diff --git a/xen.spec b/xen.spec
index aa2f0dc..93f49d8 100644
--- a/xen.spec
+++ b/xen.spec
@@ -60,7 +60,7 @@ Summary: Xen is a virtual machine monitor
 Name: xen
 Version: 4.10.0
-Release: 8%{?dist}
+Release: 9%{?dist}
 Group: Development/Libraries
 License: GPLv2+ and LGPLv2+ and BSD
 URL: http://xen.org/
@@ -127,6 +127,8 @@ Patch48: xsa255-1.patch
 Patch49: xsa255-2.patch
 Patch50: xsa256.patch
 Patch51: xen.gcc8.temp.fix.patch
+Patch52: xsa258.patch
+Patch53: xsa259.patch
 %if %build_qemutrad
@@ -345,6 +347,8 @@ manage Xen virtual machines.
 %patch49 -p1
 %patch50 -p1
 %patch51 -p1
+%patch52 -p1
+%patch53 -p1
 # qemu-xen-traditional patches
 pushd tools/qemu-xen-traditional
@@ -881,6 +885,10 @@ fi
 %endif
 %changelog
+* Wed Apr 25 2018 Michael Young - 4.10.0-9
+- Information leak via crafted user-supplied CDROM [XSA-258] (#1571867)
+- x86: PV guest may crash Xen with XPTI [XSA-259] (#1571878)
+
 * Fri Mar 09 2018 Michael Young - 4.10.0-8
 - fix safe-strings patch for OCaml 4.0.6
diff --git a/xsa258.patch b/xsa258.patch
new file mode 100644
index 0000000..900b78b
--- /dev/null
+++ b/xsa258.patch
@@ -0,0 +1,108 @@
+From bf9ab0ec0b632739fe6366391e89a7d4dcf9993b Mon Sep 17 00:00:00 2001
+From: Anthony PERARD
+Date: Thu, 8 Mar 2018 18:16:41 +0000
+Subject: [PATCH] libxl: Specify format of inserted cdrom
+
+Without this extra parameter on the QMP command, QEMU will guess the
+format of the new file.
+
+This is XSA-258.
+
+Reported-by: Anthony PERARD
+Signed-off-by: Anthony PERARD
+Acked-by: Ian Jackson
+---
+ tools/libxl/libxl_device.c | 13 +++++++++++++
+ tools/libxl/libxl_dm.c | 17 ++---------------
+ tools/libxl/libxl_internal.h | 1 +
+ tools/libxl/libxl_qmp.c | 2 ++
+ 4 files changed, 18 insertions(+), 15 deletions(-)
+
+diff --git a/tools/libxl/libxl_device.c b/tools/libxl/libxl_device.c
+index c60cafe774..a4a8e9ac32 100644
+--- a/tools/libxl/libxl_device.c
++++ b/tools/libxl/libxl_device.c
+@@ -462,6 +462,19 @@ char *libxl__device_disk_string_of_backend(libxl_disk_backend backend)
+ }
+ }
+
++const char *libxl__qemu_disk_format_string(libxl_disk_format format)
++{
++ switch (format) {
++ case LIBXL_DISK_FORMAT_QCOW: return "qcow";
++ case LIBXL_DISK_FORMAT_QCOW2: return "qcow2";
++ case LIBXL_DISK_FORMAT_VHD: return "vpc";
++ case LIBXL_DISK_FORMAT_RAW: return "raw";
++ case LIBXL_DISK_FORMAT_EMPTY: return NULL;
++ case LIBXL_DISK_FORMAT_QED: return "qed";
++ default: return NULL;
++ }
++}
++
+ int libxl__device_physdisk_major_minor(const char *physpath, int *major, int *minor)
+ {
+ struct stat buf;
+diff --git a/tools/libxl/libxl_dm.c b/tools/libxl/libxl_dm.c
+index a3cddce8b7..b51178b9fd 100644
+--- a/tools/libxl/libxl_dm.c
++++ b/tools/libxl/libxl_dm.c
+@@ -677,19 +677,6 @@ static int libxl__build_device_model_args_old(libxl__gc *gc,
+ return 0;
+ }
+
+-static const char *qemu_disk_format_string(libxl_disk_format format)
+-{
+- switch (format) {
+- case LIBXL_DISK_FORMAT_QCOW: return "qcow";
+- case LIBXL_DISK_FORMAT_QCOW2: return "qcow2";
+- case LIBXL_DISK_FORMAT_VHD: return "vpc";
+- case LIBXL_DISK_FORMAT_RAW: return "raw";
+- case LIBXL_DISK_FORMAT_EMPTY: return NULL;
+- case LIBXL_DISK_FORMAT_QED: return "qed";
+- default: return NULL;
+- }
+-}
+-
+ static char *dm_spice_options(libxl__gc *gc,
+ const libxl_spice_info *spice)
+ {
+@@ -1516,9 +1503,9 @@ static int libxl__build_device_model_args_new(libxl__gc *gc,
+ * always raw
+ */
+ if (disks[i].backend == LIBXL_DISK_BACKEND_QDISK)
+- format = qemu_disk_format_string(disks[i].format);
++ format = libxl__qemu_disk_format_string(disks[i].format);
+ else
+- format = qemu_disk_format_string(LIBXL_DISK_FORMAT_RAW);
++ format = libxl__qemu_disk_format_string(LIBXL_DISK_FORMAT_RAW);
+
+ if (disks[i].format == LIBXL_DISK_FORMAT_EMPTY) {
+ if (!disks[i].is_cdrom) {
+diff --git a/tools/libxl/libxl_internal.h b/tools/libxl/libxl_internal.h
+index 506687fbe9..0812be5376 100644
+--- a/tools/libxl/libxl_internal.h
++++ b/tools/libxl/libxl_internal.h
+@@ -1202,6 +1202,7 @@ _hidden int libxl__domain_pvcontrol_write(libxl__gc *gc, xs_transaction_t t,
+ /* from xl_device */
+ _hidden char *libxl__device_disk_string_of_backend(libxl_disk_backend backend);
+ _hidden char *libxl__device_disk_string_of_format(libxl_disk_format format);
++_hidden const char *libxl__qemu_disk_format_string(libxl_disk_format format);
+ _hidden int libxl__device_disk_set_backend(libxl__gc*, libxl_device_disk*);
+
+ _hidden int libxl__device_physdisk_major_minor(const char *physpath, int *major, int *minor);
+diff --git a/tools/libxl/libxl_qmp.c b/tools/libxl/libxl_qmp.c
+index eab993aca9..567ed1e772 100644
+--- a/tools/libxl/libxl_qmp.c
++++ b/tools/libxl/libxl_qmp.c
+@@ -982,6 +982,8 @@ int libxl__qmp_insert_cdrom(libxl__gc *gc, int domid,
+ return qmp_run_command(gc, domid, "eject", args, NULL, NULL);
+ } else {
+ qmp_parameters_add_string(gc, &args, "target", disk->pdev_path);
++ qmp_parameters_add_string(gc, &args, "arg",
++ libxl__qemu_disk_format_string(disk->format));
+ return qmp_run_command(gc, domid, "change", args, NULL, NULL);
+ }
+ }
+--
+2.16.2
+
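Review bot: In the libxl_qmp.c hunk the new `"arg"` parameter is given the result of `libxl__qemu_disk_format_string(disk->format)` unchecked, and that helper (added in the libxl_device.c hunk) returns NULL for its `default:` case as well as for LIBXL_DISK_FORMAT_EMPTY; EMPTY takes the `eject` branch just above, but an unrecognised format value reaches the `change` command with a NULL format. What `qmp_parameters_add_string` does with a NULL value is not visible in this patch; if it ends up omitting or blanking the parameter, QEMU is back to probing the image format, which is precisely the behaviour the patch exists to remove. It would be safer to refuse the insert explicitly: `const char *format = libxl__qemu_disk_format_string(disk->format);` then `if (!format) return ERROR_INVAL;` and pass `format` as the `"arg"` value. The enclosing function libxl__qmp_insert_cdrom begins before the hunk, so the handling of `args` on the error path is not visible here.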
diff --git a/xsa259.patch b/xsa259.patch
new file mode 100644
index 0000000..3d6c3b6
--- /dev/null
+++ b/xsa259.patch
@@ -0,0 +1,29 @@
+From: Jan Beulich
+Subject: x86: fix slow int80 path after XPTI additions
+
+For the int80 slow path to jump to handle_exception_saved, %r14 needs to
+be set up suitably for XPTI purposes. This is because of the difference
+in nature between the int80 path (which is synchronous WRT guest
+actions) and the exception path which is potentially asynchronous.
+
+This is XSA-259.
+
+Reported-by: Andrew Cooper
+Signed-off-by: Jan Beulich
+Reviewed-by: Andrew Cooper
+
+--- a/xen/arch/x86/x86_64/entry.S
++++ b/xen/arch/x86/x86_64/entry.S
+@@ -396,6 +396,12 @@ int80_slow_path:
+ movl $TRAP_gp_fault,UREGS_entry_vector(%rsp)
+ /* A GPF wouldn't have incremented the instruction pointer. */
+ subq $2,UREGS_rip(%rsp)
++ /*
++ * While we've cleared xen_cr3 above already, normal exception handling
++ * code has logic to restore the original value from %r15. Therefore we
++ * need to set up %r14 here, while %r15 is required to still be zero.
++ */
++ GET_STACK_END(14)
+ jmp handle_exception_saved
+
+ /* CREATE A BASIC EXCEPTION FRAME ON GUEST OS STACK: */