diff --git a/CVE-2012-0217.patch b/CVE-2012-0217.patch
new file mode 100644
index 0000000..7f6c597
--- /dev/null
+++ b/CVE-2012-0217.patch
@@ -0,0 +1,54 @@
+
+# HG changeset patch
+# User Jan Beulich <JBeulich@suse.com>
+# Date 1339497510 -3600
+# Node ID f08e61b9b33f553b21870d58e7c4f95f2c9ac513
+# Parent  435493696053a079ec17d6e1a63e5f2be3a2c9d0
+x86_64: Do not execute sysret with a non-canonical return address
+
+Check for non-canonical guest RIP before attempting to execute sysret.
+If sysret is executed with a non-canonical value in RCX, Intel CPUs
+take the fault in ring0, but we will necessarily already have switched
+to the the user's stack pointer.
+
+This is a security vulnerability, XSA-7 / CVE-2012-0217.
+
+Signed-off-by: Jan Beulich <JBeulich@suse.com>
+Signed-off-by: Ian Campbell <Ian.Campbell@citrix.com>
+Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
+Acked-by: Keir Fraser <keir.xen@gmail.com>
+Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>
+
+xen-unstable changeset:   25480:76eaf5966c05
+xen-unstable date:        Tue Jun 12 11:33:40 2012 +0100
+Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>
+
+diff -r 435493696053 -r f08e61b9b33f xen/arch/x86/x86_64/entry.S
+--- a/xen/arch/x86/x86_64/entry.S	Fri May 25 08:18:47 2012 +0100
++++ b/xen/arch/x86/x86_64/entry.S	Tue Jun 12 11:38:30 2012 +0100
+@@ -40,6 +40,13 @@ restore_all_guest:
+         testw $TRAP_syscall,4(%rsp)
+         jz    iret_exit_to_guest
+ 
++        /* Don't use SYSRET path if the return address is not canonical. */
++        movq  8(%rsp),%rcx
++        sarq  $47,%rcx
++        incl  %ecx
++        cmpl  $1,%ecx
++        ja    .Lforce_iret
++
+         addq  $8,%rsp
+         popq  %rcx                    # RIP
+         popq  %r11                    # CS
+@@ -50,6 +57,10 @@ restore_all_guest:
+         sysretq
+ 1:      sysretl
+ 
++.Lforce_iret:
++        /* Mimic SYSRET behavior. */
++        movq  8(%rsp),%rcx            # RIP
++        movq  24(%rsp),%r11           # RFLAGS
+         ALIGN
+ /* No special register assumptions. */
+ iret_exit_to_guest:
+
diff --git a/CVE-2012-0218.patch b/CVE-2012-0218.patch
new file mode 100644
index 0000000..22e13b5
--- /dev/null
+++ b/CVE-2012-0218.patch
@@ -0,0 +1,134 @@
+
+# HG changeset patch
+# User Jan Beulich <JBeulich@suse.com>
+# Date 1339497971 -3600
+# Node ID 0fec1afa463808d91defa43f12cb744d3258a868
+# Parent  f08e61b9b33f553b21870d58e7c4f95f2c9ac513
+x86-64: fix #GP generation in assembly code
+
+When guest use of sysenter (64-bit PV guest) or syscall (32-bit PV
+guest) gets converted into a GP fault (due to no callback having got
+registered), we must
+- honor the GP fault handler's request the keep enabled or mask event
+  delivery
+- not allow TBF_EXCEPTION to remain set past the generation of the
+  (guest) exception in the vCPU's trap_bounce.flags, as that would
+  otherwise allow for the next exception occurring in guest mode,
+  should it happen to get handled in Xen itself, to nevertheless get
+  bounced to the guest kernel.
+
+Also, just like compat mode syscall handling already did, native mode
+sysenter handling should, when converting to #GP, subtract 2 from the
+RIP present in the frame so that the guest's GP fault handler would
+see the fault pointing to the offending instruction instead of past it.
+
+Finally, since those exception generating code blocks needed to be
+modified anyway, convert them to make use of UNLIKELY_{START,END}().
