diff --git a/exiv2.spec b/exiv2.spec index be01756..d9537df 100644 --- a/exiv2.spec +++ b/exiv2.spec @@ -5,7 +5,7 @@ Summary: Exif and Iptc metadata manipulation library Name: exiv2 Version: 0.27.3 %global internal_ver %{version} -Release: 6%{?dist} +Release: 7%{?dist} License: GPLv2+ URL: http://www.exiv2.org/ @@ -17,6 +17,13 @@ Source0: http://exiv2.org/builds/%{name}-%{version}-Source.tar.gz ## upstream patches +## security fixes +Patch50: exiv2-CVE-2021-3482.patch +Patch51: exiv2-CVE-2021-29457.patch +Patch52: exiv2-CVE-2021-29458.patch +Patch53: exiv2-CVE-2021-29470.patch +Patch54: exiv2-CVE-2021-29473.patch + ## upstreamable patches # don't unconditionally use -fcf-protection flag, not supported on all archs # fedora already includes this on archs that do support it @@ -135,6 +142,14 @@ test -x %{buildroot}%{_libdir}/libexiv2.so %changelog +* Mon May 03 2021 Jan Grulich - 0.27.3-7 +- CVE-2021-3482: Fix heap-based buffer overflow in Jp2Image::readMetadata() + CVE-2021-29458 exiv2: out-of-bounds read in Exiv2::Internal::CrwMap::encode + CVE-2021-29457 exiv2: heap-based buffer overflow in Exiv2::Jp2Image::doWriteMetadata + CVE-2021-29470 exiv2: out-of-bounds read in Exiv2::Jp2Image::encodeJp2Header + CVE-2021-29473 exiv2: out-of-bounds read in Exiv2::Jp2Image::doWriteMetadata + Resolves: bz#1956174 + * Thu Apr 15 2021 Mohan Boddu - 0.27.3-6 - Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
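Review bot: the `Patch50`–`Patch54` declarations added under the new `## security fixes` header have no matching application step anywhere in this diff; the only other hunks touch `Release:` and `%changelog`, and `%prep` is unchanged. If the spec applies patches with explicit `%patchN -p1` lines rather than `%autosetup -p1` or `%autopatch`, the five fixes would be declared but never applied and the build would still succeed, so please confirm how `%prep` consumes them (or add the `%patch50 -p1` … `%patch54 -p1` lines in the same change). Since the patch file names carry only the CVE ids, it would also help to record the upstream commit each one was backported from in the patch header, so the backport can be verified against exiv2 upstream later.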
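Review bot: in the `%changelog` hunk only the first CVE is a bullet (`- CVE-2021-3482: Fix heap-based buffer overflow in Jp2Image::readMetadata()`); the other four lines begin with a space and therefore render as continuation text of that single item, and the descriptions mix two formats (`CVE-2021-3482: Fix ...` versus `CVE-2021-29458 exiv2: out-of-bounds read in ...`). One `- ` bullet per CVE in a single consistent form would make the entry scannable by tooling that maps changelog lines to CVE ids. The bug reference also switches style: the 0.27.3-6 entry uses `Related: rhbz#1947937`, while this one uses `Resolves: bz#1956174`; keep `rhbz#` for consistency with the existing entries.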