diff --git a/0001-CVE-2024-9407-validate-bind-propagation-flag-setting.patch b/0001-CVE-2024-9407-validate-bind-propagation-flag-setting.patch index c312ff2..b35476b 100644 --- a/0001-CVE-2024-9407-validate-bind-propagation-flag-setting.patch +++ b/0001-CVE-2024-9407-validate-bind-propagation-flag-setting.patch @@ -1,7 +1,7 @@ From 222f80a6a2ab4efce95bb7c8da3606b5ad4a3170 Mon Sep 17 00:00:00 2001 From: Nalin Dahyabhai Date: Tue, 1 Oct 2024 11:01:45 -0400 -Subject: [PATCH 1/2] CVE-2024-9407: validate "bind-propagation" flag settings +Subject: [PATCH 1/3] CVE-2024-9407: validate "bind-propagation" flag settings CVE-2024-9407: validate that the value for the "bind-propagation" flag when handling "bind" and "cache" mounts in `buildah run` or in RUN @@ -10,12 +10,13 @@ instructions is one of the values that we would accept without the Signed-off-by: Nalin Dahyabhai (cherry picked from commit 732f77064830bb91062d475407b761ade2e4fe6b) +Signed-off-by: Danish Prakash --- internal/volumes/volumes.go | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/internal/volumes/volumes.go b/internal/volumes/volumes.go -index 515f846f3..da6b768fd 100644 +index 515f846f3499..da6b768fdc21 100644 --- a/internal/volumes/volumes.go +++ b/internal/volumes/volumes.go @@ -105,6 +105,12 @@ func GetBindMount(ctx *types.SystemContext, args []string, contextDir string, st @@ -45,5 +46,5 @@ index 515f846f3..da6b768fd 100644 case "id": if !hasArgValue { -- -2.46.2 +2.46.0 diff --git a/0002-conmon-pkg-subscriptions-use-securejoin-for-the-cont.patch b/0002-conmon-pkg-subscriptions-use-securejoin-for-the-cont.patch index 3f965c2..b3b0ea9 100644 --- a/0002-conmon-pkg-subscriptions-use-securejoin-for-the-cont.patch +++ b/0002-conmon-pkg-subscriptions-use-securejoin-for-the-cont.patch @@ -1,7 +1,7 @@ From 290dbe53fdc8c31aa51f0851c57bda0f195fc1a6 Mon Sep 17 00:00:00 2001 
From: Paul Holzinger Date: Wed, 2 Oct 2024 12:15:15 +0200 -Subject: [PATCH 2/2] [conmon] pkg/subscriptions: use securejoin for the +Subject: [PATCH 2/3] [conmon] pkg/subscriptions: use securejoin for the container path MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 @@ -17,12 +17,13 @@ https://github.com/containers/common/commit/5a550b6fe26068dd1d5d2616c8595edf10b4 Signed-off-by: Paul Holzinger Signed-off-by: Dan Čermák +Signed-off-by: Danish Prakash --- .../containers/common/pkg/subscriptions/subscriptions.go | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/vendor/github.com/containers/common/pkg/subscriptions/subscriptions.go b/vendor/github.com/containers/common/pkg/subscriptions/subscriptions.go -index 6845914aa..71ee68a59 100644 +index 6845914aa285..71ee68a5909c 100644 --- a/vendor/github.com/containers/common/pkg/subscriptions/subscriptions.go +++ b/vendor/github.com/containers/common/pkg/subscriptions/subscriptions.go @@ -10,6 +10,7 @@ import ( @@ -47,5 +48,5 @@ index 6845914aa..71ee68a59 100644 if errors.Is(err, os.ErrNotExist) { return nil -- -2.46.2 +2.46.0 diff --git a/0003-Properly-validate-cache-IDs-and-sources.patch b/0003-Properly-validate-cache-IDs-and-sources.patch new file mode 100644 index 0000000..cfc975b --- /dev/null +++ b/0003-Properly-validate-cache-IDs-and-sources.patch 
@@ -0,0 +1,115 @@ +From b48b2e689270ee7cc8c13464cbae1b5405fcb901 Mon Sep 17 00:00:00 2001 +From: Matt Heon +Date: Wed, 9 Oct 2024 15:23:03 -0400 +Subject: [PATCH 3/3] Properly validate cache IDs and sources + +The `--mount type=cache` argument to the `RUN` instruction in +Dockerfiles was using `filepath.Join` on user input, allowing +crafted paths to be used to gain access to paths on the host, +when the command should normally be limited only to Buildah;s own +cache and context directories. Switch to `filepath.SecureJoin` to +resolve the issue. + +Fixes CVE-2024-9675 + +Signed-off-by: Matt Heon +Signed-off-by: Danish Prakash +--- + internal/volumes/volumes.go | 22 +++++++++++++++------- + tests/bud.bats | 34 ++++++++++++++++++++++++++++++++++ + 2 files changed, 49 insertions(+), 7 deletions(-) + +diff --git a/internal/volumes/volumes.go b/internal/volumes/volumes.go +index da6b768fdc21..2dd04d9c32a4 100644 +--- a/internal/volumes/volumes.go ++++ b/internal/volumes/volumes.go +@@ -23,6 +23,7 @@ import ( + "github.com/containers/storage/pkg/idtools" + "github.com/containers/storage/pkg/lockfile" + "github.com/containers/storage/pkg/unshare" ++ digest "github.com/opencontainers/go-digest" + specs "github.com/opencontainers/runtime-spec/specs-go" + selinux "github.com/opencontainers/selinux/go-selinux" + ) +@@ -374,10 +375,13 @@ func GetCacheMount(args []string, store storage.Store, imageMountLabel string, a + return newMount, nil, fmt.Errorf("no stage found with name %s", fromStage) + } + // path should be /contextDir/specified path +- newMount.Source = filepath.Join(mountPoint, filepath.Clean(string(filepath.Separator)+newMount.Source)) ++ evaluated, err := copier.Eval(mountPoint, string(filepath.Separator)+newMount.Source, copier.EvalOptions{}) ++ if err != nil { ++ return newMount, nil, err ++ } ++ newMount.Source = evaluated + } else { +- // we need to create cache on host if no image is being used +- ++ // we need to create the cache directory on the host if no 
image is being used + // since type is cache and cache can be reused by consecutive builds + // create a common cache directory, which persists on hosts within temp lifecycle + // add subdirectory if specified +@@ -391,11 +395,15 @@ func GetCacheMount(args []string, store storage.Store, imageMountLabel string, a + } + + if id != "" { +- newMount.Source = filepath.Join(cacheParent, filepath.Clean(id)) +- buildahLockFilesDir = filepath.Join(BuildahCacheLockfileDir, filepath.Clean(id)) ++ // Don't let the user control where we place the directory. ++ dirID := digest.FromString(id).Encoded()[:16] ++ newMount.Source = filepath.Join(cacheParent, dirID) ++ buildahLockFilesDir = filepath.Join(BuildahCacheLockfileDir, dirID) + } else { +- newMount.Source = filepath.Join(cacheParent, filepath.Clean(newMount.Destination)) +- buildahLockFilesDir = filepath.Join(BuildahCacheLockfileDir, filepath.Clean(newMount.Destination)) ++ // Don't let the user control where we place the directory. ++ dirID := digest.FromString(newMount.Destination).Encoded()[:16] ++ newMount.Source = filepath.Join(cacheParent, dirID) ++ buildahLockFilesDir = filepath.Join(BuildahCacheLockfileDir, dirID) + } + idPair := idtools.IDPair{ + UID: uid, +diff --git a/tests/bud.bats b/tests/bud.bats +index b6982bbc0ee4..e28fc3dd8add 100644 +--- a/tests/bud.bats ++++ b/tests/bud.bats +@@ -6659,3 +6659,37 @@ _EOF + assert "$status" -eq 2 "exit code from ls" + expect_output --substring "No such file or directory" + } ++ ++@test "build-check-cve-2024-9675" { ++ _prefetch alpine ++ ++ touch ${TEST_SCRATCH_DIR}/file.txt ++ ++ cat > ${TEST_SCRATCH_DIR}/Containerfile < ${TEST_SCRATCH_DIR}/Containerfile < ${TEST_SCRATCH_DIR}/cve20249675/Containerfile < + +- Add patch for CVE-2024-9675 (bsc#1231499): + * 0003-Properly-validate-cache-IDs-and-sources.patch +- Rebase patches: + * 0001-CVE-2024-9407-validate-bind-propagation-flag-setting.patch + * 0002-conmon-pkg-subscriptions-use-securejoin-for-the-cont.patch + 
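Review bot: In the `else` branch the cache key is now `digest.FromString(newMount.Destination)` on the raw string, whereas the line it replaces keyed on `filepath.Clean(newMount.Destination)`, so spellings such as `/var/cache` and `/var/cache/` will now resolve to different cache directories unless Destination is normalised earlier in GetCacheMount, which this hunk does not show. Hashing the cleaned value preserves the old sharing behaviour without handing the user back any control over the location: `dirID := digest.FromString(filepath.Clean(newMount.Destination)).Encoded()[:16]`. The `[:16]` truncation (64 bits of the digest, assuming the canonical algorithm stays SHA-256) also deserves a why-comment next to the two "Don't let the user control" comments, e.g. `// 16 hex chars keep paths short; a collision only makes two keys share one cache directory, the same as reusing an ID.` Caches and lock-file directories already on disk under the old `<cacheParent>/<id>` layout will not be reused after this change, and nothing visible here removes them. GetCacheMount starts and ends outside the hunk.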
 -------------------------------------------------------------------
 Wed Oct 2 10:24:41 UTC 2024 - Dan Čermák
diff --git a/buildah.spec b/buildah.spec
index c604e84..868bde1 100644
--- a/buildah.spec
+++ b/buildah.spec
@@ -29,6 +29,7 @@ Source0: %{name}-%{version}.tar.xz
 Source1: %{name}-rpmlintrc
 Patch0: 0001-CVE-2024-9407-validate-bind-propagation-flag-setting.patch
 Patch1: 0002-conmon-pkg-subscriptions-use-securejoin-for-the-cont.patch
+Patch2: 0003-Properly-validate-cache-IDs-and-sources.patch
 BuildRequires: bash-completion
 BuildRequires: device-mapper-devel
 BuildRequires: fdupes