+
+[ This bug is security vulnerability, XSA-8 / CVE-2012-0218. ]
+
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Acked-by: Keir Fraser <keir@xen.org>
+Committed-by: Jan Beulich <jbeulich@suse.com>
+
+xen-unstable changeset:   25200:80f4113be500 25204:569d6f05e1ef
+Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>
+
+diff -r f08e61b9b33f -r 0fec1afa4638 xen/arch/x86/x86_64/asm-offsets.c
+--- a/xen/arch/x86/x86_64/asm-offsets.c	Tue Jun 12 11:38:30 2012 +0100
++++ b/xen/arch/x86/x86_64/asm-offsets.c	Tue Jun 12 11:46:11 2012 +0100
+@@ -90,6 +90,8 @@ void __dummy__(void)
+            arch.guest_context.trap_ctxt[TRAP_gp_fault].address);
+     OFFSET(VCPU_gp_fault_sel, struct vcpu,
+            arch.guest_context.trap_ctxt[TRAP_gp_fault].cs);
++    OFFSET(VCPU_gp_fault_flags, struct vcpu,
++           arch.guest_context.trap_ctxt[TRAP_gp_fault].flags);
+     OFFSET(VCPU_kernel_sp, struct vcpu, arch.guest_context.kernel_sp);
+     OFFSET(VCPU_kernel_ss, struct vcpu, arch.guest_context.kernel_ss);
+     OFFSET(VCPU_guest_context_flags, struct vcpu, arch.guest_context.flags);
+diff -r f08e61b9b33f -r 0fec1afa4638 xen/arch/x86/x86_64/compat/entry.S
+--- a/xen/arch/x86/x86_64/compat/entry.S	Tue Jun 12 11:38:30 2012 +0100
++++ b/xen/arch/x86/x86_64/compat/entry.S	Tue Jun 12 11:46:11 2012 +0100
+@@ -214,6 +214,7 @@ 1:      call  compat_create_bounce_frame
+ ENTRY(compat_post_handle_exception)
+         testb $TBF_EXCEPTION,TRAPBOUNCE_flags(%rdx)
+         jz    compat_test_all_events
++.Lcompat_bounce_exception:
+         call  compat_create_bounce_frame
+         movb  $0,TRAPBOUNCE_flags(%rdx)
+         jmp   compat_test_all_events
+@@ -226,19 +227,20 @@ ENTRY(compat_syscall)
+         leaq  VCPU_trap_bounce(%rbx),%rdx
+         testl $~3,%esi
+         leal  (,%rcx,TBF_INTERRUPT),%ecx
+-        jz    2f
+-1:      movq  %rax,TRAPBOUNCE_eip(%rdx)
++UNLIKELY_START(z, compat_syscall_gpf)
++        movl  $TRAP_gp_fault,UREGS_entry_vector(%rsp)
++        subl  $2,UREGS_rip(%rsp)
++        movl  $0,TRAPBOUNCE_error_code(%rdx)
++        movl  VCPU_gp_fault_addr(%rbx),%eax
++        movzwl VCPU_gp_fault_sel(%rbx),%esi
++        testb $4,VCPU_gp_fault_flags(%rbx)
++        setnz %cl
++        leal  TBF_EXCEPTION|TBF_EXCEPTION_ERRCODE(,%rcx,TBF_INTERRUPT),%ecx
++UNLIKELY_END(compat_syscall_gpf)
++        movq  %rax,TRAPBOUNCE_eip(%rdx)
+         movw  %si,TRAPBOUNCE_cs(%rdx)
+         movb  %cl,TRAPBOUNCE_flags(%rdx)
+-        call  compat_create_bounce_frame
+-        jmp   compat_test_all_events
+-2:      movl  $TRAP_gp_fault,UREGS_entry_vector(%rsp)
+-        subl  $2,UREGS_rip(%rsp)
