diff --git a/glibc-memset-nontemporal.diff b/glibc-memset-nontemporal.diff
new file mode 100644
index 0000000..413b515
--- /dev/null
+++ b/glibc-memset-nontemporal.diff
@@ -0,0 +1,40 @@
+Fix for bnc #868622, slow memset for large block sizes.
+
+diff --git a/sysdeps/x86_64/memset.S b/sysdeps/x86_64/memset.S
+index db4fb84..9c42018 100644
+--- a/sysdeps/x86_64/memset.S
++++ b/sysdeps/x86_64/memset.S
+@@ -84,6 +84,9 @@ L(loop_start):
+ 	movdqu	%xmm8, -48(%rdi,%rdx)
+ 	movdqu	%xmm8, 48(%rdi)
+ 	movdqu	%xmm8, -64(%rdi,%rdx)
++	mov	__x86_shared_cache_size(%rip),%r9d  # The largest cache size
++	cmp	%r9,%rdx
++	ja	L(nt_move)
+ 	addq	%rdi, %rdx
+ 	andq	$-64, %rdx
+ 	cmpq	%rdx, %rcx
+@@ -99,6 +102,23 @@ L(loop):
+ 	jne	L(loop)
+ 	rep
+ 	ret
++L(nt_move):
++	addq	%rdi, %rdx
++	andq	$-64, %rdx
++	cmpq	%rdx, %rcx
++	je	L(return)
++	.p2align 4
++L(nt_loop):
++	movntdq	%xmm8, (%rcx)
++	movntdq	%xmm8, 16(%rcx)
++	movntdq	%xmm8, 32(%rcx)
++	movntdq	%xmm8, 48(%rcx)
++	addq	$64, %rcx
++	cmpq	%rcx, %rdx
++	jne	L(nt_loop)
++	sfence
++	rep
++	ret
+ L(less_16_bytes):
+ 	movq %xmm8, %rcx
+ 	testb	$24, %dl
diff --git a/glibc-testsuite.changes b/glibc-testsuite.changes
index 891e9f3..0ad0a2d 100644
--- a/glibc-testsuite.changes
+++ b/glibc-testsuite.changes
@@ -1,3 +1,15 @@
+-------------------------------------------------------------------
+Mon Jun 16 08:27:38 UTC 2014 - schwab@suse.de
+
+- psfaa.patch: copy filename argument in posix_spawn_file_actions_addopen
+  (CVE-2014-4043, bnc#882600, BZ #17048)
+
+-------------------------------------------------------------------
+Wed May 28 15:11:45 UTC 2014 - matz@suse.de
+
+- glibc-memset-nontemporal.diff: Speedup memset on x86_64
+  (bnc#868622, BZ #16830)
+
 -------------------------------------------------------------------
 Thu May 15 15:45:03 UTC 2014 - schwab@suse.de
 
diff --git a/glibc-testsuite.spec b/glibc-testsuite.spec
index 8b6b3a9..2b5fe93 100644
--- a/glibc-testsuite.spec
+++ b/glibc-testsuite.spec
@@ -256,6 +256,8 @@ Patch1010:      ibm-long-double-frexpl.patch
 Patch1011:      aarch64-setcontext.patch
 # PATCH-FIX-UPSTREAM Fix unbound stack use in NIS NSS module (BZ #16932)
 Patch1012:      nss-nis-stack-use.patch
+# PATCH-FIX-UPSTREAM posix_spawn_file_actions_addopen needs to copy the path argument (BZ #17048)
+Patch1013:      psfaa.patch
 
 ### 
 # Patches awaiting upstream approval
@@ -270,6 +272,8 @@ Patch2002:      ldd-system-interp.patch
 Patch2003:      abort-no-flush.patch
 # PATCH-FIX-UPSTREAM Properly handle forced elision in pthread_mutex_trylock (BZ #16657)
 Patch2004:      pthread-mutex-trylock-elision.patch
+# PATCH-FIX-UPSTREAM Speedup memset on x86-64 for large block sizes (BZ #16830)
+Patch2005:      glibc-memset-nontemporal.diff
 
