diff --git a/tomcat-9.0.43-CVE-2021-43980.patch b/tomcat-9.0.43-CVE-2021-43980.patch
new file mode 100644
index 0000000..b667c46
--- /dev/null
+++ b/tomcat-9.0.43-CVE-2021-43980.patch
@@ -0,0 +1,181 @@ +From 170e0f792bd18ff031677890ba2fe50eb7a376c1 Mon Sep 17 00:00:00 2001 +From: Mark Thomas +Date: Tue, 29 Mar 2022 19:15:37 +0100 +Subject: [PATCH] Improve the recycling of Processor objects to make it more + robust. + +--- + java/org/apache/coyote/AbstractProtocol.java | 32 ++++++++++--------- + .../tomcat/util/net/SocketWrapperBase.java | 17 +++++++--- + webapps/docs/changelog.xml | 4 +++ + 3 files changed, 33 insertions(+), 20 deletions(-) + +Index: apache-tomcat-9.0.43-src/java/org/apache/coyote/AbstractProtocol.java +=================================================================== +--- apache-tomcat-9.0.43-src.orig/java/org/apache/coyote/AbstractProtocol.java ++++ apache-tomcat-9.0.43-src/java/org/apache/coyote/AbstractProtocol.java +@@ -794,7 +794,11 @@ public abstract class AbstractProtocol socketWrapper) { +- Processor processor = (Processor) socketWrapper.getCurrentProcessor(); +- socketWrapper.setCurrentProcessor(null); ++ Processor processor = (Processor) socketWrapper.takeCurrentProcessor(); + release(processor); + } + +Index: apache-tomcat-9.0.43-src/java/org/apache/tomcat/util/net/SocketWrapperBase.java +=================================================================== +--- apache-tomcat-9.0.43-src.orig/java/org/apache/tomcat/util/net/SocketWrapperBase.java ++++ apache-tomcat-9.0.43-src/java/org/apache/tomcat/util/net/SocketWrapperBase.java +@@ -29,6 +29,7 @@ import java.util.concurrent.RejectedExec + import java.util.concurrent.Semaphore; + import java.util.concurrent.TimeUnit; + import java.util.concurrent.atomic.AtomicBoolean; ++import java.util.concurrent.atomic.AtomicReference; + + import org.apache.juli.logging.Log; + import org.apache.juli.logging.LogFactory; +@@ -104,10 +105,12 @@ public abstract class SocketWrapperBase< + protected volatile OperationState writeOperation = null; + + /** +- * The org.apache.coyote.Processor instance currently associated +- * with the wrapper. 
++ * The org.apache.coyote.Processor instance currently associated with the ++ * wrapper. Only populated when required to maintain wrapper<->Processor ++ * mapping between calls to ++ * {@link AbstractEndpoint.Handler#process(SocketWrapperBase, SocketEvent)}. + */ +- protected Object currentProcessor = null; ++ private final AtomicReference currentProcessor = new AtomicReference<>(); + + public SocketWrapperBase(E socket, AbstractEndpoint endpoint) { + this.socket = socket; +@@ -134,11 +137,15 @@ public abstract class SocketWrapperBase< + } + + public Object getCurrentProcessor() { +- return currentProcessor; ++ return currentProcessor.get(); + } + + public void setCurrentProcessor(Object currentProcessor) { +- this.currentProcessor = currentProcessor; ++ this.currentProcessor.set(currentProcessor); ++ } ++ ++ public Object takeCurrentProcessor() { ++ return currentProcessor.getAndSet(null); + } + + /** +Index: apache-tomcat-9.0.43-src/webapps/docs/changelog.xml +=================================================================== +--- apache-tomcat-9.0.43-src.orig/webapps/docs/changelog.xml ++++ apache-tomcat-9.0.43-src/webapps/docs/changelog.xml +@@ -485,6 +485,10 @@ + Fix a concurrency issue in the NIO connector that could cause newly + created connections to be removed from the poller. (markt) + ++ ++ Improve the recycling of Processor objects to make it more robust. ++ (markt) ++ + + + diff --git a/tomcat-9.0.43-CVE-2022-42252.patch b/tomcat-9.0.43-CVE-2022-42252.patch new file mode 100644 index 0000000..85b84e2 --- /dev/null +++ b/tomcat-9.0.43-CVE-2022-42252.patch 
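Review bot: `takeCurrentProcessor()` makes the detach atomic via `getAndSet(null)`, but `getCurrentProcessor()` and `setCurrentProcessor()` stay public, so any caller that still performs the get-then-set(null) sequence shown in the removed lines keeps the original window in which two threads can release the same Processor. I would make the contract explicit on the new method: `/** Atomically detaches the associated Processor and returns it (possibly {@code null}); code that releases a Processor must use this rather than get() followed by set(null). */`. The upstream preamble's diffstat lists 32 changed lines in AbstractProtocol.java, yet only the single hunk at line 794 of that file is visible in this backport; the listing is collapsed and may have lost text, but it is worth confirming that the other AbstractProtocol hunks of 170e0f79 were not dropped in the rebase to 9.0.43. The method that now calls `takeCurrentProcessor()` is only partially visible, its signature being cut off in the hunk.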
@@ -0,0 +1,108 @@ +From 4c7f4fd09d2cc1692112ef70b8ee23a7a037ae77 Mon Sep 17 00:00:00 2001 +From: Mark Thomas +Date: Mon, 3 Oct 2022 11:59:01 +0100 +Subject: [PATCH] Requests with invalid content-length should always be + rejected +--- + +Index: apache-tomcat-9.0.43-src/java/org/apache/coyote/http11/Http11InputBuffer.java +=================================================================== +--- apache-tomcat-9.0.43-src.orig/java/org/apache/coyote/http11/Http11InputBuffer.java ++++ apache-tomcat-9.0.43-src/java/org/apache/coyote/http11/Http11InputBuffer.java +@@ -886,7 +886,7 @@ public class Http11InputBuffer implement + headerData.lastSignificantChar = pos; + byteBuffer.position(byteBuffer.position() - 1); + // skipLine() will handle the error +- return skipLine(); ++ return skipLine(false); + } + + // chr is next byte of header name. Convert to lowercase. +@@ -897,7 +897,7 @@ public class Http11InputBuffer implement + + // Skip the line and ignore the header + if (headerParsePos == HeaderParsePosition.HEADER_SKIPLINE) { +- return skipLine(); ++ return skipLine(false); + } + + // +@@ -948,15 +948,11 @@ public class Http11InputBuffer implement + } else if (prevChr == Constants.CR && chr == Constants.LF) { + eol = true; + } else if (prevChr == Constants.CR) { +- // Invalid value +- // Delete the header (it will be the most recent one) +- headers.removeHeader(headers.size() - 1); +- return skipLine(); ++ // Invalid value - also need to delete header ++ return skipLine(true); + } else if (chr != Constants.HT && HttpParser.isControl(chr)) { +- // Invalid value +- // Delete the header (it will be the most recent one) +- headers.removeHeader(headers.size() - 1); +- return skipLine(); ++ // Invalid value - also need to delete header ++ return skipLine(true); + } else if (chr == Constants.SP || chr == Constants.HT) { + byteBuffer.put(headerData.realPos, chr); + headerData.realPos++; +@@ -1004,7 +1000,27 @@ public class Http11InputBuffer implement + } + + +- private 
HeaderParseStatus skipLine() throws IOException { ++ private HeaderParseStatus skipLine(boolean deleteHeader) throws IOException { ++ boolean rejectThisHeader = rejectIllegalHeader; ++ // Check if rejectIllegalHeader is disabled and needs to be overridden ++ // for this header. The header name is required to determine if this ++ // override is required. The header name is only available once the ++ // header has been created. If the header has been created then ++ // deleteHeader will be true. ++ if (!rejectThisHeader && deleteHeader) { ++ if (headers.getName(headers.size() - 1).equalsIgnoreCase("content-length")) { ++ // Malformed content-length headers must always be rejected ++ // RFC 9112, section 6.3, bullet 5. ++ rejectThisHeader = true; ++ } else { ++ // Only need to delete the header if the request isn't going to ++ // be rejected (it will be the most recent one) ++ headers.removeHeader(headers.size() - 1); ++ } ++ } ++ ++ // Parse the rest of the invalid header so we can construct a useful ++ // exception and/or debug message. 
+ headerParsePos = HeaderParsePosition.HEADER_SKIPLINE; + boolean eol = false; + +@@ -1029,11 +1045,11 @@ public class Http11InputBuffer implement + headerData.lastSignificantChar = pos; + } + } +- if (rejectIllegalHeader || log.isDebugEnabled()) { ++ if (rejectThisHeader || log.isDebugEnabled()) { + String message = sm.getString("iib.invalidheader", + HeaderUtil.toPrintableString(byteBuffer.array(), headerData.lineStart, + headerData.lastSignificantChar - headerData.lineStart + 1)); +- if (rejectIllegalHeader) { ++ if (rejectThisHeader) { + throw new IllegalArgumentException(message); + } + log.debug(message); +Index: apache-tomcat-9.0.43-src/webapps/docs/changelog.xml +=================================================================== +--- apache-tomcat-9.0.43-src.orig/webapps/docs/changelog.xml ++++ apache-tomcat-9.0.43-src/webapps/docs/changelog.xml +@@ -223,6 +223,11 @@ + Avoid possible infinite loop in OpenSSLEngine.unwrap + when the destination buffers state is changed concurrently. (remm) + ++ ++ Enforce the requirement of RFC 7230 onwards that a request with a ++ malformed content-length header should always be rejected ++ with a 400 response. (markt) ++ + + + diff --git a/tomcat.changes b/tomcat.changes index efd8582..5e49e18 100644 --- a/tomcat.changes +++ b/tomcat.changes 
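Review bot: The forced rejection in `skipLine(boolean)` is keyed only on the header name `content-length`, and only once the header object exists (`deleteHeader == true`), so a malformed `Transfer-Encoding` value reaching the same `skipLine(true)` path is still silently dropped when `rejectIllegalHeader` is false; RFC 9112 §6.1/§6.3 impose similarly hard rejection rules for a Transfer-Encoding the server cannot parse, and whether that case is handled elsewhere is not visible in this hunk, so it is worth confirming. The new parameter deserves Javadoc because its meaning is indirect: `@param deleteHeader {@code true} if the header being skipped has already been added to {@code headers} and must be removed, or, for content-length, must cause the request to be rejected regardless of {@code rejectIllegalHeader}`. The lookup `headers.getName(headers.size() - 1)` relies on the invalid header being the most recently added one, which the surrounding parse loop (partly outside this hunk) appears to guarantee but is not asserted here. The body of `skipLine` continues past the end of this hunk.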
@@ -1,3 +1,19 @@
+-------------------------------------------------------------------
+Mon Nov 21 07:42:34 UTC 2022 - Michele Bussolotto
+
+- Fixed CVEs:
+ * CVE-2022-42252: reject invalid content-length requests. (bsc#1204918)
+- Added patches:
+ * tomcat-9.0.43-CVE-2022-42252.patch
+
+-------------------------------------------------------------------
+Thu Oct 20 15:58:40 UTC 2022 - Michele Bussolotto
+
+- Fixed CVEs:
+ * CVE-2021-43980: Improve the recycling of Processor objects to make it more robust. (bsc#1203868)
+- Added patches:
+ * tomcat-9.0.43-CVE-2021-43980.patch
+
-------------------------------------------------------------------
Wed Jul 13 13:41:43 UTC 2022 - Fridrich Strba
diff --git a/tomcat.spec b/tomcat.spec
index a38bf65..e52de74 100644
--- a/tomcat.spec
+++ b/tomcat.spec
@@ -88,6 +88,8 @@ Patch9: tomcat-9.0-CVE-2021-30640.patch
Patch10: tomcat-9.0-NPE-JNDIRealm.patch
Patch11: tomcat-9.0-CVE-2022-23181.patch
Patch12: tomcat-9.0-hardening_getResources.patch
+Patch13: tomcat-9.0.43-CVE-2021-43980.patch
+Patch14: tomcat-9.0.43-CVE-2022-42252.patch
BuildRequires: ant >= 1.8.1
BuildRequires: ant-antlr
@@ -266,6 +268,8 @@ find . -type f \( -name "*.bat" -o -name "*.class" -o -name Thumbs.db -o -name "
%patch10 -p1
%patch11 -p1
%patch12 -p1
+%patch13 -p1
+%patch14 -p1
# remove date from docs
sed -i -e '/build-date/ d' webapps/docs/tomcat-docs.xsl