diff --git a/tigervnc-dont-get-pointer-position-for-floating-device.patch b/tigervnc-dont-get-pointer-position-for-floating-device.patch
new file mode 100644
index 0000000..3bf7dda
--- /dev/null
+++ b/tigervnc-dont-get-pointer-position-for-floating-device.patch
@@ -0,0 +1,13 @@
+diff --git a/unix/xserver/hw/vnc/vncInput.c b/unix/xserver/hw/vnc/vncInput.c
+index b3d0926d..d36a096f 100644
+--- a/unix/xserver/hw/vnc/vncInput.c
++++ b/unix/xserver/hw/vnc/vncInput.c
+@@ -167,7 +167,7 @@ void vncPointerMove(int x, int y)
+ 
+ void vncGetPointerPos(int *x, int *y)
+ {
+-	if (vncPointerDev != NULL) {
++	if (vncPointerDev != NULL && !IsFloating(vncPointerDev)) {
+ 		ScreenPtr ptrScreen;
+ 
+ 		miPointerGetPosition(vncPointerDev, &cursorPosX, &cursorPosY);
diff --git a/tigervnc.spec b/tigervnc.spec
index 464e6bb..aeb7d85 100644
--- a/tigervnc.spec
+++ b/tigervnc.spec
@@ -5,7 +5,7 @@
 
 Name:           tigervnc
 Version:        1.13.1
-Release:        6%{?dist}
+Release:        7%{?dist}
 Summary:        A TigerVNC remote display system
 
 %global _hardened_build 1
@@ -29,14 +29,14 @@ Patch2:         tigervnc-vncsession-restore-script-systemd-service.patch
 Patch50:        tigervnc-support-username-alias-in-plainusers.patch
 Patch51:        tigervnc-use-dup-to-get-available-fd-for-inetd.patch
 
+# Upstreamable patches
+Patch80:        tigervnc-dont-get-pointer-position-for-floating-device.patch
+
 # This is tigervnc-%%{version}/unix/xserver116.patch rebased on the latest xorg
 Patch100:       tigervnc-xserver120.patch
 # 1326867 - [RHEL7.3] GLX applications in an Xvnc session fails to start
 Patch101:       0001-rpath-hack.patch
 
-# Xorg backports
-Patch300:       xorg-rename-boolean-config-value-field-from-bool-to-boolean.patch
-
 BuildRequires:  make
 BuildRequires:  gcc-c++
 BuildRequires:  gettext
@@ -185,7 +185,6 @@ for all in `find . -type f -perm -001`; do
 done
 %patch100 -p1 -b .xserver120-rebased
 %patch101 -p1 -b .rpath
-%patch300 -p1 -b .xorg-rename-boolean-config-value-field-from-bool-to-boolean
 popd
 
 %patch1 -p1 -b .use-gnome-as-default-session
@@ -195,6 +194,9 @@ popd
 %patch50 -p1 -b .support-username-alias-in-plainusers
 %patch51 -p1 -b .use-dup-to-get-available-fd-for-inetd
 
+# Upstreamable patches
+%patch80 -p1 -b .dont-get-pointer-position-for-floating-device
+
 %build
 %ifarch sparcv9 sparc64 s390 s390x
 export CFLAGS="$RPM_OPT_FLAGS -fPIC"
@@ -376,6 +378,16 @@ fi
 %ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename}
 
