diff --git a/SOURCES/dhcp-CVE-2022-2928.patch b/SOURCES/dhcp-CVE-2022-2928.patch
new file mode 100644
index 0000000..485b1d8
--- /dev/null
+++ b/SOURCES/dhcp-CVE-2022-2928.patch
@@ -0,0 +1,32 @@
+diff --git a/common/options.c b/common/options.c
+index ed8ac38..addc65a 100644
+--- a/common/options.c
++++ b/common/options.c
+@@ -4397,6 +4397,8 @@ add_option(struct option_state *options,
+ if (!option_cache_allocate(&oc, MDL)) {
+ log_error("No memory for option cache adding %s (option %d).",
+ option->name, option_num);
++ /* Get rid of reference created during hash lookup. */
++ option_dereference(&option, MDL);
+ return 0;
+ }
+
+@@ -4408,6 +4410,8 @@ add_option(struct option_state *options,
+ MDL)) {
+ log_error("No memory for constant data adding %s (option %d).",
+ option->name, option_num);
++ /* Get rid of reference created during hash lookup. */
++ option_dereference(&option, MDL);
+ option_cache_dereference(&oc, MDL);
+ return 0;
+ }
+@@ -4416,6 +4420,9 @@ add_option(struct option_state *options,
+ save_option(&dhcp_universe, options, oc);
+ option_cache_dereference(&oc, MDL);
+
++ /* Get rid of reference created during hash lookup. */
++ option_dereference(&option, MDL);
++
+ return 1;
+ }
+
diff --git a/SOURCES/dhcp-CVE-2022-2929.patch b/SOURCES/dhcp-CVE-2022-2929.patch
new file mode 100644
index 0000000..d719bf6
--- /dev/null
+++ b/SOURCES/dhcp-CVE-2022-2929.patch
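Review bot: The new `option_dereference(&option, MDL)` calls cover the three exit paths shown, but add_option begins before the first hunk, so any `return 0` between the hash lookup that takes the reference and the `option_cache_allocate` call at line 4397 is not visible here and would still leak; please confirm there is none in this 4.3.6 tree. On both error paths the order is right as written — `log_error` reads `option->name` before the reference is dropped — and that ordering must be kept if these lines are ever moved. Since the same two-line release now appears three times, a short comment where `option` is obtained from the lookup would make the contract explicit, e.g. `/* The hash lookup takes a reference on option; every exit path below must drop it. */`.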
@@ -0,0 +1,25 @@
+diff --git a/common/options.c b/common/options.c
+index addc65a..3e6383a 100644
+--- a/common/options.c
++++ b/common/options.c
+@@ -435,16 +435,16 @@ int fqdn_universe_decode (struct option_state *options,
+ while (s < &bp -> data[0] + length + 2) {
+ len = *s;
+ if (len > 63) {
+- log_info ("fancy bits in fqdn option");
+- return 0;
++ log_info ("label length exceeds 63 in fqdn option");
++ goto bad;
+ }
+ if (len == 0) {
+ terminated = 1;
+ break;
+ }
+ if (s + len > &bp -> data [0] + length + 3) {
+- log_info ("fqdn tag longer than buffer");
+- return 0;
++ log_info ("fqdn label longer than buffer");
++ goto bad;
+ }
+
+ if (first_len == 0) {
diff --git a/SOURCES/dhcp-dhcp6-vendor-opts.patch b/SOURCES/dhcp-dhcp6-vendor-opts.patch
new file mode 100644
index 0000000..4bd685e
--- /dev/null
+++ b/SOURCES/dhcp-dhcp6-vendor-opts.patch
@@ -0,0 +1,12 @@
+diff --git a/common/options.c b/common/options.c
+index 3e6383a..9216ae4 100644
+--- a/common/options.c
++++ b/common/options.c
+@@ -1122,7 +1122,6 @@ store_options6(char *buf, int buflen,
+ */
+ if (code == vsio_option_code) {
+ vsio_wanted = 1;
+- continue;
+ }
+
+ /*
diff --git a/SOURCES/dhcp-omshell-hmac-sha512-support.patch b/SOURCES/dhcp-omshell-hmac-sha512-support.patch
new file mode 100644
index 0000000..3c07ea8
--- /dev/null
+++ b/SOURCES/dhcp-omshell-hmac-sha512-support.patch
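Review bot: Both new `goto bad` statements target a label that is outside this hunk, so the backport only closes the leak if `fqdn_universe_decode` in this 4.3.6 tree already has a `bad:` label that releases `bp` (presumably via a dereference) and returns 0; please confirm the label exists and does that, otherwise the patch fails to compile or still leaks. Anything after `if (first_len == 0) {`, including the rest of the loop and the post-loop code, is outside the hunk, so any remaining bare `return 0` after `bp` is allocated needs the same treatment. The function starts and ends outside the hunk.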
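Review bot: With the `continue` removed, an iteration where `code == vsio_option_code` now falls through into the generic encoding that follows this hunk as well as setting `vsio_wanted`, so if the later `vsio_wanted` handling in `store_options6` also emits the option with code `vsio_option_code` itself, a client could receive it twice; please confirm that path only handles the VSIO sub-universe or is otherwise guarded. The comment closed by the `*/` on the first context line presumably still says this option is skipped here and should be reworded, e.g. `/* The vendor-specific information option is encoded like any other option; vsio_wanted only records that it was requested. */`. The enclosing function starts and ends outside the hunk.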
@@ -0,0 +1,155 @@
+diff --git a/omapip/connection.c b/omapip/connection.c
+index a74becc..56826a5 100644
+--- a/omapip/connection.c
++++ b/omapip/connection.c
+@@ -46,6 +46,9 @@ extern omapi_array_t *trace_listeners;
+ #endif
+ static isc_result_t omapi_connection_connect_internal (omapi_object_t *);
+
++static isc_result_t ctring_from_attribute(omapi_object_t *obj, char *attr_name,
++ char **cstr);
++
+ OMAPI_OBJECT_ALLOC (omapi_connection,
+ omapi_connection_object_t, omapi_type_connection)
+
+@@ -765,64 +768,41 @@ isc_result_t omapi_connection_reaper (omapi_object_t *h)
+ }
+
+ static isc_result_t make_dst_key (dst_key_t **dst_key, omapi_object_t *a) {
+- omapi_value_t *name = (omapi_value_t *)0;
+- omapi_value_t *algorithm = (omapi_value_t *)0;
+- omapi_value_t *key = (omapi_value_t *)0;
+- char *name_str = NULL;
++ omapi_value_t *key = 0;
++ char *name_str = 0;
++ char *algorithm_str = 0;
+ isc_result_t status = ISC_R_SUCCESS;
+
+- if (status == ISC_R_SUCCESS)
+- status = omapi_get_value_str
+- (a, (omapi_object_t *)0, "name", &name);
+-
+- if (status == ISC_R_SUCCESS)
+- status = omapi_get_value_str
+- (a, (omapi_object_t *)0, "algorithm", &algorithm);
+-
+- if (status == ISC_R_SUCCESS)
+- status = omapi_get_value_str
+- (a, (omapi_object_t *)0, "key", &key);
+-
++ /* Get the key name as a C string. */
++ status = ctring_from_attribute(a, "name", &name_str);
+ if (status == ISC_R_SUCCESS) {
+- if ((algorithm->value->type != omapi_datatype_data &&
+- algorithm->value->type != omapi_datatype_string) ||
+- strncasecmp((char *)algorithm->value->u.buffer.value,
+- NS_TSIG_ALG_HMAC_MD5 ".",
+- algorithm->value->u.buffer.len) != 0) {
+- status = DHCP_R_INVALIDARG;
++ /* Get the algorithm name as a C string. */
++ status = ctring_from_attribute(a, "algorithm", &algorithm_str);
++ if (status == ISC_R_SUCCESS) {
++ /* Get the key secret value */
++ status = omapi_get_value_str(a, 0, "key", &key);
++ if (status == ISC_R_SUCCESS) {
++ /* Now let's try and create the key */
++ status = isclib_make_dst_key(
++ name_str,
++ algorithm_str,
++ key->value->u.buffer.value,
++ key->value->u.buffer.len,
++ dst_key);
++
++ if (*dst_key == NULL) {
++ status = ISC_R_NOMEMORY;
++ }
++ }
++ }
+ }
+ }
+
+- if (status == ISC_R_SUCCESS) {
+- name_str = dmalloc (name -> value -> u.buffer.len + 1, MDL);
+- if (!name_str)
+- status = ISC_R_NOMEMORY;
+- }
+-
+- if (status == ISC_R_SUCCESS) {
+- memcpy (name_str,
+- name -> value -> u.buffer.value,
+- name -> value -> u.buffer.len);
+- name_str [name -> value -> u.buffer.len] = 0;
+-
+- status = isclib_make_dst_key(name_str,
+- DHCP_HMAC_MD5_NAME,
+- key->value->u.buffer.value,
+- key->value->u.buffer.len,
+- dst_key);
+-
+- if (*dst_key == NULL)
+- status = ISC_R_NOMEMORY;
+- }
+-
+ if (name_str)
+ dfree (name_str, MDL);
++ if (algorithm_str)
++ dfree (algorithm_str, MDL);
+ if (key)
+ omapi_value_dereference (&key, MDL);
+- if (algorithm)
+- omapi_value_dereference (&algorithm, MDL);
+- if (name)
+- omapi_value_dereference (&name, MDL);
+
+ return status;
+ }
+@@ -1105,3 +1085,50 @@ isc_result_t omapi_connection_stuff_values (omapi_object_t *c,
+ m -> inner);
+ return ISC_R_SUCCESS;
+ }
++
++/* @brief Fetches the value of an attribute in an object as an allocated
++ * C string
++ *
++ * @param obj ompapi object containing the desire attribute
++ * @param attr_name name of the desired attribute
++ * @param[out] cstr pointer in which to place the allocated C string's address
++ *
++ * Caller is responsible for freeing (via dfree) the allocated string.
++ *
++ * @return ISC_R_SUCCESS if successful, otherwise indicates the type of failure
++*/
++static isc_result_t ctring_from_attribute(omapi_object_t *obj, char *attr_name,
++ char **cstr) {
++ isc_result_t status = ISC_R_SUCCESS;
++ omapi_value_t *attr = 0;
++
++ /* Find the attribute in the object. */
++ status = omapi_get_value_str(obj, (omapi_object_t *)0, attr_name,
++ &attr);
++ if (status != ISC_R_SUCCESS) {
++ return (status);
++ }
++
++ /* Got it, let's make sure it's either data or string type. */
++ if (attr->value->type != omapi_datatype_data &&
++ attr->value->type != omapi_datatype_string) {
++ return (DHCP_R_INVALIDARG);
++ }
++
++ /* Make a C string from the attribute value. */
++ *cstr = dmalloc (attr->value->u.buffer.len + 1, MDL);
++ if (!(*cstr)) {
++ status = ISC_R_NOMEMORY;
++ } else {
++ memcpy (*cstr, attr->value->u.buffer.value,
++ attr->value->u.buffer.len);
++ (*cstr)[attr->value->u.buffer.len] = 0;
++ }
++
++ /* Get rid of the attribute reference */
++ if (attr) {
++ omapi_value_dereference (&attr, MDL);
++ }
++
++ return (status);
++}
diff --git a/SPECS/dhcp.spec b/SPECS/dhcp.spec
index 6c42b67..af0ed6b 100644
--- a/SPECS/dhcp.spec
+++ b/SPECS/dhcp.spec
@@ -16,7 +16,7 @@
 Summary: Dynamic host configuration protocol software
 Name: dhcp
 Version: 4.3.6
-Release: 47.itix1%{?dist}
+Release: 49.itix1%{?dist}
 # NEVER CHANGE THE EPOCH on this package. The previous maintainer (prior to
 # dcantrell maintaining the package) made incorrect use of the epoch and
 # that's why it is at 12 now. It should have never been used, but it was.
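Review bot: In the new `ctring_from_attribute`, the `return (DHCP_R_INVALIDARG)` taken when the attribute is neither data nor string type leaves the `omapi_value_t` obtained from `omapi_get_value_str` referenced, because the only `omapi_value_dereference(&attr, MDL)` is at the bottom of the function; a non-string `name` or `algorithm` attribute sent over OMAPI therefore leaks a reference on every call. Route that branch through the common cleanup instead of returning early, as below; the `if (attr)` guard around the dereference is then redundant, since `attr->value->type` has already been read and `attr` is known non-NULL. Separately, the helper's name and doc comment carry typos (`ctring`, `ompapi`, `desire`) — `cstring_from_attribute` and `omapi object containing the desired attribute` read better, though renaming also touches the prototype added at line 49. The `key` value fetched with `omapi_get_value_str(a, 0, "key", &key)` in `make_dst_key` is still used as a buffer without the type check the helper applies to the other two attributes; that matches the old code but deserves a comment saying so.
```c
	/* Got it, let's make sure it's either data or string type. */
	if (attr->value->type != omapi_datatype_data &&
	    attr->value->type != omapi_datatype_string) {
		status = DHCP_R_INVALIDARG;
	} else {
		/* Make a C string from the attribute value. */
		*cstr = dmalloc (attr->value->u.buffer.len + 1, MDL);
		if (!(*cstr)) {
			status = ISC_R_NOMEMORY;
		} else {
			memcpy (*cstr, attr->value->u.buffer.value,
				attr->value->u.buffer.len);
			(*cstr)[attr->value->u.buffer.len] = 0;
		}
	}

	/* Get rid of the attribute reference on every path, including
	 * the invalid-type one. */
	omapi_value_dereference (&attr, MDL);

	return (status);
```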
@@ -84,7 +84,11 @@ Patch48: dhcp-bind-9.11.patch
 Patch49: dhcp-detect-system-time-jumps.patch
 Patch50: dhcp-key_algorithm.patch
 Patch51: dhcp-statement_parser.patch
-Patch52: dhcp-orange-fibre.patch
+Patch52: dhcp-omshell-hmac-sha512-support.patch
+Patch53: dhcp-CVE-2022-2928.patch
+Patch54: dhcp-CVE-2022-2929.patch
+Patch55: dhcp-dhcp6-vendor-opts.patch
+Patch56: dhcp-orange-fibre.patch
 BuildRequires: autoconf
 BuildRequires: automake
@@ -367,9 +371,21 @@ rm bind/bind.tar.gz
 # https://bugzilla.redhat.com/show_bug.cgi?id=1963807
 %patch51 -p1
+# https://bugzilla.redhat.com/show_bug.cgi?id=2016248
+%patch52 -p1
+
+# https://bugzilla.redhat.com/show_bug.cgi?id=2132248
+%patch53 -p1
+
+# https://bugzilla.redhat.com/show_bug.cgi?id=2132245
+%patch54 -p1
+
+# https://bugzilla.redhat.com/show_bug.cgi?id=2142024
+%patch55 -p1
+
 # Patch for the Orange Fibre ISP
 # https://lafibre.info/remplacer-livebox/en-cours-remplacer-sa-livebox-par-un-routeur-ubiquiti-edgemax/msg319883/#msg319883
-%patch52 -p1
+%patch56 -p1
 # Update paths in all man pages
 for page in client/dhclient.conf.5 client/dhclient.leases.5 \
@@ -704,6 +720,14 @@ done
 %endif
 %changelog
+* Tue Oct 11 2022 Martin Osvald - 12:4.3.6-49
+- Fix for CVE-2022-2928
+- Fix for CVE-2022-2929
+- send back dhcp6.vendor-opts again (#2142024)
+
+* Tue May 10 2022 Martin Osvald - 12:4.3.6-48
+- omshell: add support for hmac-sha512 algorithm (#2016248)
+
 * Tue Dec 21 2021 Petr Menšík - 12:4.3.6-47
 - Rebuilt on a new side-tag (#2022715)