monitor
 Name: xen
 Version: 4.6.1
-Release: 3%{?dist}
+Release: 4%{?dist}
 Group: Development/Libraries
 License: GPLv2+ and LGPLv2+ and BSD
 URL: http://xen.org/
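Review bot: In the libxl_utils.c hunk the new `de = readdir(d); if (!de) break;` drops the error path the removed readdir_r code had: readdir() returns NULL both at end of directory and on failure, so a failed read now ends the loop silently, nothing is logged and rc is left untouched, and the caller continues as though every entry had been handled. The removed log message says this enumeration is "for removal", so a truncated listing means entries are skipped without any diagnostic. The usual fix is to clear errno before the call and, on NULL, report and set ERROR_FAIL when errno is non-zero (LOGE already reports errno, so errno.h is presumably in scope). The same readdir_r→readdir switch in fsimage_plugin.c load_plugins has the same NULL ambiguity, but there the old `readdir_r(...) == 0 && dpp != NULL` loop also stopped silently on error, so its behaviour is unchanged. Both enclosing functions start and end outside the inner hunks.
```c
    for (;;) {
        errno = 0;
        de = readdir(d);
        if (!de) {
            if (errno) {
                LOGE(ERROR, "failed to readdir %s for removal", dirpath);
                rc = ERROR_FAIL;
            }
            break;
        }
        /* … unchanged: per-entry handling … */
```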
@@ -132,6 +132,8 @@ Patch89: qemu.CVE-2016-2857.patch
 Patch90: qemu.trad.CVE-2016-2857.patch
 Patch91: qemu.CVE-2015-8817+8.patch
 Patch92: qemu.git-60253ed1e6ec6d8e5ef2efe7bf755f475.patch
+Patch93: xen.glibc.fix.patch
+Patch94: xsa172.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
@@ -365,6 +367,8 @@ manage Xen virtual machines.
 %patch90 -p1
 %patch91 -p1
 %patch92 -p1
+%patch93 -p1
+%patch94 -p1
 # stubdom sources
 cp -v %{SOURCE10} %{SOURCE11} %{SOURCE12} %{SOURCE13} %{SOURCE14} %{SOURCE15} stubdom
@@ -891,6 +895,11 @@ rm -rf %{buildroot}
 %endif
 %changelog
+* Tue Mar 29 2016 Michael Young - 4.6.1-4
+- fix for build problems on F25
+- broken AMD FPU FIP/FDP/FOP leak workaround [XSA-172, CVE-2016-3158,
+ CVE-2016-3159] (#1321944)
+
 * Mon Mar 07 2016 Michael Young - 4.6.1-3
 - pandoc should work again
 - Qemu: nvram: OOB r/w access in processing firmware configurations
diff --git a/xsa172.patch b/xsa172.patch
new file mode 100644
index 0000000..8b1d01f
--- /dev/null
+++ b/xsa172.patch
@@ -0,0 +1,39 @@
+x86: fix information leak on AMD CPUs
+
+The fix for XSA-52 was wrong, and so was the change synchronizing that
+new behavior to the FXRSTOR logic: AMD's manuals explictly state that
+writes to the ES bit are ignored, and it instead gets calculated from
+the exception and mask bits (it gets set whenever there is an unmasked
+exception, and cleared otherwise). Hence we need to follow that model
+in our workaround.
+
+This is XSA-172.
+
+The first hunk (xen/arch/x86/i387.c:fpu_fxrstor) is CVE-2016-3159.
+The second hunk (xen/arch/x86/xstate.c:xrstor) is CVE-2016-3158.
+
+Signed-off-by: Jan Beulich
+Reviewed-by: Andrew Cooper
+
+--- a/xen/arch/x86/i387.c
++++ b/xen/arch/x86/i387.c
+@@ -49,7 +49,7 @@ static inline void fpu_fxrstor(struct vc
+ * sometimes new user value. Both should be ok. Use the FPU saved
+ * data block as a safe address because it should be in L1.
+ */
+- if ( !(fpu_ctxt->fsw & 0x0080) &&
++ if ( !(fpu_ctxt->fsw & ~fpu_ctxt->fcw & 0x003f) &&
+ boot_cpu_data.x86_vendor == X86_VENDOR_AMD )
+ {
+ asm volatile ( "fnclex\n\t"
+--- a/xen/arch/x86/xstate.c
++++ b/xen/arch/x86/xstate.c
+@@ -344,7 +344,7 @@ void xrstor(struct vcpu *v, uint64_t mas
+ * data block as a safe address because it should be in L1.
+ */
+ if ( (mask & ptr->xsave_hdr.xstate_bv & XSTATE_FP) &&
+- !(ptr->fpu_sse.fsw & 0x0080) &&
++ !(ptr->fpu_sse.fsw & ~ptr->fpu_sse.fcw & 0x003f) &&
+ boot_cpu_data.x86_vendor == X86_VENDOR_AMD )
+ asm volatile ( "fnclex\n\t" /* clear exceptions */
+ "ffree %%st(7)\n\t" /* clear stack tag */