 %changelog
+* Mon Jan 22 2024 Jan Grulich <jgrulich@redhat.com> - 1.13.1-7
+- Fix CVE-2024-21886 tigervnc: xorg-x11-server: heap buffer overflow in DisableDevice
+  Resolves: RHEL-20389
+- Fix CVE-2024-21885 tigervnc: xorg-x11-server: heap buffer overflow in XISendDeviceHierarchyEvent
+  Resolves: RHEL-20383
+- Fix CVE-2024-0229 tigervnc: xorg-x11-server: reattaching to different master device may lead to out-of-bounds memory access
+  Resolves: RHEL-20533
+- Fix CVE-2023-6816 tigervnc: xorg-x11-server: Heap buffer overflow in DeviceFocusEvent and ProcXIQueryPointer
+  Resolves: RHEL-21213
+
 * Mon Jan 08 2024 Jan Grulich <jgrulich@redhat.com> - 1.13.1-6
 - Use dup() to get available file descriptor when using -inetd option
   Resolves: RHEL-19858
diff --git a/xorg-rename-boolean-config-value-field-from-bool-to-boolean.patch b/xorg-rename-boolean-config-value-field-from-bool-to-boolean.patch
deleted file mode 100644
index 6be0e4f..0000000
--- a/xorg-rename-boolean-config-value-field-from-bool-to-boolean.patch
+++ /dev/null
@@ -1,104 +0,0 @@
-From 454b3a826edb5fc6d0fea3a9cfd1a5e8fc568747 Mon Sep 17 00:00:00 2001
-From: Adam Jackson <ajax@redhat.com>
-Date: Mon, 22 Jul 2019 13:51:06 -0400
-Subject: [PATCH] hw: Rename boolean config value field from bool to boolean
-
-"bool" conflicts with C++ (meh) and stdbool.h (ngh alright fine). This
-is a driver-visible change and will likely break the build for mach64,
-but it can be fixed by simply using xf86ReturnOptValBool like every
-other driver.
-
-Signed-off-by: Adam Jackson <ajax@redhat.com>
----
- hw/xfree86/common/xf86Opt.h    |  2 +-
- hw/xfree86/common/xf86Option.c | 10 +++++-----
- hw/xwin/winconfig.c            | 22 +++++++++++-----------
- hw/xwin/winconfig.h            |  2 +-
- 4 files changed, 18 insertions(+), 18 deletions(-)
-
-diff --git a/hw/xfree86/common/xf86Opt.h b/hw/xfree86/common/xf86Opt.h
-index 3be2a0fc7e..3046fbd417 100644
---- a/hw/xfree86/common/xf86Opt.h
-+++ b/hw/xfree86/common/xf86Opt.h
-@@ -41,7 +41,7 @@ typedef union {
-     unsigned long num;
-     const char *str;
-     double realnum;
--    Bool bool;
-+    Bool boolean;
-     OptFrequency freq;
- } ValueUnion;
-
-diff --git a/hw/xwin/winconfig.c b/hw/xwin/winconfig.c
-index 31894d2fb0..646d690062 100644
---- a/hw/xwin/winconfig.c
-+++ b/hw/xwin/winconfig.c
-@@ -623,7 +623,7 @@ winSetBoolOption(void *optlist, const char *name, int deflt)
-     o.name = name;
-     o.type = OPTV_BOOLEAN;
-     if (ParseOptionValue(-1, optlist, &o))
--        deflt = o.value.bool;
-+        deflt = o.value.boolean;
-     return deflt;
- }
-
-@@ -918,7 +918,7 @@ ParseOptionValue(int scrnIndex, void *options, OptionInfoPtr p)
-         }
-         if ((s = winFindOptionValue(options, newn)) != NULL) {
-             if (GetBoolValue(&opt, s)) {
--                p->value.bool = !opt.value.bool;
-+                p->value.boolean = !opt.value.boolean;
-                 p->found = TRUE;
-             }
-             else {
-@@ -968,25 +968,25 @@ static Bool
- GetBoolValue(OptionInfoPtr p, const char *s)
- {
-     if (*s == 0) {
--        p->value.bool = TRUE;
-+        p->value.boolean = TRUE;
-     }
-     else {
-         if (winNameCompare(s, "1") == 0)
--            p->value.bool = TRUE;
-+            p->value.boolean = TRUE;
-         else if (winNameCompare(s, "on") == 0)
--            p->value.bool = TRUE;
-+            p->value.boolean = TRUE;
-         else if (winNameCompare(s, "true") == 0)
--            p->value.bool = TRUE;
-+            p->value.boolean = TRUE;
-         else if (winNameCompare(s, "yes") == 0)
--            p->value.bool = TRUE;
-+            p->value.boolean = TRUE;
-         else if (winNameCompare(s, "0") == 0)
--            p->value.bool = FALSE;
-+            p->value.boolean = FALSE;
-         else if (winNameCompare(s, "off") == 0)
--            p->value.bool = FALSE;
-+            p->value.boolean = FALSE;
-         else if (winNameCompare(s, "false") == 0)
--            p->value.bool = FALSE;
-+            p->value.boolean = FALSE;
-         else if (winNameCompare(s, "no") == 0)
--            p->value.bool = FALSE;
-+            p->value.boolean = FALSE;
-     }
-     return TRUE;
- }
-diff --git a/hw/xwin/winconfig.h b/hw/xwin/winconfig.h
-index f079368c7c..bd1f596509 100644
---- a/hw/xwin/winconfig.h
-+++ b/hw/xwin/winconfig.h
-@@ -199,7 +199,7 @@ typedef union {
-     unsigned long num;
-     char *str;
-     double realnum;
--    Bool bool;
-+    Bool boolean;
-     OptFrequency freq;
- } ValueUnion;
-
---
-GitLab
-