diff --git a/xen.fedora.systemd.patch b/xen.fedora.systemd.patch
index 26c8a8f..0f26a1c 100644
--- a/xen.fedora.systemd.patch
+++ b/xen.fedora.systemd.patch
@@ -114,7 +114,7 @@ diff -uN xen-4.5.0/tools/hotplug/Linux/systemd.orig/xenstored.service.in xen-4.5
  hotplug/Linux/init.d/xen-watchdog
  hotplug/Linux/init.d/xencommons
  hotplug/Linux/init.d/xendomains
-+otplug/Linux/systemd/oxenstored.service
++hotplug/Linux/systemd/oxenstored.service
  hotplug/Linux/systemd/proc-xen.mount
  hotplug/Linux/systemd/var-lib-xenstored.mount
 -hotplug/Linux/systemd/xen-init-dom0.service
diff --git a/xen.spec b/xen.spec
index eddde91..26addaf 100644
--- a/xen.spec
+++ b/xen.spec
@@ -51,7 +51,7 @@
 Summary: Xen is a virtual machine monitor
 Name:    xen
 Version: 4.5.0
-Release: 2%{?dist}
+Release: 3%{?dist}
 Group:   Development/Libraries
 License: GPLv2+ and LGPLv2+ and BSD
 URL:     http://xen.org/
@@ -88,6 +88,8 @@ Patch19: xsa118-4.5-unstable-1.patch
 Patch20: xsa118-4.5-unstable-2.patch
 Patch21: xsa117.patch
 Patch22: xen.gcc5.fix.patch
+Patch23: xsa121.patch
+Patch24: xsa122.patch
 
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
 BuildRequires: transfig libidn-devel zlib-devel texi2html SDL-devel curl-devel
@@ -275,6 +277,8 @@ manage Xen virtual machines.
 %patch20 -p1
 %patch21 -p1
 %patch22 -p1
+%patch23 -p1
+%patch24 -p1
 
 # stubdom sources
 cp -v %{SOURCE10} %{SOURCE11} %{SOURCE12} %{SOURCE13} %{SOURCE14} %{SOURCE15} stubdom
@@ -779,6 +783,13 @@ rm -rf %{buildroot}
 %endif
 
 %changelog
+* Thu Mar 05 2015 Michael Young <m.a.young@durham.ac.uk> - 4.5.0-3
+- Information leak via internal x86 system device emulation [XSA-121,
+	CVE-2015-2044]
+- Information leak through version information hypercall [XSA-122,
+	CVE-2015-2045]
+- fix a typo in xen.fedora.systemd.patch
+
 * Sat Feb 14 2015 Michael Young <m.a.young@durham.ac.uk> - 4.5.0-2
 - arm: vgic-v2: GICD_SGIR is not properly emulated [XSA-117, CVE-2015-0268]
 - allow certain warnings with gcc5 that would otherwise be treated as errors
diff --git a/xsa121.patch b/xsa121.patch
new file mode 100644
index 0000000..f3d1397
--- /dev/null
+++ b/xsa121.patch
@@ -0,0 +1,51 @@
+x86/HVM: return all ones on wrong-sized reads of system device I/O ports
+
+So far the value presented to the guest remained uninitialized.
+
+This is CVE-2015-2044 / XSA-121.
+
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Acked-by: Ian Campbell <ian.campbell@citrix.com>
+
+--- a/xen/arch/x86/hvm/i8254.c
++++ b/xen/arch/x86/hvm/i8254.c
+@@ -486,6 +486,7 @@ static int handle_pit_io(
+     if ( bytes != 1 )
+     {
+         gdprintk(XENLOG_WARNING, "PIT bad access\n");
++        *val = ~0;
+         return X86EMUL_OKAY;
+     }
+ 
+--- a/xen/arch/x86/hvm/pmtimer.c
++++ b/xen/arch/x86/hvm/pmtimer.c
+@@ -213,6 +213,7 @@ static int handle_pmt_io(
+     if ( bytes != 4 )
+     {
+         gdprintk(XENLOG_WARNING, "HVM_PMT bad access\n");
++        *val = ~0;
+         return X86EMUL_OKAY;
+     }
+     
+--- a/xen/arch/x86/hvm/rtc.c
++++ b/xen/arch/x86/hvm/rtc.c
+@@ -703,7 +703,8 @@ static int handle_rtc_io(
+ 
+     if ( bytes != 1 )
+     {
+-        gdprintk(XENLOG_WARNING, "HVM_RTC bas access\n");
++        gdprintk(XENLOG_WARNING, "HVM_RTC bad access\n");
++        *val = ~0;
+         return X86EMUL_OKAY;
+     }
+     
+--- a/xen/arch/x86/hvm/vpic.c
++++ b/xen/arch/x86/hvm/vpic.c
+@@ -331,6 +331,7 @@ static int vpic_intercept_pic_io(
+     if ( bytes != 1 )
+     {
+         gdprintk(XENLOG_WARNING, "PIC_IO bad access size %d\n", bytes);
++        *val = ~0;
+         return X86EMUL_OKAY;
+     }
+ 
diff --git a/xsa122.patch b/xsa122.patch
new file mode 100644
index 0000000..1e58965
--- /dev/null
+++ b/xsa122.patch
@@ -0,0 +1,40 @@
+pre-fill structures for certain HYPERVISOR_xen_version sub-ops
+
+... avoiding to pass hypervisor stack contents back to the caller
+through space unused by the respective strings.
+
+This is CVE-2015-2045 / XSA-122.
+
+Signed-off-by: Aaron Adams <Aaron.Adams@nccgroup.com>
+Acked-by: Jan Beulich <jbeulich@suse.com>
+Acked-by: Ian Campbell <ian.campbell@citrix.com>
+
+--- a/xen/common/kernel.c
++++ b/xen/common/kernel.c
+@@ -240,6 +240,8 @@ DO(xen_version)(int cmd, XEN_GUEST_HANDL
+     case XENVER_extraversion:
+     {
+         xen_extraversion_t extraversion;
++
++        memset(extraversion, 0, sizeof(extraversion));
+         safe_strcpy(extraversion, xen_extra_version());
+         if ( copy_to_guest(arg, extraversion, ARRAY_SIZE(extraversion)) )
+             return -EFAULT;
+@@ -249,6 +251,8 @@ DO(xen_version)(int cmd, XEN_GUEST_HANDL
+     case XENVER_compile_info:
+     {
+         struct xen_compile_info info;
++
++        memset(&info, 0, sizeof(info));
+         safe_strcpy(info.compiler,       xen_compiler());
+         safe_strcpy(info.compile_by,     xen_compile_by());
+         safe_strcpy(info.compile_domain, xen_compile_domain());
+@@ -284,6 +288,8 @@ DO(xen_version)(int cmd, XEN_GUEST_HANDL
+     case XENVER_changeset:
+     {
+         xen_changeset_info_t chgset;
++
++        memset(chgset, 0, sizeof(chgset));
+         safe_strcpy(chgset, xen_changeset());
+         if ( copy_to_guest(arg, chgset, ARRAY_SIZE(chgset)) )
+             return -EFAULT;