 # Non-glibc patches
 # PATCH-FIX-OPENSUSE Remove debianisms from manpages
@@ -483,12 +487,14 @@ rm nscd/s-stamp
 %patch1010 -p1
 %patch1011 -p1
 %patch1012 -p1
+%patch1013 -p1
 
 %patch2000 -p1
 %patch2001 -p1
 %patch2002 -p1
 %patch2003 -p1
 %patch2004 -p1
+%patch2005 -p1
 
 %patch3000
 
diff --git a/glibc-utils.changes b/glibc-utils.changes
index 891e9f3..0ad0a2d 100644
--- a/glibc-utils.changes
+++ b/glibc-utils.changes
@@ -1,3 +1,15 @@
+-------------------------------------------------------------------
+Mon Jun 16 08:27:38 UTC 2014 - schwab@suse.de
+
+- psfaa.patch: copy filename argument in posix_spawn_file_actions_addopen
+  (CVE-2014-4043, bnc#882600, BZ #17048)
+
+-------------------------------------------------------------------
+Wed May 28 15:11:45 UTC 2014 - matz@suse.de
+
+- glibc-memset-nontemporal.diff: Speedup memset on x86_64
+  (bnc#868622, BZ #16830)
+
 -------------------------------------------------------------------
 Thu May 15 15:45:03 UTC 2014 - schwab@suse.de
 
diff --git a/glibc-utils.spec b/glibc-utils.spec
index 8d93109..6acdd36 100644
--- a/glibc-utils.spec
+++ b/glibc-utils.spec
@@ -255,6 +255,8 @@ Patch1010:      ibm-long-double-frexpl.patch
 Patch1011:      aarch64-setcontext.patch
 # PATCH-FIX-UPSTREAM Fix unbound stack use in NIS NSS module (BZ #16932)
 Patch1012:      nss-nis-stack-use.patch
+# PATCH-FIX-UPSTREAM posix_spawn_file_actions_addopen needs to copy the path argument (BZ #17048)
+Patch1013:      psfaa.patch
 
 ### 
 # Patches awaiting upstream approval
@@ -269,6 +271,8 @@ Patch2002:      ldd-system-interp.patch
 Patch2003:      abort-no-flush.patch
 # PATCH-FIX-UPSTREAM Properly handle forced elision in pthread_mutex_trylock (BZ #16657)
 Patch2004:      pthread-mutex-trylock-elision.patch
+# PATCH-FIX-UPSTREAM Speedup memset on x86-64 for large block sizes (BZ #16830)
+Patch2005:      glibc-memset-nontemporal.diff
 
 # Non-glibc patches
 # PATCH-FIX-OPENSUSE Remove debianisms from manpages
@@ -483,12 +487,14 @@ rm nscd/s-stamp
 %patch1010 -p1
 %patch1011 -p1
 %patch1012 -p1
+%patch1013 -p1
 
 %patch2000 -p1
 %patch2001 -p1
 %patch2002 -p1
 %patch2003 -p1
 %patch2004 -p1
+%patch2005 -p1
 
 %patch3000
 
diff --git a/glibc.changes b/glibc.changes
index 891e9f3..0ad0a2d 100644
--- a/glibc.changes
+++ b/glibc.changes
@@ -1,3 +1,15 @@
+-------------------------------------------------------------------
+Mon Jun 16 08:27:38 UTC 2014 - schwab@suse.de
+
+- psfaa.patch: copy filename argument in posix_spawn_file_actions_addopen
+  (CVE-2014-4043, bnc#882600, BZ #17048)
+
+-------------------------------------------------------------------
+Wed May 28 15:11:45 UTC 2014 - matz@suse.de
+
+- glibc-memset-nontemporal.diff: Speedup memset on x86_64
+  (bnc#868622, BZ #16830)
+
 -------------------------------------------------------------------
 Thu May 15 15:45:03 UTC 2014 - schwab@suse.de
 
