diff --git a/n_xorg-wrapper-rename-Xorg.patch b/n_xorg-wrapper-rename-Xorg.patch
new file mode 100644
index 0000000..4563665
--- /dev/null
+++ b/n_xorg-wrapper-rename-Xorg.patch
@@ -0,0 +1,20 @@
+--- xserver-1.20.9/hw/xfree86/xorg-wrapper.c.old 2020-09-24 03:16:27.270885000 +0200
++++ xserver-1.20.9/hw/xfree86/xorg-wrapper.c 2020-09-24 03:18:42.047597000 +0200
+@@ -375,7 +375,7 @@ int main(int argc, char *argv[])
+ }
+ }
+ 
+- snprintf(buf, sizeof(buf), "%s/Xorg", SUID_WRAPPER_DIR);
++ snprintf(buf, sizeof(buf), "%s/Xorg.bin", SUID_WRAPPER_DIR);
+ 
+ /* Check if the server is executable by our real uid */
+ if (access(buf, X_OK) != 0) {
+--- xserver-1.20.9/hw/xfree86/Xorg.sh.in.orig 2020-09-24 03:36:20.690412000 +0200
++++ xserver-1.20.9/hw/xfree86/Xorg.sh.in 2020-09-24 03:36:37.594497000 +0200
+@@ -7,5 +7,5 @@
+ if [ -x "$basedir"/Xorg.wrap ]; then
+ exec "$basedir"/Xorg.wrap "$@"
+ else
+- exec "$basedir"/Xorg "$@"
++ exec "$basedir"/Xorg.bin "$@"
+ fi
diff --git a/u_xorg-wrapper-Xserver-Options-Whitelist-Filter.patch b/u_xorg-wrapper-Xserver-Options-Whitelist-Filter.patch
new file mode 100644
index 0000000..6fb7b47
--- /dev/null
+++ b/u_xorg-wrapper-Xserver-Options-Whitelist-Filter.patch
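Review bot: The new server path is hard-coded in two places, `"%s/Xorg.bin"` in xorg-wrapper.c and `"$basedir"/Xorg.bin` in Xorg.sh.in, and both only work if the spec's %install step really renames the installed binary to Xorg.bin inside the directory the wrapper was built with as SUID_WRAPPER_DIR; neither hunk records that dependency. A one-line comment above the snprintf, such as `/* "Xorg" is now the Xorg.sh dispatch script; the real server is installed as Xorg.bin (see the spec's %install) */`, would keep a later packager from reverting one side only. Note that Xorg.sh.in prefers Xorg.wrap when it is executable and otherwise execs Xorg.bin directly, so an installation without the setuid wrapper still starts the server unprivileged through the script. main() in xorg-wrapper.c and the definition of basedir in Xorg.sh.in both lie outside the hunk.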
@@ -0,0 +1,96 @@ +--- xserver-1.20.9/hw/xfree86/xorg-wrapper.c ++++ xserver-1.20.9/hw/xfree86/xorg-wrapper.c 2020-09-29 12:52:59.256970275 +0200 +@@ -191,6 +191,60 @@ + return 0; + } + ++static int check_vt_range(long int vt) ++{ ++ if (vt >= 2 && vt <= 7 ) { ++ return 1; ++ } ++ ++ return 0; ++} ++ ++/* Xserver option whitelist filter (boo#1175867) */ ++static int option_filter(int argc, char* argv[]){ ++ ++ for(int pos=1; pos + +- u_xorg-wrapper-Xserver-Options-Whitelist-Filter.patch + * replaced by improved version written by Matthias Gerstner of + our security team + + simplified the option parsing code a bit + + changed the "ignore forbidden argument" logic into an "abort + on forbidden argument" logic. This is safer and avoids + surprises on the user's end that could occur if the desired + command line arguments aren't effective but the Xorg server is + still started. + + tried to adjust to the coding style present in the file + (mostly the function name) + + added some logic to apply the option filtering only to + non-root users when Xorg is actually started as root. This + should allow for full flexibility if root calls the wrapper or + if the Xorg server only runs with user privileges. + ------------------------------------------------------------------- Mon Sep 28 10:29:23 UTC 2020 - Stefan Dirsch 
@@ -7,6 +26,21 @@ Mon Sep 28 10:29:23 UTC 2020 - Stefan Dirsch U_Revert-linux-Make-platform-device-probe-less-fragile.patch * fix Xserver startup on Raspberry Pi 3 (boo#1176203) +------------------------------------------------------------------- +Thu Sep 24 01:40:17 UTC 2020 - Stefan Dirsch + +- n_xorg-wrapper-rename-Xorg.patch + * moved Xorg to Xorg.bin and Xorg.sh to Xorg (boo#1175867) +- change default for needs_root_rights to auto in Xwrapper.config + (boo#1175867) + +------------------------------------------------------------------- +Wed Sep 16 10:54:32 UTC 2020 - Stefan Dirsch + +- reenabled SUID wrapper for TW (boo#1175867) +- u_xorg-wrapper-Xserver-Options-Whitelist-Filter.patch + * Xserver option whitelist filter (boo#1175867) + ------------------------------------------------------------------- Wed Sep 9 18:50:37 UTC 2020 - Michael Gorse diff --git a/xorg-x11-server.spec b/xorg-x11-server.spec index d94788e..04a6743 100644 --- a/xorg-x11-server.spec +++ b/xorg-x11-server.spec @@ -26,19 +26,18 @@ %define have_wayland 1 %endif -%define build_suid_wrapper 0 - -%if 0%{!?build_suid_wrapper:1} -%ifarch s390 s390x -%define build_suid_wrapper 0 -%else -%if 0%{?suse_version} >= 1330 %define build_suid_wrapper 1 -%define suid_wrapper_dir %{_libexecdir} -%else -%define build_suid_wrapper 0 -%endif -%endif + +%if 0%{?build_suid_wrapper:1} + %ifarch s390 s390x + %define build_suid_wrapper 0 + %else + %if 0%{?suse_version} >= 1550 + %define suid_wrapper_dir %{_bindir} + %else + %define build_suid_wrapper 0 + %endif + %endif %endif Name: xorg-x11-server 
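Review bot: `%if 0%{?build_suid_wrapper:1}` directly follows the unconditional `%define build_suid_wrapper 1`, so the test is always true and the block reads as if the macro could still be undefined; either drop that `%if`/`%endif` pair or, if a build-time switch is intended, express it with `%bcond_without suid_wrapper` and test `%{with suid_wrapper}`. The nested `%ifarch`/`%if` lines are indented, which rpm accepts but the surrounding hunks of this spec do not do elsewhere. `suid_wrapper_dir` is only defined on the `suse_version >= 1550` branch, which matches its use under the `build_suid_wrapper == 1` guards below, but a short comment such as `# the patched wrapper looks for Xorg.bin in this directory (SUID_WRAPPER_DIR)` next to `%define suid_wrapper_dir %{_bindir}` would explain why it changed from `%{_libexecdir}`.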
@@ -213,6 +212,8 @@ Patch6: N_fix-dpi-values.diff Patch7: N_Install-Avoid-failure-on-wrapper-installation.patch Patch8: u_xorg-wrapper-Drop-supplemental-group-IDs.patch Patch9: u_xorg-wrapper-build-Build-position-independent-code.patch +Patch10: u_xorg-wrapper-Xserver-Options-Whitelist-Filter.patch +Patch11: n_xorg-wrapper-rename-Xorg.patch Patch100: u_01-Improved-ConfineToShape.patch Patch101: u_02-DIX-ConfineTo-Don-t-bother-about-the-bounding-box-when-grabbing-a-shaped-window.patch # PATCH-FIX-UPSTREAM u_x86emu-include-order.patch schwab@suse.de -- Change include order to avoid conflict with system header, remove duplicate definitions @@ -305,8 +306,6 @@ Summary: Xserver SUID Wrapper Group: System/X11/Servers/XF86_4 PreReq: permissions Requires: xorg-x11-server == %{version} -Provides: xorg-x11-server-wayland = 7.6_%{version} -Obsoletes: xorg-x11-server-wayland < 7.6_%{version} %description wrapper This package contains an SUID wrapper for the Xserver. @@ -377,6 +376,8 @@ sh %{SOURCE92} --verify . %{SOURCE91} %patch7 -p1 %patch8 -p1 %patch9 -p1 +%patch10 -p1 +%patch11 -p1 # %patch100 -p1 #%patch101 -p1 @@ -493,6 +494,12 @@ chmod u-s %{buildroot}%{_bindir}/Xorg %__mkdir_p %{buildroot}%{pci_ids_dir} install -m 644 %{S:6} %{buildroot}%{pci_ids_dir} %endif +%if 0%{?build_suid_wrapper} == 1 +mv %{buildroot}%{_bindir}/Xorg \ + %{buildroot}%{_bindir}/Xorg.bin +mv %{buildroot}%{_bindir}/Xorg.sh \ + %{buildroot}%{_bindir}/Xorg +%endif ln -snf Xorg %{buildroot}%{_bindir}/X %if 0%{?suse_version} > 1120 %{__install} -m 644 %{S:5} %{buildroot}%{_datadir}/X11/xorg.conf.d 
@@ -536,6 +543,16 @@ ln -snf %{_sysconfdir}/alternatives/libglx.so %{buildroot}%{_libdir}/xorg/module mkdir -p %{buildroot}/usr/src/xserver xargs cp --parents --target-directory=%{buildroot}/usr/src/xserver < source-file-list +%if 0%{?build_suid_wrapper} == 1 +mkdir -p %{buildroot}%{_sysconfdir}/X11 +cat > %{buildroot}%{_sysconfdir}/X11/Xwrapper.config << EOF +# rootonly, console, anybody +allowed_users=anybody +# yes, no, auto +needs_root_rights=auto +EOF +%endif + %post %tmpfiles_create xbb.conf %ifnarch s390 s390x @@ -616,7 +633,7 @@ fi %ifnarch s390 s390x %{_bindir}/Xorg %if 0%{?build_suid_wrapper} == 1 -%{suid_wrapper_dir}/Xorg +%{_bindir}/Xorg.bin %endif %{_bindir}/X @@ -641,6 +658,8 @@ fi %files wrapper %defattr(-,root,root) %attr(4755,root,root) %{suid_wrapper_dir}/Xorg.wrap +%dir %{_sysconfdir}/X11 +%attr(0644,root,root) %config %{_sysconfdir}/X11/Xwrapper.config %endif %files extra
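Review bot: `%config %{_sysconfdir}/X11/Xwrapper.config` in the `%files wrapper` hunk lets a package update replace an administrator-edited file whenever the shipped content changes, which is the wrong default for a file that decides who may start the setuid X server and with which rights; `%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/X11/Xwrapper.config` keeps the local hardening and leaves the new copy as `.rpmnew`. The defaults written by the heredoc in the `@@ -536,6 +543,16 @@` hunk (`allowed_users=anybody`, `needs_root_rights=auto`) are the permissive end of the documented choices, and presumably rely on the whitelist filter added as Patch10 to contain what a non-root caller can pass to the server; a comment in the heredoc naming boo#1175867 would make that reasoning visible to the next packager. `%dir %{_sysconfdir}/X11` may already be owned by another package on this distribution; if it is, the `%dir` line can be dropped to avoid a shared-ownership conflict.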