diff --git a/debian/changelog b/debian/changelog index b13c03733..138691170 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1253,6 +1253,11 @@ linux (4.19.97-1) UNRELEASED; urgency=medium * aufs: Update support patchset to aufs4.19.63+ 20200113; no functional changes * Bump ABI to 8 + * libertas: Fix two buffer overflows at parsing bss descriptor + (CVE-2019-14896, CVE-2019-14897) + * wimax: i2400: fix memory leak (CVE-2019-19051) + * wimax: i2400: Fix memory leak in i2400m_op_rfkill_sw_toggle + (CVE-2019-19051) -- Salvatore Bonaccorso Sat, 14 Dec 2019 22:00:16 +0100 diff --git a/debian/patches/bugfix/all/libertas-fix-two-buffer-overflows-at-parsing-bss-descriptor.patch b/debian/patches/bugfix/all/libertas-fix-two-buffer-overflows-at-parsing-bss-descriptor.patch new file mode 100644 index 000000000..2cca93842 --- /dev/null +++ b/debian/patches/bugfix/all/libertas-fix-two-buffer-overflows-at-parsing-bss-descriptor.patch 
@@ -0,0 +1,64 @@
+From: Wen Huang
+Date: Thu, 28 Nov 2019 18:51:04 +0800
+Subject: libertas: Fix two buffer overflows at parsing bss descriptor
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/kvalo/wireless-drivers.git/commit/?id=e5e884b42639c74b5b57dc277909915c0aefc8bb
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-14896
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-14897
+
+add_ie_rates() copys rates without checking the length
+in bss descriptor from remote AP.when victim connects to
+remote attacker, this may trigger buffer overflow.
+lbs_ibss_join_existing() copys rates without checking the length
+in bss descriptor from remote IBSS node.when victim connects to
+remote attacker, this may trigger buffer overflow.
+Fix them by putting the length check before performing copy.
+
+This fix addresses CVE-2019-14896 and CVE-2019-14897.
+This also fix build warning of mixed declarations and code.
+
+Reported-by: kbuild test robot
+Signed-off-by: Wen Huang
+Signed-off-by: Kalle Valo
+---
+ drivers/net/wireless/marvell/libertas/cfg.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/net/wireless/marvell/libertas/cfg.c
++++ b/drivers/net/wireless/marvell/libertas/cfg.c
+@@ -273,6 +273,10 @@ add_ie_rates(u8 *tlv, const u8 *ie, int
+ int hw, ap, ap_max = ie[1];
+ u8 hw_rate;
+ 
++ if (ap_max > MAX_RATES) {
++ lbs_deb_assoc("invalid rates\n");
++ return tlv;
++ }
+ /* Advance past IE header */
+ ie += 2;
+ 
+@@ -1717,6 +1721,9 @@ static int lbs_ibss_join_existing(struct
+ struct cmd_ds_802_11_ad_hoc_join cmd;
+ u8 preamble = RADIO_PREAMBLE_SHORT;
+ int ret = 0;
++ int hw, i;
++ u8 rates_max;
++ u8 *rates;
+ 
+ /* TODO: set preamble based on scan result */
+ ret = lbs_set_radio(priv, preamble, 1);
+@@ -1775,9 +1782,12 @@ static int lbs_ibss_join_existing(struct
+ if (!rates_eid) {
+ lbs_add_rates(cmd.bss.rates);
+ } else {
+- int hw, i;
+- u8 rates_max = rates_eid[1];
+- u8 *rates = cmd.bss.rates;
++ rates_max = rates_eid[1];
++ if (rates_max > MAX_RATES) {
++ lbs_deb_join("invalid rates");
++ goto out;
++ }
++ rates = cmd.bss.rates;
+ for (hw = 0; hw < ARRAY_SIZE(lbs_rates); hw++) {
+ u8 hw_rate = lbs_rates[hw].bitrate / 5;
+ for (i = 0; i < rates_max; i++) {
diff --git a/debian/patches/bugfix/all/wimax-i2400-fix-memory-leak-in-i2400m_op_rfkill_sw_toggle.patch b/debian/patches/bugfix/all/wimax-i2400-fix-memory-leak-in-i2400m_op_rfkill_sw_toggle.patch
new file mode 100644
index 000000000..ac0929be3
--- /dev/null
+++ b/debian/patches/bugfix/all/wimax-i2400-fix-memory-leak-in-i2400m_op_rfkill_sw_toggle.patch
@@ -0,0 +1,37 @@
+From: Navid Emamdoost
+Date: Fri, 25 Oct 2019 23:53:30 -0500
+Subject: wimax: i2400: Fix memory leak in i2400m_op_rfkill_sw_toggle
+Origin: https://git.kernel.org/linus/6f3ef5c25cc762687a7341c18cbea5af54461407
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-15217
+
+In the implementation of i2400m_op_rfkill_sw_toggle() the allocated
+buffer for cmd should be released before returning. The
+documentation for i2400m_msg_to_dev() says when it returns the buffer
+can be reused. Meaning cmd should be released in either case. Move
+kfree(cmd) before return to be reached by all execution paths.
+
+Fixes: 2507e6ab7a9a ("wimax: i2400: fix memory leak")
+Signed-off-by: Navid Emamdoost
+Signed-off-by: David S. Miller
+Signed-off-by: Ben Hutchings
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/wimax/i2400m/op-rfkill.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/wimax/i2400m/op-rfkill.c
++++ b/drivers/net/wimax/i2400m/op-rfkill.c
+@@ -142,12 +142,12 @@ int i2400m_op_rfkill_sw_toggle(struct wi
+ "%d\n", result);
+ result = 0;
+ error_cmd:
+- kfree(cmd);
+ kfree_skb(ack_skb);
+ error_msg_to_dev:
+ error_alloc:
+ d_fnend(4, dev, "(wimax_dev %p state %d) = %d\n",
+ wimax_dev, state, result);
++ kfree(cmd);
+ return result;
+ }
+ 
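Review bot: In the `lbs_ibss_join_existing` hunk the new `if (rates_max > MAX_RATES)` guard leaves via `goto out` without assigning `ret`, and the only visible assignment is `int ret = 0;` in the earlier hunk, so a join rejected for an oversized rates IE would presumably be reported to the caller as success if `out:` returns `ret`; the rest of the function and its `out:` label lie outside the hunk, so confirm there. I would set an error first, `ret = -EINVAL;` before `goto out;`, so the caller can tell a rejected descriptor from a completed join. The two new checks also differ in style: the `add_ie_rates()` one logs `"invalid rates\n"` while this one logs `"invalid rates"` without the trailing newline its neighbour uses. Both checks assume the destination arrays (`tlv` in `add_ie_rates` and `cmd.bss.rates` here) hold at least `MAX_RATES` entries, which the hunk does not show; a one-line comment such as `/* rates_eid[1] is peer-supplied; cmd.bss.rates holds MAX_RATES entries */` would tie the bound to the buffer it protects.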
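Review bot: The `Bug-Debian-Security:` header of this new patch file points at CVE-2019-15217, while the changelog entry added in the same commit attributes this fix (`wimax: i2400: Fix memory leak in i2400m_op_rfkill_sw_toggle`) to CVE-2019-19051, the identifier the companion `wimax-i2400-fix-memory-leak.patch` carries and whose commit this patch names in its `Fixes:` line; the two references cannot both be right, so one should be corrected before upload, since the security tracker cross-references these headers. On the code itself, moving `kfree(cmd)` after `d_fnend()` means it now also runs on the `error_alloc:` path, which is only safe if `cmd` is NULL there (`kfree(NULL)` is a no-op in the kernel); the allocation and the jumps to the earlier labels are outside the hunk, so that is inferred rather than visible. A short comment above the moved call, `/* cmd is NULL on the error_alloc path; kfree(NULL) is a no-op */`, would record the assumption for the next reader.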
diff --git a/debian/patches/bugfix/all/wimax-i2400-fix-memory-leak.patch b/debian/patches/bugfix/all/wimax-i2400-fix-memory-leak.patch new file mode 100644 index 000000000..d80e17e05 --- /dev/null +++ b/debian/patches/bugfix/all/wimax-i2400-fix-memory-leak.patch @@ -0,0 +1,27 @@ +From: Navid Emamdoost +Date: Tue, 10 Sep 2019 18:01:40 -0500 +Subject: wimax: i2400: fix memory leak +Origin: https://git.kernel.org/linus/2507e6ab7a9a440773be476141a255934468c5ef +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-19051 + +In i2400m_op_rfkill_sw_toggle cmd buffer should be released along with +skb response. + +Signed-off-by: Navid Emamdoost +Signed-off-by: David S. Miller +Signed-off-by: Ben Hutchings +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wimax/i2400m/op-rfkill.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/wimax/i2400m/op-rfkill.c ++++ b/drivers/net/wimax/i2400m/op-rfkill.c +@@ -142,6 +142,7 @@ int i2400m_op_rfkill_sw_toggle(struct wi + "%d\n", result); + result = 0; + error_cmd: ++ kfree(cmd); + kfree_skb(ack_skb); + error_msg_to_dev: + error_alloc: diff --git a/debian/patches/series b/debian/patches/series index b4bbd88b8..30dbd7382 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -301,5 +301,8 @@ features/arm/staging-vc04_services-Use-correct-cache-line-size.patch # Security fixes debian/i386-686-pae-pci-set-pci-nobios-by-default.patch debian/ntfs-mark-it-as-broken.patch +bugfix/all/libertas-fix-two-buffer-overflows-at-parsing-bss-descriptor.patch +bugfix/all/wimax-i2400-fix-memory-leak.patch +bugfix/all/wimax-i2400-fix-memory-leak-in-i2400m_op_rfkill_sw_toggle.patch # ABI maintenance