diff --git a/proftpd-tls-crls-issue859.patch b/proftpd-tls-crls-issue859.patch
new file mode 100644
index 0000000..98ccc98
--- /dev/null
+++ b/proftpd-tls-crls-issue859.patch
@@ -0,0 +1,35 @@
+commit 81cc5dce4fc0285629a1b08a07a109af10c208dd
+Author: TJ Saunders <tj@castaglia.org>
+Date:   Sun Nov 24 14:03:54 2019 -0800
+
+    Issue #859, #861: Fix handling of CRL lookups by properly using issuer for
+    lookups, and guarding against null pointers.
+    (CVE-2019-19269, CVE-2019-19270)
+
+diff --git a/contrib/mod_tls.c b/contrib/mod_tls.c
+index 4b74cf989..0e08b0399 100644
+--- a/contrib/mod_tls.c
++++ b/contrib/mod_tls.c
+@@ -9777,10 +9777,10 @@ static int tls_verify_crl(int ok, X509_STORE_CTX *ctx) {
+ 
+ #if OPENSSL_VERSION_NUMBER >= 0x10100000L && \
+     !defined(HAVE_LIBRESSL)
+-  crls = X509_STORE_CTX_get1_crls(store_ctx, subject);
++  crls = X509_STORE_CTX_get1_crls(store_ctx, issuer);
+ #elif OPENSSL_VERSION_NUMBER >= 0x10000000L && \
+       !defined(HAVE_LIBRESSL)
+-  crls = X509_STORE_get1_crls(store_ctx, subject);
++  crls = X509_STORE_get1_crls(store_ctx, issuer);
+ #else
+   /* Your OpenSSL is before 1.0.0.  You really need to upgrade. */
+   crls = NULL;
+@@ -9799,6 +9799,9 @@ static int tls_verify_crl(int ok, X509_STORE_CTX *ctx) {
+         ASN1_INTEGER *sn;
+ 
+         revoked = sk_X509_REVOKED_value(X509_CRL_get_REVOKED(crl), j);
++        if (revoked == NULL) {
++          continue;
++        }
+ #if OPENSSL_VERSION_NUMBER >= 0x10100000L && \
+     !defined(HAVE_LIBRESSL)
+         sn = X509_REVOKED_get0_serialNumber(revoked);
diff --git a/proftpd.changes b/proftpd.changes
index ec7b526..1320f8f 100644
--- a/proftpd.changes
+++ b/proftpd.changes
@@ -1,6 +1,20 @@
+-------------------------------------------------------------------
+Sat Dec 28 20:45:30 UTC 2019 - chris@computersalat.de
+
+- fix changes file
+  * add missing info about boo#1155834
+  * add missing info about boo#1154600
+- fix for boo#1156210
+  * GeoIP has been discontinued by Maxmind
+  * remove module build for geoip
+    see https://support.maxmind.com/geolite-legacy-discontinuation-notice/
+- fix for boo#1157803 (CVE-2019-19269), boo#1157798 (CVE-2019-19270)
+  * add upstream patch proftpd-tls-crls-issue859.patch
+
 -------------------------------------------------------------------
 Sun Nov  3 22:25:28 UTC 2019 - chris@computersalat.de
 
+- fix for boo#1154600 (CVE-2019-18217, gh#846)
 - update to 1.3.6b
   * Fixed pre-authentication remote denial-of-service issue (Issue #846).
   * Backported fix for building mod_sql_mysql using MySQL 8 (Issue #824).
@@ -18,8 +32,9 @@ Sun Nov  3 22:25:28 UTC 2019 - chris@computersalat.de
 -------------------------------------------------------------------
 Sat Nov  2 18:12:51 UTC 2019 - Martin Hauke <mardnh@gmx.de>
 
-- Add missing Requires(pre): group(ftp) for Leap 15 and Tumbleweed
-- Add missing Requires(pre): user(ftp) for Leap 15 and Tumbleweed
+- fix for boo#1155834
+  * Add missing Requires(pre): group(ftp) for Leap 15 and Tumbleweed
+  * Add missing Requires(pre): user(ftp) for Leap 15 and Tumbleweed
 
 -------------------------------------------------------------------
 Wed Oct  2 15:01:11 UTC 2019 - Bernhard Wiedemann <bwiedemann@suse.com>
diff --git a/proftpd.spec b/proftpd.spec
index af8cf06..8d1ecb0 100644
--- a/proftpd.spec
+++ b/proftpd.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package proftpd
 #
-# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2019 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -24,7 +24,7 @@ License:        GPL-2.0-or-later
 Group:          Productivity/Networking/Ftp/Servers
 Version:        1.3.6b
 Release:        0
-Url:            http://www.proftpd.org/
+URL:            http://www.proftpd.org/
 Source0:        ftp://ftp.proftpd.org/distrib/source/%{name}-%{version}.tar.gz
 Source1:        ftp://ftp.proftpd.org/distrib/source/%{name}-%{version}.tar.gz.asc
 Source11:       %{name}.init
@@ -47,6 +47,8 @@ Patch103:       %{name}-strip.patch
 Patch104:       %{name}-no_BuildDate.patch
 #RPMLINT-FIX-openSUSE: env-script-interpreter
 Patch105:       %{name}_env-script-interpreter.patch
+#PATCH-FIX-UPSTREAM: (CVE-2019-19269, CVE-2019-19270)
+Patch200:       %{name}-tls-crls-issue859.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 #BuildRequires:  gpg-offline
 BuildRequires:  fdupes
@@ -54,7 +56,7 @@ BuildRequires:  krb5-devel
 BuildRequires:  libacl-devel
 BuildRequires:  libattr-devel
 #BuildRequires:  libmemcached-devel
-BuildRequires:  libGeoIP-devel
+#BuildRequires:  libGeoIP-devel
 BuildRequires:  mysql-devel
 BuildRequires:  ncurses-devel
 BuildRequires:  openldap2-devel
@@ -155,8 +157,11 @@ rm README.AIX
 %patch104
 %patch105
 
+%patch200 -p1
+
 %build
 rm contrib/mod_wrap.c
+rm contrib/mod_geoip.c
 PROFTPD_SHARED_MODS="$(for spec_mod in $(find contrib -name mod_\*.c|sort); do echo "$(basename ${spec_mod%%.c})"; done | tr '\n' ':' | sed -e 's|:$||')"
 export CFLAGS="%{optflags} -D_GNU_SOURCE -DLDAP_DEPRECATED"
 export CXXFLAGS="$CFLAGS"