diff --git a/pptp-1.8.0-call-init-fix.patch b/pptp-1.8.0-call-init-fix.patch
deleted file mode 100644
index 9dbdb26..0000000
--- a/pptp-1.8.0-call-init-fix.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-diff --git a/pptp_ctrl.c b/pptp_ctrl.c
-index 9864374..1948bce 100644
---- a/pptp_ctrl.c
-+++ b/pptp_ctrl.c
-@@ -351,6 +351,7 @@ PPTP_CALL * pptp_call_open(PPTP_CONN * conn, pptp_call_cb callback,
- /* allocate structure. */
- if ((call = malloc(sizeof(*call))) == NULL) return NULL;
- /* Initialize call structure */
-+ memset(call, 0, sizeof(*call));
- call->call_type = PPTP_CALL_PNS;
- call->state.pns = PNS_IDLE;
- call->call_id = (u_int16_t) i;
diff --git a/pptp-1.8.0-call-use-after-free-fix.patch b/pptp-1.8.0-call-use-after-free-fix.patch
new file mode 100644
index 0000000..463fce8
--- /dev/null
+++ b/pptp-1.8.0-call-use-after-free-fix.patch
@@ -0,0 +1,23 @@
+diff --git a/pptp_ctrl.c b/pptp_ctrl.c
+index 9864374..416f416 100644
+--- a/pptp_ctrl.c
++++ b/pptp_ctrl.c
+@@ -928,6 +928,7 @@ int ctrlp_disp(PPTP_CONN * conn, void * buffer, size_t size)
+ PPTP_HEADER_CTRL(PPTP_CALL_CLEAR_NTFY), packet->call_id,
+ 1, PPTP_GENERAL_ERROR_NONE, 0, 0, {0}
+ };
++ int i;
+ log("Received Call Clear Request.");
+ if (vector_contains(conn->call, ntoh16(packet->call_id))) {
+ PPTP_CALL * call;
+@@ -935,8 +936,9 @@ int ctrlp_disp(PPTP_CONN * conn, void * buffer, size_t size)
+ if (call->callback != NULL)
+ call->callback(conn, call, CALL_CLOSE_RQST);
+ if (pptp_send_ctrl_packet(conn, &reply, sizeof(reply))) {
++ i = call->call_id;
+ pptp_call_destroy(conn, call);
+- log("Call closed (RQST) (call id %d)", (int) call->call_id);
++ log("Call closed (RQST) (call id %d)", i);
+ }
+ }
+ break;
diff --git a/pptp-1.8.0-vector-remove-fix.patch b/pptp-1.8.0-vector-remove-fix.patch
new file mode 100644
index 0000000..288a4e9
--- /dev/null
+++ b/pptp-1.8.0-vector-remove-fix.patch
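Review bot: The temporary added at the top of the case block, `int i;`, is declared far from its only use and its name reads as a loop index, so the pairing of `i = call->call_id;` with `log("Call closed (RQST) (call id %d)", i);` at the end of the hunk is easy to misread; declare it beside `PPTP_CALL * call;` inside the `if` as `int call_id;`, assign `call_id = call->call_id;` before `pptp_call_destroy(conn, call);`, and log `call_id`. The change itself is correct: the new side no longer reads `call->call_id` after `pptp_call_destroy` has freed `call`, which was the deref-after-free, and since `call_id` is a `u_int16_t` (the deleted patch above shows `call->call_id = (u_int16_t) i;`) an `int` temporary printed with `%d` needs no cast. The lines between the two hunks, where `call` is presumably looked up from `conn->call`, and the rest of `ctrlp_disp` are outside the hunk, so whether `conn->call` still references the destroyed call afterwards cannot be judged from here.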
@@ -0,0 +1,34 @@
+From ca29b846ccb924df388a1d396a25325c32b2e346 Mon Sep 17 00:00:00 2001
+From: James Cameron
+Date: Thu, 22 Jan 2015 10:36:45 +1100
+Subject: [PATCH] vector: remove clobbered heap
+
+While running vector_test.c under valgrind, observed read and writes
+beyond allocated memory.
+
+Cause was bad calculation of length to move when an item is being
+removed from a vector.
+
+Combined with a shortage of memory (a malloc fail in pptp_conn_open),
+may be a cause of
+https://bugzilla.redhat.com/show_bug.cgi?id=1183627
+---
+ vector.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/vector.c b/vector.c
+index d0b5027..703e523 100644
+--- a/vector.c
++++ b/vector.c
+@@ -115,7 +115,7 @@ int vector_remove(VECTOR *v, int key)
+ assert(v != NULL);
+ if ((tmp =binary_search(v,key)) == NULL) return FALSE;
+ assert(tmp >= v->item && tmp < v->item + v->size);
+- memmove(tmp, tmp + 1, (v->size - (v->item - tmp) - 1) * sizeof(*(v->item)));
++ memmove(tmp, tmp + 1, (v->size - (tmp - v->item) - 1) * sizeof(*(v->item)));
+ v->size--;
+ return TRUE;
+ }
+--
+1.8.3.2
+
diff --git a/pptp.spec b/pptp.spec
index 3e48b94..5660422 100644
--- a/pptp.spec
+++ b/pptp.spec
@@ -1,6 +1,6 @@
 Name: pptp
 Version: 1.8.0
-Release: 5%{?dist}
+Release: 6%{?dist}
 Summary: Point-to-Point Tunneling Protocol (PPTP) Client
 Group: Applications/Internet
 License: GPLv2+
@@ -8,8 +8,9 @@ URL: http://pptpclient.sourceforge.net/
 Source0: http://downloads.sf.net/pptpclient/pptp-%{version}.tar.gz
 Source1: pptp-tmpfs.conf
 Patch0: pptp-1.7.2-pptpsetup-mppe.patch
-# patch sent upstream
-Patch1: pptp-1.8.0-call-init-fix.patch
+# patch from upstream
+Patch1: pptp-1.8.0-vector-remove-fix.patch
+Patch2: pptp-1.8.0-call-use-after-free-fix.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(id -nu)
 BuildRequires: /usr/bin/pod2man
 Requires: ppp >= 2.4.2, /sbin/ip
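Review bot: The corrected `memmove` length in `vector_remove` is right but still hard to audit in one expression; with `idx = tmp - v->item` the old code moved `size + idx - 1` elements instead of `size - idx - 1`, running roughly `2*idx` elements past the end of `v->item` on both the read and the write side (and was accidentally correct only for `idx == 0`, which is why it survived), so I would compute the index once, `ptrdiff_t idx = tmp - v->item;` followed by `memmove(tmp, tmp + 1, (v->size - idx - 1) * sizeof(*tmp));`, with a comment `/* shift the idx+1..size-1 tail down by one slot */`. The only guarantee that this length is non-negative is the preceding `assert(tmp >= v->item && tmp < v->item + v->size)`, which disappears under NDEBUG, so correctness rests on `binary_search` returning a pointer into `item[0..size)`; worth stating in a comment. The message cites vector_test.c but the patch adds no regression case; removing the last element of a multi-element vector (largest `idx`, hence largest over-run in the old code) under valgrind or ASan would pin the fix. The declaration of `tmp` and the rest of `vector_remove` lie above the hunk.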
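Review bot: The provenance comment `# patch from upstream` now applies to Patch1 only, and the new `Patch2: pptp-1.8.0-call-use-after-free-fix.patch` carries no note on whether it was sent upstream or is distribution-local, which is exactly what the removed `# patch sent upstream` line used to record; add a comment above Patch2 such as `# patch sent upstream` (or a link to the upstream bug or commit) so the next rebase knows whether it can be dropped. Since the upstream patch embeds its commit id (`ca29b846…`), the Patch1 comment could also name it for traceability.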
@@ -38,7 +39,8 @@ tunnels.
 # Fedora releases and EL ≥ 5 include MPPE support out of the box (#502967)
 %patch0 -p1 -b .mppe
-%patch1 -p1 -b .call-init-fix
+%patch1 -p1 -b .vector-remove-fix
+%patch2 -p1 -b .call-use-after-free-fix
 # Pacify rpmlint
 perl -pi -e 's/install -o root -m 555 pptp/install -m 755 pptp/;' Makefile
@@ -80,6 +82,11 @@ rm -rf %{buildroot}
 %{_mandir}/man8/pptpsetup.8*
 %changelog
+* Fri Jan 23 2015 Jaroslav Škarvada - 1.8.0-6
+- Replaced call-init-fix patch by vector-remove-fix patch from upstream
+ Related: rhbz#1183627
+- Fixed one deref_after_free (by call-use-after-free-fix patch)
+
 * Tue Jan 20 2015 Jaroslav Škarvada - 1.8.0-5
 - Fixed initialization of the call structure
 Resolves: rhbz#1183627