+-        movq  VCPU_gp_fault_addr(%rbx),%rax
+-        movzwl VCPU_gp_fault_sel(%rbx),%esi
+-        movb  $(TBF_EXCEPTION|TBF_EXCEPTION_ERRCODE|TBF_INTERRUPT),%cl
+-        movl  $0,TRAPBOUNCE_error_code(%rdx)
+-        jmp   1b
++        jmp   .Lcompat_bounce_exception
+ 
+ ENTRY(compat_sysenter)
+         cmpl  $TRAP_gp_fault,UREGS_entry_vector(%rsp)
+diff -r f08e61b9b33f -r 0fec1afa4638 xen/arch/x86/x86_64/entry.S
+--- a/xen/arch/x86/x86_64/entry.S	Tue Jun 12 11:38:30 2012 +0100
++++ b/xen/arch/x86/x86_64/entry.S	Tue Jun 12 11:46:11 2012 +0100
+@@ -289,19 +289,21 @@ sysenter_eflags_saved:
+         leaq  VCPU_trap_bounce(%rbx),%rdx
+         testq %rax,%rax
+         leal  (,%rcx,TBF_INTERRUPT),%ecx
+-        jz    2f
+-1:      movq  VCPU_domain(%rbx),%rdi
++UNLIKELY_START(z, sysenter_gpf)
++        movl  $TRAP_gp_fault,UREGS_entry_vector(%rsp)
++        subq  $2,UREGS_rip(%rsp)
++        movl  %eax,TRAPBOUNCE_error_code(%rdx)
++        movq  VCPU_gp_fault_addr(%rbx),%rax
++        testb $4,VCPU_gp_fault_flags(%rbx)
++        setnz %cl
++        leal  TBF_EXCEPTION|TBF_EXCEPTION_ERRCODE(,%rcx,TBF_INTERRUPT),%ecx
++UNLIKELY_END(sysenter_gpf)
++        movq  VCPU_domain(%rbx),%rdi
+         movq  %rax,TRAPBOUNCE_eip(%rdx)
+         movb  %cl,TRAPBOUNCE_flags(%rdx)
+         testb $1,DOMAIN_is_32bit_pv(%rdi)
+         jnz   compat_sysenter
+-        call  create_bounce_frame
+-        jmp   test_all_events
+-2:      movl  %eax,TRAPBOUNCE_error_code(%rdx)
+-        movq  VCPU_gp_fault_addr(%rbx),%rax
+-        movb  $(TBF_EXCEPTION|TBF_EXCEPTION_ERRCODE|TBF_INTERRUPT),%cl
+-        movl  $TRAP_gp_fault,UREGS_entry_vector(%rsp)
+-        jmp   1b
++        jmp   .Lbounce_exception
+ 
+ ENTRY(int80_direct_trap)
+         pushq $0
+@@ -493,6 +495,7 @@ 1:      movq  %rsp,%rdi
+         jnz   compat_post_handle_exception
+         testb $TBF_EXCEPTION,TRAPBOUNCE_flags(%rdx)
+         jz    test_all_events
++.Lbounce_exception:
+         call  create_bounce_frame
+         movb  $0,TRAPBOUNCE_flags(%rdx)
+         jmp   test_all_events
+
diff --git a/CVE-2012-2934.patch b/CVE-2012-2934.patch
new file mode 100644
index 0000000..4111927
--- /dev/null
+++ b/CVE-2012-2934.patch
@@ -0,0 +1,60 @@
+
+# HG changeset patch
+# User Jan Beulich <JBeulich@suse.com>
+# Date 1339497777 -3600
+# Node ID a9c0a89c08f2a1c92f64f001b653d7c02fbc852c
+# Parent  0fec1afa463808d91defa43f12cb744d3258a868
+x86-64: detect processors subject to AMD erratum #121 and refuse to boot
+
+Processors with this erratum are subject to a DoS attack by unprivileged
+guest users.
+
+This is XSA-9 / CVE-2012-2934.
