diff --git a/debian/changelog b/debian/changelog
index a8d919d143195debfc4b7f7fc27ed9bdf5851343..e9c08f2a0acf2c6039838639bfb3a167de35382b 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+xorg-server (2:1.20.4-1+deb10u4) buster-security; urgency=high
+
+ * record: Fix out of bounds access in SwapCreateRegister() [CVE-2021-4011]
+ * xfixes: Fix out of bounds access in *ProcXFixesCreatePointerBarrier() [CVE-2021-4009]
+ * Xext: Fix out of bounds access in SProcScreenSaverSuspend() [CVE-2021-4010]
+ * render: Fix out of bounds access in SProcRenderCompositeGlyphs() [CVE-2021-4008]
+
+ -- Julien Cristau <jcristau@debian.org> Sat, 18 Dec 2021 10:05:36 +0100
+
 xorg-server (2:1.20.4-1+deb10u3) buster-security; urgency=high
 
 * Fix XChangeFeedbackControl() request underflow (CVE-2021-3472)
diff --git a/debian/patches/13_record-Fix-out-of-bounds-access-in-SwapCreateRegiste.patch b/debian/patches/13_record-Fix-out-of-bounds-access-in-SwapCreateRegiste.patch
new file mode 100644
index 0000000000000000000000000000000000000000..9f78423a753ff821a1fcac6b5a0d4c9204a33da9
--- /dev/null
+++ b/debian/patches/13_record-Fix-out-of-bounds-access-in-SwapCreateRegiste.patch
@@ -0,0 +1,33 @@
+From e56f61c79fc3cee26d83cda0f84ae56d5979f768 Mon Sep 17 00:00:00 2001
+From: Povilas Kanapickas <povilas@radix.lt>
+Date: Tue, 14 Dec 2021 15:00:00 +0200
+Subject: [PATCH] record: Fix out of bounds access in SwapCreateRegister()
+
+ZDI-CAN-14952, CVE-2021-4011
+
+This vulnerability was discovered and the fix was suggested by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Povilas Kanapickas <povilas@radix.lt>
+---
+ record/record.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/record/record.c b/record/record.c
+index be154525d2..e123867a7d 100644
+--- a/record/record.c
++++ b/record/record.c
+@@ -2516,8 +2516,8 @@ SwapCreateRegister(ClientPtr client, xRecordRegisterClientsReq * stuff)
+ swapl(pClientID);
+ }
+ if (stuff->nRanges >
+- client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq)
+- - stuff->nClients)
++ (client->req_len - bytes_to_int32(sz_xRecordRegisterClientsReq)
++ - stuff->nClients) / bytes_to_int32(sz_xRecordRange))
+ return BadLength;
+ RecordSwapRanges((xRecordRange *) pClientID, stuff->nRanges);
+ return Success;
+--
+2.30.2
+
diff --git a/debian/patches/14_xfixes-Fix-out-of-bounds-access-in-ProcXFixesCreateP.patch b/debian/patches/14_xfixes-Fix-out-of-bounds-access-in-ProcXFixesCreateP.patch
new file mode 100644
index 0000000000000000000000000000000000000000..46057460725ea514e96be01572a990fffd75e263
--- /dev/null
+++ b/debian/patches/14_xfixes-Fix-out-of-bounds-access-in-ProcXFixesCreateP.patch
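Review bot: The new bound in the `if (stuff->nRanges > ...)` check still subtracts `stuff->nClients` from `client->req_len` with no guard visible in this hunk against that subtraction wrapping, so it appears to depend on `12_Fix-XRecordRegisterClients-Integer-underflow.patch` earlier in the series having already rejected requests whose nClients exceeds the request length, and that dependency is recorded nowhere in the patch. A comment above the check, `/* nClients was validated against req_len earlier; dividing by the per-range size bounds nRanges by the bytes actually received */`, would keep the two patches from being reordered or dropped independently. The division by `bytes_to_int32(sz_xRecordRange)` is the actual fix: the old bound compared a range count against the number of remaining CARD32 words rather than the number of ranges that fit in them. SwapCreateRegister starts before and ends after this hunk.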
@@ -0,0 +1,43 @@
+From b5196750099ae6ae582e1f46bd0a6dad29550e02 Mon Sep 17 00:00:00 2001
+From: Povilas Kanapickas <povilas@radix.lt>
+Date: Tue, 14 Dec 2021 15:00:01 +0200
+Subject: [PATCH] xfixes: Fix out of bounds access in
+ *ProcXFixesCreatePointerBarrier()
+
+ZDI-CAN-14950, CVE-2021-4009
+
+This vulnerability was discovered and the fix was suggested by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Povilas Kanapickas <povilas@radix.lt>
+---
+ xfixes/cursor.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/xfixes/cursor.c b/xfixes/cursor.c
+index 60580b88f2..c5d4554b22 100644
+--- a/xfixes/cursor.c
++++ b/xfixes/cursor.c
+@@ -1010,7 +1010,8 @@ ProcXFixesCreatePointerBarrier(ClientPtr client)
+ {
+ REQUEST(xXFixesCreatePointerBarrierReq);
+
+- REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq, pad_to_int32(stuff->num_devices));
++ REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq,
++ pad_to_int32(stuff->num_devices * sizeof(CARD16)));
+ LEGAL_NEW_RESOURCE(stuff->barrier, client);
+
+ return XICreatePointerBarrier(client, stuff);
+@@ -1027,7 +1028,8 @@ SProcXFixesCreatePointerBarrier(ClientPtr client)
+
+ swaps(&stuff->length);
+ swaps(&stuff->num_devices);
+- REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq, pad_to_int32(stuff->num_devices));
++ REQUEST_FIXED_SIZE(xXFixesCreatePointerBarrierReq,
++ pad_to_int32(stuff->num_devices * sizeof(CARD16)));
+
+ swapl(&stuff->barrier);
+ swapl(&stuff->window);
+--
+2.30.2
+
diff --git a/debian/patches/15_Xext-Fix-out-of-bounds-access-in-SProcScreenSaverSus.patch b/debian/patches/15_Xext-Fix-out-of-bounds-access-in-SProcScreenSaverSus.patch
new file mode 100644
index 0000000000000000000000000000000000000000..b66466784220ced8a5e5438b5962ac4e4a664d79
--- /dev/null
+++ b/debian/patches/15_Xext-Fix-out-of-bounds-access-in-SProcScreenSaverSus.patch
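Review bot: Both REQUEST_FIXED_SIZE calls read `stuff->num_devices` to compute the trailing size before any length check has run, and in SProcXFixesCreatePointerBarrier the field is byte-swapped first as well; that ordering is pre-existing, but the new multiplication makes that unchecked read the sole input to the bound. Whether a request shorter than the fixed header can reach this point depends on the dispatcher guaranteeing the fixed part is readable, which the hunk does not show; worth confirming, or placing `REQUEST_AT_LEAST_SIZE(xXFixesCreatePointerBarrierReq);` ahead of the `swaps(&stuff->num_devices)` so the field is only read once the header is known to be present. The `* sizeof(CARD16)` factor implies the trailing data is an array of 16-bit device ids, which the `swaps` on num_devices is consistent with; a comment on the new line, `/* trailing data: num_devices CARD16 device ids, padded to 4 bytes */`, would explain it, and since num_devices is 16-bit the product cannot overflow.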
@@ -0,0 +1,32 @@
+From 6c4c53010772e3cb4cb8acd54950c8eec9c00d21 Mon Sep 17 00:00:00 2001
+From: Povilas Kanapickas <povilas@radix.lt>
+Date: Tue, 14 Dec 2021 15:00:02 +0200
+Subject: [PATCH] Xext: Fix out of bounds access in SProcScreenSaverSuspend()
+
+ZDI-CAN-14951, CVE-2021-4010
+
+This vulnerability was discovered and the fix was suggested by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Povilas Kanapickas <povilas@radix.lt>
+---
+ Xext/saver.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Xext/saver.c b/Xext/saver.c
+index 1d7e3cadf3..f813ba08d1 100644
+--- a/Xext/saver.c
++++ b/Xext/saver.c
+@@ -1351,8 +1351,8 @@ SProcScreenSaverSuspend(ClientPtr client)
+ REQUEST(xScreenSaverSuspendReq);
+
+ swaps(&stuff->length);
+- swapl(&stuff->suspend);
+ REQUEST_SIZE_MATCH(xScreenSaverSuspendReq);
++ swapl(&stuff->suspend);
+ return ProcScreenSaverSuspend(client);
+ }
+
+--
+2.30.2
+
diff --git a/debian/patches/16_render-Fix-out-of-bounds-access-in-SProcRenderCompos.patch b/debian/patches/16_render-Fix-out-of-bounds-access-in-SProcRenderCompos.patch
new file mode 100644
index 0000000000000000000000000000000000000000..f406b1542da84a46a136c5afc1cd3df8f7333696
--- /dev/null
+++ b/debian/patches/16_render-Fix-out-of-bounds-access-in-SProcRenderCompos.patch
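Review bot: Moving `swapl(&stuff->suspend)` below REQUEST_SIZE_MATCH is the whole fix, but nothing marks the order as deliberate, so a later tidy-up that regroups the swaps together would silently reintroduce the read past the checked length; a comment on the moved line, `/* swap fields beyond the header only after the length has been checked */`, records the intent. The same ordering rule is what the preceding xfixes patch relies on, so it is worth stating once here.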
@@ -0,0 +1,52 @@
+From ebce7e2d80e7c80e1dda60f2f0bc886f1106ba60 Mon Sep 17 00:00:00 2001
+From: Povilas Kanapickas <povilas@radix.lt>
+Date: Tue, 14 Dec 2021 15:00:03 +0200
+Subject: [PATCH] render: Fix out of bounds access in
+ SProcRenderCompositeGlyphs()
+
+ZDI-CAN-14192, CVE-2021-4008
+
+This vulnerability was discovered and the fix was suggested by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Povilas Kanapickas <povilas@radix.lt>
+---
+ render/render.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/render/render.c b/render/render.c
+index c376090cad..456f156d43 100644
+--- a/render/render.c
++++ b/render/render.c
+@@ -2309,6 +2309,9 @@ SProcRenderCompositeGlyphs(ClientPtr client)
+
+ i = elt->len;
+ if (i == 0xff) {
++ if (buffer + 4 > end) {
++ return BadLength;
++ }
+ swapl((int *) buffer);
+ buffer += 4;
+ }
+@@ -2319,12 +2322,18 @@ SProcRenderCompositeGlyphs(ClientPtr client)
+ buffer += i;
+ break;
+ case 2:
++ if (buffer + i * 2 > end) {
++ return BadLength;
++ }
+ while (i--) {
+ swaps((short *) buffer);
+ buffer += 2;
+ }
+ break;
+ case 4:
++ if (buffer + i * 4 > end) {
++ return BadLength;
++ }
+ while (i--) {
+ swapl((int *) buffer);
+ buffer += 4;
+--
+2.30.2
+
diff --git a/debian/patches/series b/debian/patches/series
index a22a72eb60d393c93c5954d766db06bb4c1fa195..2b947c1daa200fc07f2c27df2b447557eadc5313 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -11,3 +11,7 @@
 10_Fix-XIChangeHierarchy-integer-underflow.patch
 11_Fix-XkbSelectEvents-integer-underflow.patch
 12_Fix-XRecordRegisterClients-Integer-underflow.patch
+13_record-Fix-out-of-bounds-access-in-SwapCreateRegiste.patch
+14_xfixes-Fix-out-of-bounds-access-in-ProcXFixesCreateP.patch
+15_Xext-Fix-out-of-bounds-access-in-SProcScreenSaverSus.patch
+16_render-Fix-out-of-bounds-access-in-SProcRenderCompos.patch
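Review bot: The three new guards compute `buffer + 4`, `buffer + i * 2` and `buffer + i * 4` before comparing against `end`, which forms a pointer beyond the end of the request buffer in exactly the case the check is meant to reject; in C that arithmetic is undefined even when the pointer is never dereferenced, and an optimiser is entitled to reason from it. Comparing the remaining length avoids forming the pointer: `if (end - buffer < 4) return BadLength;` for the 0xff case and `if (end - buffer < i * 2) return BadLength;` / `if (end - buffer < i * 4) return BadLength;` for the two element-size cases. This relies on buffer not already having passed end when the guard runs, which the enclosing loop condition appears to ensure but is outside the hunk; SProcRenderCompositeGlyphs starts before and continues after both hunks.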