diff --git a/glibc.spec b/glibc.spec
index f17140d..a4f6b26 100644
--- a/glibc.spec
+++ b/glibc.spec
@@ -256,6 +256,8 @@ Patch1010:      ibm-long-double-frexpl.patch
 Patch1011:      aarch64-setcontext.patch
 # PATCH-FIX-UPSTREAM Fix unbound stack use in NIS NSS module (BZ #16932)
 Patch1012:      nss-nis-stack-use.patch
+# PATCH-FIX-UPSTREAM posix_spawn_file_actions_addopen needs to copy the path argument (BZ #17048)
+Patch1013:      psfaa.patch
 
 ### 
 # Patches awaiting upstream approval
@@ -270,6 +272,8 @@ Patch2002:      ldd-system-interp.patch
 Patch2003:      abort-no-flush.patch
 # PATCH-FIX-UPSTREAM Properly handle forced elision in pthread_mutex_trylock (BZ #16657)
 Patch2004:      pthread-mutex-trylock-elision.patch
+# PATCH-FIX-UPSTREAM Speedup memset on x86-64 for large block sizes (BZ #16830)
+Patch2005:      glibc-memset-nontemporal.diff
 
 # Non-glibc patches
 # PATCH-FIX-OPENSUSE Remove debianisms from manpages
@@ -483,12 +487,14 @@ rm nscd/s-stamp
 %patch1010 -p1
 %patch1011 -p1
 %patch1012 -p1
+%patch1013 -p1
 
 %patch2000 -p1
 %patch2001 -p1
 %patch2002 -p1
 %patch2003 -p1
 %patch2004 -p1
+%patch2005 -p1
 