+
+Signed-off-by: Jan Beulich <JBeulich@suse.com>
+Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
+Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>
+
+xen-unstable changeset:   25481:422880dc94a4
+xen-unstable date:        Tue Jun 12 11:33:42 2012 +0100
+Committed-by: Ian Jackson <ian.jackson@eu.citrix.com>
+
+diff -r 0fec1afa4638 -r a9c0a89c08f2 xen/arch/x86/cpu/amd.c
+--- a/xen/arch/x86/cpu/amd.c	Tue Jun 12 11:46:11 2012 +0100
++++ b/xen/arch/x86/cpu/amd.c	Tue Jun 12 11:42:57 2012 +0100
+@@ -32,6 +32,9 @@
+ static char opt_famrev[14];
+ string_param("cpuid_mask_cpu", opt_famrev);
+ 
++static int opt_allow_unsafe;
++boolean_param("allow_unsafe", opt_allow_unsafe);
++
+ static inline void wrmsr_amd(unsigned int index, unsigned int lo, 
+ 		unsigned int hi)
+ {
+@@ -620,6 +623,11 @@ static void __devinit init_amd(struct cp
+ 		clear_bit(X86_FEATURE_MCE, c->x86_capability);
+ 
+ #ifdef __x86_64__
++	if (cpu_has_amd_erratum(c, AMD_ERRATUM_121) && !opt_allow_unsafe)
++		panic("Xen will not boot on this CPU for security reasons.\n"
++		      "Pass \"allow_unsafe\" if you're trusting all your"
++		      " (PV) guest kernels.\n");
++
+ 	/* AMD CPUs do not support SYSENTER outside of legacy mode. */
+ 	clear_bit(X86_FEATURE_SEP, c->x86_capability);
+ 
+diff -r 0fec1afa4638 -r a9c0a89c08f2 xen/include/asm-x86/amd.h
+--- a/xen/include/asm-x86/amd.h	Tue Jun 12 11:46:11 2012 +0100
++++ b/xen/include/asm-x86/amd.h	Tue Jun 12 11:42:57 2012 +0100
+@@ -127,6 +127,9 @@
+ #define AMD_MODEL_RANGE_START(range)    (((range) >> 12) & 0xfff)
+ #define AMD_MODEL_RANGE_END(range)      ((range) & 0xfff)
+ 
++#define AMD_ERRATUM_121                                                 \
++    AMD_LEGACY_ERRATUM(AMD_MODEL_RANGE(0x0f, 0x0, 0x0, 0x3f, 0xf))
++
+ #define AMD_ERRATUM_170                                                 \
+     AMD_LEGACY_ERRATUM(AMD_MODEL_RANGE(0x0f, 0x0, 0x0, 0x67, 0xf))
+ 
+
diff --git a/xen.spec b/xen.spec
index b642825..739ec3c 100644
--- a/xen.spec
+++ b/xen.spec
@@ -20,7 +20,7 @@
 Summary: Xen is a virtual machine monitor
 Name:    xen
 Version: 4.1.2
-Release: 19%{?dist}
+Release: 20%{?dist}
 Group:   Development/Libraries
 License: GPLv2+ and LGPLv2+ and BSD
 URL:     http://xen.org/
@@ -76,6 +76,9 @@ Patch38: xen-backend.rules.patch
 Patch39: xend.selinux.setuid.patch
 Patch40: pygrub.size.limits.patch
 Patch41: xen-4.1-testing.23297.patch
+Patch42: CVE-2012-0217.patch
+Patch43: CVE-2012-0218.patch
+Patch44: CVE-2012-2934.patch
 
 Patch50: upstream-23936:cdb34816a40a-rework
 Patch51: upstream-23937:5173834e8476
@@ -243,6 +246,9 @@ manage Xen virtual machines.
 %patch39 -p1
 %patch40 -p1
 %patch41 -p1
+%patch42 -p1
+%patch43 -p1
+%patch44 -p1
 
 %patch50 -p1
 %patch51 -p1
@@ -707,6 +713,13 @@ rm -rf %{buildroot}
 %endif
 
 %changelog
+* Tue Jun 12 2012 Michael Young <m.a.young@durham.ac.uk> - 4.1.2-20
+- Apply three security patches
+  64-bit PV guest privilege escalation vulnerability [CVE-2012-0217]
+  guest denial of service on syscall/sysenter exception generation
+    [CVE-2012-0218]
+  PV guest host Denial of Service [CVE-2012-2934]
+
 * Sat Jun 09 2012 Michael Young <m.a.young@durham.ac.uk> - 4.1.2-19
 - adjust xend.service systemd file to avoid selinux problems