diff --git a/SOURCES/nss-3.44-fix-cmac-alignment-crash.patch b/SOURCES/nss-3.44-fix-cmac-alignment-crash.patch
new file mode 100644
index 0000000..3b68ef9
--- /dev/null
+++ b/SOURCES/nss-3.44-fix-cmac-alignment-crash.patch
@@ -0,0 +1,45 @@
+diff --git a/lib/freebl/cmac.c b/lib/freebl/cmac.c
+--- a/lib/freebl/cmac.c
++++ b/lib/freebl/cmac.c
+@@ -22,7 +22,7 @@
+      * add a new Context pointer to the cipher union with the correct type. */
+     CMACCipher cipherType;
+     union {
+-        AESContext aes;
++        AESContext *aes;
+     } cipher;
+     int blockSize;
+ 
+@@ -62,7 +62,7 @@
+ {
+     if (ctx->cipherType == CMAC_AES) {
+         unsigned int tmpOutputLen;
+-        SECStatus rv = AES_Encrypt(&ctx->cipher.aes, output, &tmpOutputLen,
++        SECStatus rv = AES_Encrypt(ctx->cipher.aes, output, &tmpOutputLen,
+                                    ctx->blockSize, input, inputLen);
+ 
+         /* Assumption: AES_Encrypt (when in ECB mode) always returns an
+@@ -156,8 +156,9 @@
+ 
+     ctx->blockSize = AES_BLOCK_SIZE;
+     ctx->cipherType = CMAC_AES;
+-    if (AES_InitContext(&ctx->cipher.aes, key, key_len, NULL, NSS_AES, 1,
+-                        ctx->blockSize) != SECSuccess) {
++    ctx->cipher.aes = AES_CreateContext(key, NULL, NSS_AES, 1, key_len,
++                                        ctx->blockSize);
++    if (ctx->cipher.aes == NULL) {
+         return SECFailure;
+     }
+ 
+@@ -308,8 +309,8 @@
+         return;
+     }
+ 
+-    if (ctx->cipherType == CMAC_AES) {
+-        AES_DestroyContext(&ctx->cipher.aes, PR_FALSE);
++    if (ctx->cipherType == CMAC_AES && ctx->cipher.aes != NULL) {
++        AES_DestroyContext(ctx->cipher.aes, PR_TRUE);
+     }
+ 
+     /* Destroy everything in the context. This includes sensitive data in
+
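Review bot: The AES key schedule now lives in a separate heap allocation owned through `ctx->cipher.aes`, so the wipe announced by the comment at the end of the last hunk ("Destroy everything in the context...") no longer reaches it. Clearing the key material now depends entirely on `AES_DestroyContext(ctx->cipher.aes, PR_TRUE)`, whose body is not shown, so it is worth confirming that it zeroizes before freeing in this NSS version. In the init hunk (`@@ -156,8 +156,9 @@`) the pointer is assigned without releasing any previous value, so re-initialising a live context would leak an AES context, and copying a CMACContext by value would alias it and risk a double free; the enclosing functions start and end outside these hunks, so whether callers ever do either is not visible here. I would document the ownership on the union member, e.g. `/* Owned: allocated by AES_CreateContext, released (and expected to be zeroized) by AES_DestroyContext(..., PR_TRUE) in the destroy path; do not copy the struct by value. */`.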
diff --git a/SOURCES/nss-3.44-fix-swapped-cmac.patch b/SOURCES/nss-3.44-fix-swapped-cmac.patch
new file mode 100644
index 0000000..54684ca
--- /dev/null
+++ b/SOURCES/nss-3.44-fix-swapped-cmac.patch
@@ -0,0 +1,15 @@
+diff --git a/lib/util/pkcs11t.h b/lib/util/pkcs11t.h
+--- a/lib/util/pkcs11t.h
++++ b/lib/util/pkcs11t.h
+@@ -898,8 +898,8 @@
+ #define CKM_AES_CCM 0x00001088
+ #define CKM_AES_CTS 0x00001089
+ /* AES-CMAC values copied from v2.40 errata 1 header file */
+-#define CKM_AES_CMAC_GENERAL 0x0000108A
+-#define CKM_AES_CMAC 0x0000108B
++#define CKM_AES_CMAC 0x0000108A
++#define CKM_AES_CMAC_GENERAL 0x0000108B
+ #define CKM_AES_XCBC_MAC 0x0000108C
+ #define CKM_AES_XCBC_MAC_96 0x0000108D
+ 
+
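Review bot: Swapping the values of `CKM_AES_CMAC` and `CKM_AES_CMAC_GENERAL` changes what an already-compiled caller means by 0x0000108A and 0x0000108B, so any application or PKCS #11 module built against the previous header will request the other mechanism after this update. Because the general variant takes a MAC-length parameter and the plain one does not, that mismatch may surface as a parameter error or a MAC of unexpected length rather than an obvious failure. The header comment gives no hint of this history; I would extend it, e.g. `/* Note: earlier builds of this package had these two values swapped; consumers compiled against them must be rebuilt. */`. It is also worth checking whether anything in the distribution was built against the swapped values.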
diff --git a/SPECS/nss.spec b/SPECS/nss.spec
index 013b644..10e08e2 100644
--- a/SPECS/nss.spec
+++ b/SPECS/nss.spec
@@ -46,7 +46,7 @@ rpm.define(string.format("nss_release_tag NSS_%s_RTM",
 Summary:          Network Security Services
 Name:             nss
 Version:          %{nss_version}
-Release:          14%{?dist}
+Release:          15%{?dist}
 License:          MPLv2.0
 URL:              http://www.mozilla.org/projects/security/pki/nss/
 Requires:         nspr >= %{nspr_version}
@@ -154,6 +154,10 @@ Patch216:         nss-3.44-kbkdf.patch
 Patch217:         nss-3.44-kbkdf-update.patch
 Patch218:         nss-3.44-encrypt-update.patch
 Patch219:         nss-3.44-kbkdf-coverity.patch
+# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1611209
+Patch220:         nss-3.44-fix-swapped-cmac.patch
+# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1610687
+Patch221:         nss-3.44-fix-cmac-alignment-crash.patch
 
 
 %description
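Review bot: Patch220 and Patch221 are declared here, but no `%prep` change is visible in this commit, so whether they are actually applied depends on how the spec applies patches. If it uses explicit `%patchN` lines rather than an automatic mechanism such as `%autopatch`, both fixes would ship declared but unapplied. The `%prep` section is outside this diff, so this is a check to make rather than a confirmed defect. Verifying that the built source tree has `AESContext *aes` in lib/freebl/cmac.c and the corrected `CKM_AES_CMAC` value in lib/util/pkcs11t.h would settle it.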
@@ -928,6 +932,10 @@ update-crypto-policies --no-reload &> /dev/null || :
 
 
 %changelog
+* Fri Jan 31 2020 Bob Relyea <rrelyea@redhat.com> - 3.44.0-15
+- Fix swapped CMAC PKCS #11 values.
+- Fix data alignment crash in CMAC.
+
 * Tue Dec 3 2019 Bob Relyea <rrelyea@redhat.com> - 3.44.0-14
 - Fix coverify scan issue