 %patch3000
 
diff --git a/psfaa.patch b/psfaa.patch
new file mode 100644
index 0000000..f3596ae
--- /dev/null
+++ b/psfaa.patch
@@ -0,0 +1,139 @@
+2014-06-11  Florian Weimer  <fweimer@redhat.com>
+
+	[BZ #17048]
+	* posix/spawn_int.h (struct __spawn_action): Make the path string
+	non-const to support deallocation.
+	* posix/spawn_faction_addopen.c
+	(posix_spawn_file_actions_addopen): Make a copy of the pathname.
+	* posix/spawn_faction_destroy.c
+	(posix_spawn_file_actions_destroy): Adjust comment.  Deallocate
+	path in all spawn_do_open actions.
+	* posix/tst-spawn.c (do_test): Exercise the copy operation in
+	posix_spawn_file_actions_addopen.
+
+Index: glibc-2.19/posix/spawn_faction_addopen.c
+===================================================================
+--- glibc-2.19.orig/posix/spawn_faction_addopen.c
++++ glibc-2.19/posix/spawn_faction_addopen.c
+@@ -18,6 +18,7 @@
+ #include <errno.h>
+ #include <spawn.h>
+ #include <unistd.h>
++#include <string.h>
+ 
+ #include "spawn_int.h"
+ 
+@@ -35,17 +36,24 @@ posix_spawn_file_actions_addopen (posix_
+   if (fd < 0 || fd >= maxfd)
+     return EBADF;
+ 
++  char *path_copy = strdup (path);
++  if (path_copy == NULL)
++    return ENOMEM;
++
+   /* Allocate more memory if needed.  */
+   if (file_actions->__used == file_actions->__allocated
+       && __posix_spawn_file_actions_realloc (file_actions) != 0)
+-    /* This can only mean we ran out of memory.  */
+-    return ENOMEM;
++    {
++      /* This can only mean we ran out of memory.  */
++      free (path_copy);
++      return ENOMEM;
++    }
+ 
+   /* Add the new value.  */
+   rec = &file_actions->__actions[file_actions->__used];
+   rec->tag = spawn_do_open;
+   rec->action.open_action.fd = fd;
+-  rec->action.open_action.path = path;
++  rec->action.open_action.path = path_copy;
+   rec->action.open_action.oflag = oflag;
+   rec->action.open_action.mode = mode;
+ 
+Index: glibc-2.19/posix/spawn_faction_destroy.c
+===================================================================
+--- glibc-2.19.orig/posix/spawn_faction_destroy.c
++++ glibc-2.19/posix/spawn_faction_destroy.c
+@@ -18,11 +18,29 @@
+ #include <spawn.h>
+ #include <stdlib.h>
+ 
+-/* Initialize data structure for file attribute for `spawn' call.  */
++#include "spawn_int.h"
++
++/* Deallocate the file actions.  */
+ int
+ posix_spawn_file_actions_destroy (posix_spawn_file_actions_t *file_actions)
+ {
+-  /* Free the memory allocated.  */
++  /* Free the paths in the open actions.  */
++  for (int i = 0; i < file_actions->__used; ++i)
++    {
++      struct __spawn_action *sa = &file_actions->__actions[i];
++      switch (sa->tag)
++	{
++	case spawn_do_open:
++	  free (sa->action.open_action.path);
++	  break;
++	case spawn_do_close:
++	case spawn_do_dup2:
++	  /* No cleanup required.  */
++	  break;
++	}
++    }
++
++  /* Free the array of actions.  */
+   free (file_actions->__actions);
+   return 0;
+ }
+Index: glibc-2.19/posix/spawn_int.h
+===================================================================
+--- glibc-2.19.orig/posix/spawn_int.h
++++ glibc-2.19/posix/spawn_int.h
+@@ -22,7 +22,7 @@ struct __spawn_action
+     struct
+     {
+       int fd;
+-      const char *path;
++      char *path;
+       int oflag;
+       mode_t mode;
+     } open_action;
+Index: glibc-2.19/posix/tst-spawn.c
+===================================================================
+--- glibc-2.19.orig/posix/tst-spawn.c
++++ glibc-2.19/posix/tst-spawn.c
+@@ -168,6 +168,7 @@ do_test (int argc, char *argv[])
+   char fd2name[18];
+   char fd3name[18];
+   char fd4name[18];
++  char *name3_copy;
+   char *spargv[12];
+   int i;
+ 
+@@ -222,9 +223,15 @@ do_test (int argc, char *argv[])
+    if (posix_spawn_file_actions_addclose (&actions, fd1) != 0)
+      error (EXIT_FAILURE, errno, "posix_spawn_file_actions_addclose");
+    /* We want to open the third file.  */
+-   if (posix_spawn_file_actions_addopen (&actions, fd3, name3,
++   name3_copy = strdup (name3);
++   if (name3_copy == NULL)
++     error (EXIT_FAILURE, errno, "strdup");
++   if (posix_spawn_file_actions_addopen (&actions, fd3, name3_copy,
+ 					 O_RDONLY, 0666) != 0)
+      error (EXIT_FAILURE, errno, "posix_spawn_file_actions_addopen");
++   /* Overwrite the name to check that a copy has been made.  */
++   memset (name3_copy, 'X', strlen (name3_copy));
++
+    /* We dup the second descriptor.  */
+    fd4 = MAX (2, MAX (fd1, MAX (fd2, fd3))) + 1;
+    if (posix_spawn_file_actions_adddup2 (&actions, fd2, fd4) != 0)
+@@ -253,6 +260,7 @@ do_test (int argc, char *argv[])
+    /* Cleanup.  */
+    if (posix_spawn_file_actions_destroy (&actions) != 0)
+      error (EXIT_FAILURE, errno, "posix_spawn_file_actions_destroy");
++   free (name3_copy);
+ 
+   /* Wait for the child.  */
+   if (waitpid (pid, &status, 0) != pid)