diff --git a/0001-replace-more-dup-by-F_DUPFD_CLOEXEC.patch b/0001-replace-more-dup-by-F_DUPFD_CLOEXEC.patch
new file mode 100644
index 00000000..0438c3ee
--- /dev/null
+++ b/0001-replace-more-dup-by-F_DUPFD_CLOEXEC.patch
@@ -0,0 +1,39 @@
+From ead349509e325aad720bb0349521a9e56e2ac7c0 Mon Sep 17 00:00:00 2001
+From: Lennart Poettering <lennart@poettering.net>
+Date: Tue, 13 May 2014 16:40:53 +0200
+Subject: [PATCH] replace more dup() by F_DUPFD_CLOEXEC
+
+---
+ src/login/inhibit.c  |    2 +-
+ src/shared/install.c |    2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git src/login/inhibit.c src/login/inhibit.c
+index 48c2ec4..ae3afdf 100644
+--- src/login/inhibit.c
++++ src/login/inhibit.c
+@@ -64,7 +64,7 @@ static int inhibit(sd_bus *bus, sd_bus_error *error) {
+         if (r < 0)
+                 return r;
+ 
+-        r = dup(fd);
++        r = fcntl(fd, F_DUPFD_CLOEXEC, 3);
+         if (r < 0)
+                 return -errno;
+ 
+diff --git src/shared/install.c src/shared/install.c
+index acfba25..9ce9403 100644
+--- src/shared/install.c
++++ src/shared/install.c
+@@ -332,7 +332,7 @@ static int remove_marked_symlinks(
+                 int q, cfd;
+                 deleted = false;
+ 
+-                cfd = dup(fd);
++                cfd = fcntl(fd, F_DUPFD_CLOEXEC, 3);
+                 if (cfd < 0) {
+                         r = -errno;
+                         break;
+-- 
+1.7.9.2
+
diff --git a/0002-pam_systemd-use-F_DUPFD_CLOEXEC-when-dupping-session.patch b/0002-pam_systemd-use-F_DUPFD_CLOEXEC-when-dupping-session.patch
new file mode 100644
index 00000000..06a4521c
--- /dev/null
+++ b/0002-pam_systemd-use-F_DUPFD_CLOEXEC-when-dupping-session.patch
@@ -0,0 +1,26 @@
+From 85c08dc013f9f99b58bc9b79284af0b35304237b Mon Sep 17 00:00:00 2001
+From: Lennart Poettering <lennart@poettering.net>
+Date: Tue, 13 May 2014 16:35:34 +0200
+Subject: [PATCH] pam_systemd: use F_DUPFD_CLOEXEC when dupping session fds
+
+http://lists.freedesktop.org/archives/systemd-devel/2014-May/019034.html
+---
+ src/login/pam-module.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git src/login/pam-module.c src/login/pam-module.c
+index 9873dd5..1259457 100644
+--- src/login/pam-module.c
++++ src/login/pam-module.c
+@@ -475,7 +475,7 @@ _public_ PAM_EXTERN int pam_sm_open_session(
+         }
+ 
+         if (session_fd >= 0) {
+-                session_fd = dup(session_fd);
++                session_fd = fcntl(session_fd, F_DUPFD_CLOEXEC, 3);
+                 if (session_fd < 0) {
+                         pam_syslog(handle, LOG_ERR, "Failed to dup session fd: %m");
+                         return PAM_SESSION_ERR;
+-- 
+1.7.9.2
+
diff --git a/systemd-mini.changes b/systemd-mini.changes
index 620b4e9a..5a840c30 100644
--- a/systemd-mini.changes
+++ b/systemd-mini.changes
@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Wed May 14 07:37:08 UTC 2014 - werner@suse.de
+
+- Add upstram patches
+  0001-replace-more-dup-by-F_DUPFD_CLOEXEC.patch
+  0002-pam_systemd-use-F_DUPFD_CLOEXEC-when-dupping-session.patch
+  to avoid that in pam session unwanted file descriptors are inherited
+
 -------------------------------------------------------------------
 Tue May 13 08:28:05 UTC 2014 - werner@suse.de
 
diff --git a/systemd-mini.spec b/systemd-mini.spec
index 954150b4..af59d0b7 100644
--- a/systemd-mini.spec
+++ b/systemd-mini.spec
@@ -429,6 +429,10 @@ Patch217:       0004-backlight-warn-if-kernel-exposes-backlight-device-wi.patch
 Patch218:       0005-backlight-handle-saved-brightness-exceeding-max-brig.patch
 # PATCH-FIX-SUSE Do not poison kmsg ring buffer with systemd/udev messages (bnc#877021)
 Patch219:       log-target-null-instead-kmsg.patch
+# PATCH-FIX-UPSTREAM added at 2014/05/14
+Patch220:       0001-replace-more-dup-by-F_DUPFD_CLOEXEC.patch
+# PATCH-FIX-UPSTREAM added at 2014/05/14
+Patch221:       0002-pam_systemd-use-F_DUPFD_CLOEXEC-when-dupping-session.patch
 
 # UDEV PATCHES
 # ============
@@ -833,6 +837,8 @@ cp %{SOURCE7} m4/
 %patch217 -p0
 %patch218 -p0
 %patch219 -p1
+%patch220 -p0
+%patch221 -p0
 
 # udev patches
 %patch1001 -p1
diff --git a/systemd.changes b/systemd.changes
index 620b4e9a..5a840c30 100644
--- a/systemd.changes
+++ b/systemd.changes
@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Wed May 14 07:37:08 UTC 2014 - werner@suse.de
+
+- Add upstram patches
+  0001-replace-more-dup-by-F_DUPFD_CLOEXEC.patch
+  0002-pam_systemd-use-F_DUPFD_CLOEXEC-when-dupping-session.patch
+  to avoid that in pam session unwanted file descriptors are inherited
+
 -------------------------------------------------------------------
 Tue May 13 08:28:05 UTC 2014 - werner@suse.de
 
diff --git a/systemd.spec b/systemd.spec
index dc84387e..0de404e3 100644
--- a/systemd.spec
+++ b/systemd.spec
@@ -424,6 +424,10 @@ Patch217:       0004-backlight-warn-if-kernel-exposes-backlight-device-wi.patch
 Patch218:       0005-backlight-handle-saved-brightness-exceeding-max-brig.patch
 # PATCH-FIX-SUSE Do not poison kmsg ring buffer with systemd/udev messages (bnc#877021)
 Patch219:       log-target-null-instead-kmsg.patch
+# PATCH-FIX-UPSTREAM added at 2014/05/14
+Patch220:       0001-replace-more-dup-by-F_DUPFD_CLOEXEC.patch
+# PATCH-FIX-UPSTREAM added at 2014/05/14
+Patch221:       0002-pam_systemd-use-F_DUPFD_CLOEXEC-when-dupping-session.patch
 
 # UDEV PATCHES
 # ============
@@ -828,6 +832,8 @@ cp %{SOURCE7} m4/
 %patch217 -p0
 %patch218 -p0
 %patch219 -p1
+%patch220 -p0
+%patch221 -p0
 
 # udev patches
 %patch1001 -p1