diff --git a/0003-certprofile-mod-correctly-authorise-config-update.patch b/0003-certprofile-mod-correctly-authorise-config-update.patch
new file mode 100644
index 0000000..d69b785
--- /dev/null
+++ b/0003-certprofile-mod-correctly-authorise-config-update.patch
@@ -0,0 +1,38 @@
+From cca4741602bf60fbc0589116113dd95646fa2888 Mon Sep 17 00:00:00 2001
+From: Fraser Tweedale
+Date: Tue, 15 Nov 2016 14:02:54 +1000
+Subject: [PATCH] certprofile-mod: correctly authorise config update
+
+Certificate profiles consist of an FreeIPA object, and a
+corresponding Dogtag configuration object. When updating profile
+configuration, changes to the Dogtag configuration are not properly
+authorised, allowing unprivileged operators to modify (but not
+create or delete) profiles. This could result in issuance of
+certificates with fraudulent subject naming information, improper
+key usage, or other badness.
+
+Update certprofile-mod to ensure that the operator has permission to
+modify FreeIPA certprofile objects before modifying the Dogtag
+configuration.
+---
+ ipaserver/plugins/certprofile.py | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/ipaserver/plugins/certprofile.py b/ipaserver/plugins/certprofile.py
+index f4466077484591c8e941027fa8e4897602384f7c..2bd3311e3b729b768188d537bf7f675a0f9346c2 100644
+--- a/ipaserver/plugins/certprofile.py
++++ b/ipaserver/plugins/certprofile.py
+@@ -310,6 +310,11 @@ class certprofile_mod(LDAPUpdate):
+ raise errors.ProtectedEntryError(label='certprofile', key=keys[0],
+ reason=_('Certificate profiles cannot be renamed'))
+ if 'file' in options:
++ # ensure operator has permission to update a certprofile
++ if not ldap.can_write(dn, 'ipacertprofilestoreissued'):
++ raise errors.ACIError(info=_(
++ "Insufficient privilege to modify a certificate profile."))
++
+ with self.api.Backend.ra_certprofile as profile_api:
+ profile_api.disable_profile(keys[0])
+ try:
+--
+2.7.4
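Review bot: The authorisation added to certprofile_mod keys on write access to a single attribute, `ipacertprofilestoreissued`, as the proxy for "may modify this profile", but neither the code nor the commit message records why that attribute was chosen, so a later change to the certprofile ACIs could silently widen or narrow this check. A comment at the check would tie the two together, e.g. `# write access to ipacertprofilestoreissued stands in for 'may modify the certprofile object'; keep in step with the certprofile ACIs`. The placement is right in one important respect: the check runs before `profile_api.disable_profile(keys[0])`, so an unauthorised caller cannot leave the Dogtag profile disabled as a side effect. `ldap`, `dn` and `keys` are bound in the enclosing method, which starts before the inner hunk, and the check only guards the `'file' in options` path; that presumably is intended, since plain attribute updates go through the LDAPUpdate ACI check, but it is worth confirming that no other branch of this method touches the Dogtag configuration.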
diff --git a/0004-password-policy-Add-explicit-default-password-policy.patch b/0004-password-policy-Add-explicit-default-password-policy.patch
new file mode 100644
index 0000000..80664af
--- /dev/null
+++ b/0004-password-policy-Add-explicit-default-password-policy.patch
@@ -0,0 +1,188 @@
+From bcb06e1d67b3aefad33db387ce7a7700a224f30c Mon Sep 17 00:00:00 2001
+From: David Kupka
+Date: Thu, 29 Sep 2016 15:59:34 +0200
+Subject: [PATCH] password policy: Add explicit default password policy for
+ hosts and services
+
+Set explicitly krbPwdPolicyReference attribute to all hosts (entries in
+cn=computers,cn=accounts), services (entries in cn=services,cn=accounts) and
+Kerberos services (entries in cn=$REALM,cn=kerberos). This is done using DS's
+CoS so no attributes are really added.
+
+The default policies effectively disable any enforcement or lockout for hosts
+and services. Since hosts and services use keytabs passwords enforcements
+doesn't make much sense. Also the lockout policy could be used for easy and
+cheap DoS.
+---
+ install/updates/20-default_password_policy.update | 133 ++++++++++++++++++++++
+ install/updates/Makefile.am | 1 +
+ ipaserver/install/service.py | 1 +
+ 3 files changed, 135 insertions(+)
+ create mode 100644 install/updates/20-default_password_policy.update
+
+diff --git a/install/updates/20-default_password_policy.update b/install/updates/20-default_password_policy.update
+new file mode 100644
+index 0000000000000000000000000000000000000000..b1f9754a98e9c4b9cb8558e96f7195ea87c2f1ce
+--- /dev/null
++++ b/install/updates/20-default_password_policy.update
+@@ -0,0 +1,133 @@
++# Default password policies for hosts, services and Kerberos services
++# Setting all attributes to zero effectively disables any password policy
++# We can do this because hosts and services uses keytabs instead of passwords
++
++# hosts
++dn: cn=Default Host Password Policy,cn=computers,cn=accounts,$SUFFIX
++default:objectClass: krbPwdPolicy
++default:objectClass: nsContainer
++default:objectClass: top
++default:cn: Default Host Password Policy
++default:krbMinPwdLife: 0
++default:krbPwdMinDiffChars: 0
++default:krbPwdMinLength: 0
++default:krbPwdHistoryLength: 0
++default:krbMaxPwdLife: 0
++default:krbPwdMaxFailure: 0
++default:krbPwdFailureCountInterval: 0
++default:krbPwdLockoutDuration: 0
++
++# services
++dn: cn=Default Service Password Policy,cn=services,cn=accounts,$SUFFIX
++default:objectClass: krbPwdPolicy
++default:objectClass: nsContainer
++default:objectClass: top
++default:cn: Default Service Password Policy
++default:krbMinPwdLife: 0
++default:krbPwdMinDiffChars: 0
++default:krbPwdMinLength: 0
++default:krbPwdHistoryLength: 0
++default:krbMaxPwdLife: 0
++default:krbPwdMaxFailure: 0
++default:krbPwdFailureCountInterval: 0
++default:krbPwdLockoutDuration: 0
++
++# kerberos policy container
++# this is necessary to avoid mixing the Kerberos sevice password policy
++# with group-membership based user password policies
++dn: cn=Kerberos Service Password Policy,cn=$REALM,cn=kerberos,$SUFFIX
++default:objectClass: nsContainer
++default:objectClass: top
++default:cn: Kerberos Service Password Policy
++
++# kerberos services
++dn: cn=Default Kerberos Service Password Policy,cn=Kerberos Service Password Policy,cn=$REALM,cn=kerberos,$SUFFIX
++default:objectClass: krbPwdPolicy
++default:objectClass: nsContainer
++default:objectClass: top
++default:cn: Default Kerberos Service Password Policy
++default:krbMinPwdLife: 0
++default:krbPwdMinDiffChars: 0
++default:krbPwdMinLength: 0
++default:krbPwdHistoryLength: 0
++default:krbMaxPwdLife: 0
++default:krbPwdMaxFailure: 0
++default:krbPwdFailureCountInterval: 0
++default:krbPwdLockoutDuration: 0
++
++# default password policies for hosts, services and kerberos services
++# cosPriority is set intentionally to higher number than FreeIPA API allows
++# to set to ensure that these password policies have always lower priority
++# than any defined by user.
++
++# hosts
++dn: cn=cosTemplates,cn=computers,cn=accounts,$SUFFIX
++default:objectclass: top
++default:objectclass: nsContainer
++default:cn: cosTemplates
++
++dn: cn=Default Password Policy,cn=cosTemplates,cn=computers,cn=accounts,$SUFFIX
++default:objectclass: top
++default:objectclass: cosTemplate
++default:objectclass: extensibleObject
++default:objectclass: krbContainer
++default:cn: Default Password Policy
++default:cosPriority: 10000000000
++default:krbPwdPolicyReference: cn=Default Host Password Policy,cn=computers,cn=accounts,$SUFFIX
++
++dn: cn=Default Password Policy,cn=computers,cn=accounts,$SUFFIX
++default:description: Default Password Policy for Hosts
++default:objectClass: top
++default:objectClass: ldapsubentry
++default:objectClass: cosSuperDefinition
++default:objectClass: cosPointerDefinition
++default:cosTemplateDn: cn=Default Password Policy,cn=cosTemplates,cn=computers,cn=accounts,$SUFFIX
++default:cosAttribute: krbPwdPolicyReference default
++
++# services
++dn: cn=cosTemplates,cn=services,cn=accounts,$SUFFIX
++default:objectclass: top
++default:objectclass: nsContainer
++default:cn: cosTemplates
++
++dn: cn=Default Password Policy,cn=cosTemplates,cn=services,cn=accounts,$SUFFIX
++default:objectclass: top
++default:objectclass: cosTemplate
++default:objectclass: extensibleObject
++default:objectclass: krbContainer
++default:cn: Default Password Policy
++default:cosPriority: 10000000000
++default:krbPwdPolicyReference: cn=Default Service Password Policy,cn=services,cn=accounts,$SUFFIX
++
++dn: cn=Default Password Policy,cn=services,cn=accounts,$SUFFIX
++default:description: Default Password Policy for Services
++default:objectClass: top
++default:objectClass: ldapsubentry
++default:objectClass: cosSuperDefinition
++default:objectClass: cosPointerDefinition
++default:cosTemplateDn: cn=Default Password Policy,cn=cosTemplates,cn=services,cn=accounts,$SUFFIX
++default:cosAttribute: krbPwdPolicyReference default
++
++# kerberos services
++dn: cn=cosTemplates,cn=$REALM,cn=kerberos,$SUFFIX
++default:objectclass: top
++default:objectclass: nsContainer
++default:cn: cosTemplates
++
++dn: cn=Default Password Policy,cn=cosTemplates,cn=$REALM,cn=kerberos,$SUFFIX
++default:objectclass: top
++default:objectclass: cosTemplate
++default:objectclass: extensibleObject
++default:objectclass: krbContainer
++default:cn: Default Password Policy
++default:cosPriority: 10000000000
++default:krbPwdPolicyReference: cn=Default Kerberos Service Password Policy,cn=Kerberos Service Password Policy,cn=$REALM,cn=kerberos,$SUFFIX
++
++dn: cn=Default Password Policy,cn=$REALM,cn=kerberos,$SUFFIX
++default:description: Default Password Policy for Kerberos Services
++default:objectClass: top
++default:objectClass: ldapsubentry
++default:objectClass: cosSuperDefinition
++default:objectClass: cosPointerDefinition
++default:cosTemplateDn: cn=Default Password Policy,cn=cosTemplates,cn=$REALM,cn=kerberos,$SUFFIX
++default:cosAttribute: krbPwdPolicyReference default
+diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am
+index a80256f029f5547b1bc5c2226c9a0a0dd45432f4..e8a55e1734eb9979b34ddb96783902926cc975c0 100644
+--- a/install/updates/Makefile.am
++++ b/install/updates/Makefile.am
+@@ -24,6 +24,7 @@ app_DATA = \
+ 20-winsync_index.update \
+ 20-idoverride_index.update \
+ 20-uuid.update \
++ 20-default_password_policy.update \
+ 21-replicas_container.update \
+ 21-ca_renewal_container.update \
+ 21-certstore_container.update \
+diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py
+index 4cc7012f62c5945839af694e8d8e74179d998b12..6451f92f0d3d768cf4619e8b0e3f52e190b628c8 100644
+--- a/ipaserver/install/service.py
++++ b/ipaserver/install/service.py
+@@ -245,6 +245,7 @@ class Service(object):
+ # There is no service in the wrong location, nothing to do.
+ # This can happen when installing a replica
+ return None
++ entry.pop('krbpwdpolicyreference', None) # don't copy virtual attr
+ newdn = DN(('krbprincipalname', principal), ('cn', 'services'), ('cn', 'accounts'), self.suffix)
+ hostdn = DN(('fqdn', self.fqdn), ('cn', 'computers'), ('cn', 'accounts'), self.suffix)
+ api.Backend.ldap2.delete_entry(entry)
+--
+2.7.4
+
diff --git a/freeipa.spec b/freeipa.spec
index 3030de8..adc14b0 100644
--- a/freeipa.spec
+++ b/freeipa.spec
@@ -38,7 +38,7 @@ Name: freeipa
 Version: %{VERSION}
-Release: 3%{?dist}
+Release: 4%{?dist}
 Summary: The Identity, Policy and Audit system
 Group: System Environment/Base
@@ -49,6 +49,8 @@ BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 Patch0001: 0001-Workarounds-for-SELinux-execmem-violations-in-crypto.patch
 Patch0002: 0002-Support-DAL-version-5-and-version-6.patch
+Patch0003: 0003-certprofile-mod-correctly-authorise-config-update.patch
+Patch0004: 0004-password-policy-Add-explicit-default-password-policy.patch
 %if ! %{ONLY_CLIENT}
 BuildRequires: 389-ds-base-devel >= 1.3.5.6
@@ -1476,6 +1478,11 @@ fi
 %endif # ONLY_CLIENT
 %changelog
+* Wed Dec 14 2016 Pavel Vomacka - 4.4.2-4
+- Fixes 1395311 - CVE-2016-9575 ipa: Insufficient permission check in certprofile-mod
+- Fixes 1370493 - CVE-2016-7030 ipa: DoS attack against kerberized services
+ by abusing password policy
+
 * Tue Nov 29 2016 Petr Vobornik - 4.4.2-3
 - Fixes 1389866 krb5-server: ipadb_change_pwd(): kdb5_util killed by SIGSEGV
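Review bot: The comment on `entry.pop('krbpwdpolicyreference', None)  # don't copy virtual attr` in ipaserver/install/service.py says what is dropped but not why it matters, and the reason is only visible by cross-reading the new update file: its CoS definitions use `cosAttribute: krbPwdPolicyReference default`, under which a real attribute on the entry overrides the virtual one, so copying the computers container's virtual value onto the relocated service entry would presumably pin that service to the Default Host Password Policy instead of letting the service-container CoS apply. Suggest `# krbPwdPolicyReference is CoS-provided (see 20-default_password_policy.update); a real copy would override the service default policy after the move`. The enclosing method of `Service` starts before the inner hunk, so whether `entry` can carry other CoS-provided attributes that should be dropped on the same move cannot be judged from here and is worth a look.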