diff --git a/CVE-2019-5481.patch b/CVE-2019-5481.patch
new file mode 100644
index 0000000..2aa4952
--- /dev/null
+++ b/CVE-2019-5481.patch
@@ -0,0 +1,40 @@
+From 9069838b30fb3b48af0123e39f664cea683254a5 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Tue, 3 Sep 2019 22:59:32 +0200
+Subject: [PATCH] security:read_data fix bad realloc()
+
+... that could end up a double-free
+
+CVE-2019-5481
+Bug: https://curl.haxx.se/docs/CVE-2019-5481.html
+---
+ lib/security.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/lib/security.c b/lib/security.c
+index 550ea2da8d..c5e4e135df 100644
+--- a/lib/security.c
++++ b/lib/security.c
+@@ -191,7 +191,6 @@ static CURLcode read_data(struct connectdata *conn,
+ struct krb5buffer *buf)
+ {
+ int len;
+- void *tmp = NULL;
+ CURLcode result;
+
+ result = socket_read(fd, &len, sizeof(len));
+@@ -201,12 +200,11 @@ static CURLcode read_data(struct connectdata *conn,
+ if(len) {
+ /* only realloc if there was a length */
+ len = ntohl(len);
+- tmp = Curl_saferealloc(buf->data, len);
++ buf->data = Curl_saferealloc(buf->data, len);
+ }
+- if(tmp == NULL)
++ if(!len || !buf->data)
+ return CURLE_OUT_OF_MEMORY;
+
+- buf->data = tmp;
+ result = socket_read(fd, buf->data, len);
+ if(result)
+ return result;
diff --git a/CVE-2019-5482.patch b/CVE-2019-5482.patch
new file mode 100644
index 0000000..fc9dc73
--- /dev/null
+++ b/CVE-2019-5482.patch
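Review bot: The new `buf->data = Curl_saferealloc(buf->data, len);` still hands an unchecked, peer-supplied length to the allocator: `len` is an `int` filled by `socket_read()` and `ntohl()`, so a negative value passes the `!len` test, presumably converts to a huge size_t and is rejected only if the allocation happens to fail, while any large positive value lets the remote side pick the allocation size. Upstream commit 9069838 addresses the double free only; a bound before the realloc such as `if(len < 0 || len > MAX_SECURITY_FRAME_LEN /* placeholder: project limit */) return CURLE_RECV_ERROR;` would close that, although for a backport it is reasonable to keep this file identical to upstream and carry such a check as a separate, clearly labelled patch. `read_data` begins before the hunk and continues after `return result;`.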
@@ -0,0 +1,59 @@
+From facb0e4662415b5f28163e853dc6742ac5fafb3d Mon Sep 17 00:00:00 2001
+From: Thomas Vegas <>
+Date: Sat, 31 Aug 2019 17:30:51 +0200
+Subject: [PATCH] tftp: Alloc maximum blksize, and use default unless OACK is
+ received
+
+Fixes potential buffer overflow from 'recvfrom()', should the server
+return an OACK without blksize.
+
+Bug: https://curl.haxx.se/docs/CVE-2019-5482.html
+CVE-2019-5482
+---
+ lib/tftp.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/lib/tftp.c b/lib/tftp.c
+index a7176cec80..346f293dc5 100644
+--- a/lib/tftp.c
++++ b/lib/tftp.c
+@@ -985,6 +985,7 @@ static CURLcode tftp_connect(struct connectdata *conn, bool *done)
+ {
+ tftp_state_data_t *state;
+ int blksize;
++ int need_blksize;
+
+ blksize = TFTP_BLKSIZE_DEFAULT;
+
+@@ -999,15 +1000,20 @@ static CURLcode tftp_connect(struct connectdata *conn, bool *done)
+ return CURLE_TFTP_ILLEGAL;
+ }
+
++ need_blksize = blksize;
++ /* default size is the fallback when no OACK is received */
++ if(need_blksize < TFTP_BLKSIZE_DEFAULT)
++ need_blksize = TFTP_BLKSIZE_DEFAULT;
++
+ if(!state->rpacket.data) {
+- state->rpacket.data = calloc(1, blksize + 2 + 2);
++ state->rpacket.data = calloc(1, need_blksize + 2 + 2);
+
+ if(!state->rpacket.data)
+ return CURLE_OUT_OF_MEMORY;
+ }
+
+ if(!state->spacket.data) {
+- state->spacket.data = calloc(1, blksize + 2 + 2);
++ state->spacket.data = calloc(1, need_blksize + 2 + 2);
+
+ if(!state->spacket.data)
+ return CURLE_OUT_OF_MEMORY;
+@@ -1021,7 +1027,7 @@ static CURLcode tftp_connect(struct connectdata *conn, bool *done)
+ state->sockfd = state->conn->sock[FIRSTSOCKET];
+ state->state = TFTP_STATE_START;
+ state->error = TFTP_ERR_NONE;
+- state->blksize = blksize;
++ state->blksize = TFTP_BLKSIZE_DEFAULT; /* Unless updated by OACK response */
+ state->requested_blksize = blksize;
+
+ ((struct sockaddr *)&state->local_addr)->sa_family =
diff --git a/curl.spec b/curl.spec
index 8c354d1..4c75ebd 100644
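Review bot: The larger allocation in the `@@ -999,15 +1000,20 @@` hunk only bounds the overflow if the receive path limits `recvfrom()` to `state->blksize` (now `TFTP_BLKSIZE_DEFAULT` until an OACK updates it), and that code lives in `tftp_receive_packet`, outside this hunk; as far as I recall that bound was itself part of the CVE-2019-5436 change (Patch6050 in this spec), so the order of the two patches matters and the context lines of all three hunks should be checked against the 7.61.1 tree with Patch6050 applied rather than the 7.66-dev base the upstream commit was written for. `tftp_connect` continues beyond the last hunk. The `+ 2 + 2` in both `calloc()` calls is the opcode and block-number header; a named constant would state the intent, but for a backport the file is better kept identical to upstream.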
--- a/curl.spec
+++ b/curl.spec
@@ -7,7 +7,7 @@
 #Basic Information
 Name: curl
 Version: 7.61.1
-Release: 3
+Release: 4
 Summary: curl is used in command lines or scripts to transfer data
 License: MIT
 URL: https://curl.haxx.se/
@@ -70,6 +70,8 @@ Patch6047: zsh.pl-escape-character.patch
 Patch6048: examples-postinmemory-Potential-leak-of-memory-point.patch
 Patch6049: mbedtls-release-sessionid-resources-on-error.patch
 Patch6050: CVE-2019-5436.patch
+Patch6051: CVE-2019-5481.patch
+Patch6052: CVE-2019-5482.patch
 Patch9000: 0001-fix-double-free-when-multi-perform.patch
 Provides: curl-full = %{version}-%{release} libcurl-full = %{version}-%{release}
@@ -244,5 +246,11 @@ LD_LIBRARY_PATH="$RPM_BUILD_ROOT%{_libdir}:$LD_LIBRARY_PATH" %make_install -C sc
 %doc docs/TheArtOfHttpScripting docs/TODO
 %changelog
+* Sat Dec 21 2019 openEuler Buildteam - 7.61.1-4
+- Type:cves
+- ID:CVE-2019-5481 CVE-2019-5482
+- SUG:NA
+- DESC:fix CVE-2019-5481 CVE-2019-5482
+
 * Wed Sep 18 2019 guanyanjie - 7.61.1-3
 - Init for openEuler
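Review bot: The `@@ -70,6 +70,8 @@` hunk declares `Patch6051` and `Patch6052` but the `%prep` section is not part of this diff, so it is not visible whether they are applied; with `%autosetup -p1` they are picked up by number automatically, otherwise matching `%patch6051 -p1` and `%patch6052 -p1` lines are needed next to the existing ones. Both added patch files use `a/lib/...` paths, so `-p1` is the right strip level, and numbering them after `Patch6050` keeps the CVE-2019-5436 change applied first, which the tftp fix builds on. The Release bump in the first hunk and the changelog entry in the last one are consistent with the two new patches.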