diff --git a/evolution-data-server-2.22.3-CVE-2009-0547.patch b/evolution-data-server-2.22.3-CVE-2009-0547.patch
new file mode 100644
index 0000000..edd8ac5
--- /dev/null
+++ b/evolution-data-server-2.22.3-CVE-2009-0547.patch
@@ -0,0 +1,97 @@
+diff -up evolution-data-server-2.22.3/camel/camel-smime-context.c.CVE-2009-0547 evolution-data-server-2.22.3/camel/camel-smime-context.c
+--- evolution-data-server-2.22.3/camel/camel-smime-context.c.CVE-2009-0547 2008-04-04 05:01:59.000000000 -0400
++++ evolution-data-server-2.22.3/camel/camel-smime-context.c 2009-03-17 14:04:17.000000000 -0400
+@@ -40,6 +40,7 @@
+ #include
+ #include
+ #include
++#include
+
+ #include
+
+@@ -534,6 +535,7 @@ sm_verify_cmsg(CamelCipherContext *conte
+ for (i = 0; i < count; i++) {
+ NSSCMSContentInfo *cinfo = NSS_CMSMessage_ContentLevel(cmsg, i);
+ SECOidTag typetag = NSS_CMSContentInfo_GetContentTypeTag(cinfo);
++ int which_digest;
+
+ switch (typetag) {
+ case SEC_OID_PKCS7_SIGNED_DATA:
+@@ -543,45 +545,50 @@ sm_verify_cmsg(CamelCipherContext *conte
+ goto fail;
+ }
+
+- /* need to build digests of the content */
+- if (!NSS_CMSSignedData_HasDigests(sigd)) {
+- if (extstream == NULL) {
+- camel_exception_set (ex, CAMEL_EXCEPTION_SYSTEM, _("Digests missing from enveloped data"));
+- goto fail;
+- }
++ if (extstream == NULL) {
++ camel_exception_set (ex, CAMEL_EXCEPTION_SYSTEM, _("Digests missing from enveloped data"));
++ goto fail;
++ }
+
+- if ((poolp = PORT_NewArena(1024)) == NULL) {
+- camel_exception_set (ex, CAMEL_EXCEPTION_SYSTEM, g_strerror (ENOMEM));
+- goto fail;
+- }
++ if ((poolp = PORT_NewArena(1024)) == NULL) {
++ camel_exception_set (ex, CAMEL_EXCEPTION_SYSTEM, g_strerror (ENOMEM));
++ goto fail;
++ }
+
+- digestalgs = NSS_CMSSignedData_GetDigestAlgs(sigd);
++ digestalgs = NSS_CMSSignedData_GetDigestAlgs(sigd);
++
++ digcx = NSS_CMSDigestContext_StartMultiple(digestalgs);
++ if (digcx == NULL) {
++ camel_exception_set (ex, CAMEL_EXCEPTION_SYSTEM, _("Cannot calculate digests"));
++ goto fail;
++ }
+
+- digcx = NSS_CMSDigestContext_StartMultiple(digestalgs);
+- if (digcx == NULL) {
+- camel_exception_set (ex, CAMEL_EXCEPTION_SYSTEM, _("Cannot calculate digests"));
+- goto fail;
+- }
++ mem = (CamelStreamMem *)camel_stream_mem_new();
++ camel_stream_write_to_stream(extstream, (CamelStream *)mem);
++ NSS_CMSDigestContext_Update(digcx, mem->buffer->data, mem->buffer->len);
++ camel_object_unref(mem);
+
+- mem = (CamelStreamMem *)camel_stream_mem_new();
+- camel_stream_write_to_stream(extstream, (CamelStream *)mem);
+- NSS_CMSDigestContext_Update(digcx, mem->buffer->data, mem->buffer->len);
+- camel_object_unref(mem);
++ if (NSS_CMSDigestContext_FinishMultiple(digcx, poolp, &digests) != SECSuccess) {
++ camel_exception_set (ex, CAMEL_EXCEPTION_SYSTEM, _("Cannot calculate digests"));
++ goto fail;
++ }
+
+- if (NSS_CMSDigestContext_FinishMultiple(digcx, poolp, &digests) != SECSuccess) {
+- camel_exception_set (ex, CAMEL_EXCEPTION_SYSTEM, _("Cannot calculate digests"));
++ for (which_digest = 0; digests[which_digest] != NULL; which_digest++) {
++ SECOidData *digest_alg = SECOID_FindOID(&digestalgs[which_digest]->algorithm);
++ if (digest_alg == NULL) {
++ camel_exception_set (ex, CAMEL_EXCEPTION_SYSTEM, _("Cannot set message digests"));
+ goto fail;
+ }
+-
+- if (NSS_CMSSignedData_SetDigests(sigd, digestalgs, digests) != SECSuccess) {
++ if (NSS_CMSSignedData_SetDigestValue(sigd, digest_alg->offset, digests[which_digest]) != SECSuccess) {
+ camel_exception_set (ex, CAMEL_EXCEPTION_SYSTEM, _("Cannot set message digests"));
+ goto fail;
+ }
+-
+- PORT_FreeArena(poolp, PR_FALSE);
+- poolp = NULL;
+ }
+
++ PORT_FreeArena(poolp, PR_FALSE);
++ poolp = NULL;
++
++
+ /* import all certificates present */
+ if (NSS_CMSSignedData_ImportCerts(sigd, p->certdb, certUsageEmailSigner, PR_TRUE) != SECSuccess) {
+ camel_exception_set (ex, CAMEL_EXCEPTION_SYSTEM, _("Certificate import failed"));
diff --git a/evolution-data-server-2.22.3-CVE-2009-0582.patch b/evolution-data-server-2.22.3-CVE-2009-0582.patch
new file mode 100644
index 0000000..f827260
--- /dev/null
+++ b/evolution-data-server-2.22.3-CVE-2009-0582.patch
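Review bot: The rewritten SIGNED_DATA branch drops the `/* need to build digests of the content */` comment together with the `NSS_CMSSignedData_HasDigests` shortcut, but nothing now explains why the digests are always recomputed from `extstream`, which is the substance of this fix and the first thing a later cleanup would be tempted to short-circuit again. A one-line comment above the new `if (extstream == NULL)` check would pin it: `/* Always recompute digests from the external content; digests carried inside the message come from the sender and must not be trusted (CVE-2009-0547). */`. Separately, the return value of `camel_stream_write_to_stream(extstream, (CamelStream *)mem)` is still ignored, so a short or failed read is digested as-is and surfaces as a signature mismatch rather than an I/O error; checking it (Camel's stream copy reports failure as -1, if I recall) and reporting via `camel_exception_set` before `NSS_CMSDigestContext_Update` would make that failure mode explicit. The loop over `digests[which_digest]` relies on `digests` being NULL-terminated and index-parallel to `digestalgs`, which appears to be the NSS contract for `NSS_CMSDigestContext_FinishMultiple` but deserves a short comment. The `fail:` cleanup of `poolp` and `digcx` lies outside the hunk, so whether the new early exits release the arena cannot be judged here.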
@@ -0,0 +1,143 @@
+diff -up evolution-data-server-2.22.3/camel/camel-sasl-ntlm.c.CVE-2009-0582 evolution-data-server-2.22.3/camel/camel-sasl-ntlm.c
+--- evolution-data-server-2.22.3/camel/camel-sasl-ntlm.c.CVE-2009-0582 2008-04-04 05:01:59.000000000 -0400
++++ evolution-data-server-2.22.3/camel/camel-sasl-ntlm.c 2009-03-17 14:05:37.000000000 -0400
+@@ -74,9 +74,8 @@ camel_sasl_ntlm_get_type (void)
+
+ #define NTLM_REQUEST "NTLMSSP\x00\x01\x00\x00\x00\x06\x82\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x30\x00\x00\x00\x00\x00\x00\x00\x30\x00\x00\x00"
+
+-#define NTLM_CHALLENGE_NONCE_OFFSET 24
+-#define NTLM_CHALLENGE_DOMAIN_OFFSET 48
+-#define NTLM_CHALLENGE_DOMAIN_LEN_OFFSET 44
++#define NTLM_CHALLENGE_DOMAIN_OFFSET 12
++#define NTLM_CHALLENGE_NONCE_OFFSET 24
+
+ #define NTLM_RESPONSE_HEADER "NTLMSSP\x00\x03\x00\x00\x00"
+ #define NTLM_RESPONSE_FLAGS "\x82\x01"
+@@ -93,22 +92,60 @@ static void ntlm_calc_response (const
+ guchar results[24]);
+ static void ntlm_lanmanager_hash (const char *password, char hash[21]);
+ static void ntlm_nt_hash (const char *password, char hash[21]);
+-static void ntlm_set_string (GByteArray *ba, int offset,
+- const char *data, int len);
++
++typedef struct {
++ guint16 length;
++ guint16 allocated;
++ guint32 offset;
++} SecurityBuffer;
++
++static GString *
++ntlm_get_string (GByteArray *ba, int offset)
++{
++ SecurityBuffer *secbuf;
++ GString *string;
++ gchar *buf_string;
++ guint16 buf_length;
++ guint32 buf_offset;
++
++ secbuf = (SecurityBuffer *) &ba->data[offset];
++ buf_length = GUINT16_FROM_LE (secbuf->length);
++ buf_offset = GUINT32_FROM_LE (secbuf->offset);
++
++ if (ba->len < buf_offset + buf_length)
++ return NULL;
++
++ string = g_string_sized_new (buf_length);
++ buf_string = (gchar *) &ba->data[buf_offset];
++ g_string_append_len (string, buf_string, buf_length);
++
++ return string;
++}
++
++static void
++ntlm_set_string (GByteArray *ba, int offset, const char *data, int len)
++{
++ SecurityBuffer *secbuf;
++
++ secbuf = (SecurityBuffer *) &ba->data[offset];
++ secbuf->length = GUINT16_TO_LE (len);
++ secbuf->offset = GUINT32_TO_LE (ba->len);
++ secbuf->allocated = secbuf->length;
++
++ g_byte_array_append (ba, (guint8 *) data, len);
++}
+
+ static GByteArray *
+ ntlm_challenge (CamelSasl *sasl, GByteArray *token, CamelException *ex)
+ {
+ GByteArray *ret;
+ guchar nonce[8], hash[21], lm_resp[24], nt_resp[24];
++ GString *domain;
+
+ ret = g_byte_array_new ();
+
+- if (!token || !token->len) {
+- g_byte_array_append (ret, (guint8 *) NTLM_REQUEST,
+- sizeof (NTLM_REQUEST) - 1);
+- return ret;
+- }
++ if (!token || token->len < NTLM_CHALLENGE_NONCE_OFFSET + 8)
++ goto fail;
+
+ memcpy (nonce, token->data + NTLM_CHALLENGE_NONCE_OFFSET, 8);
+ ntlm_lanmanager_hash (sasl->service->url->passwd, (char *) hash);
+@@ -116,7 +153,11 @@ ntlm_challenge (CamelSasl *sasl, GByteAr
+ ntlm_nt_hash (sasl->service->url->passwd, (char *) hash);
+ ntlm_calc_response (hash, nonce, nt_resp);
+
+- ret = g_byte_array_new ();
++ domain = ntlm_get_string (token, NTLM_CHALLENGE_DOMAIN_OFFSET);
++ if (domain == NULL)
++ goto fail;
++
++ /* Don't jump to 'fail' label after this point. */
+ g_byte_array_set_size (ret, NTLM_RESPONSE_BASE_SIZE);
+ memset (ret->data, 0, NTLM_RESPONSE_BASE_SIZE);
+ memcpy (ret->data, NTLM_RESPONSE_HEADER,
+@@ -125,8 +166,7 @@ ntlm_challenge (CamelSasl *sasl, GByteAr
+ NTLM_RESPONSE_FLAGS, sizeof (NTLM_RESPONSE_FLAGS) - 1);
+
+ ntlm_set_string (ret, NTLM_RESPONSE_DOMAIN_OFFSET,
+- (const char *) token->data + NTLM_CHALLENGE_DOMAIN_OFFSET,
+- atoi ((char *) token->data + NTLM_CHALLENGE_DOMAIN_LEN_OFFSET));
++ domain->str, domain->len);
+ ntlm_set_string (ret, NTLM_RESPONSE_USER_OFFSET,
+ sasl->service->url->user,
+ strlen (sasl->service->url->user));
+@@ -138,6 +178,18 @@ ntlm_challenge (CamelSasl *sasl, GByteAr
+ (const char *) nt_resp, sizeof (nt_resp));
+
+ sasl->authenticated = TRUE;
++
++ g_string_free (domain, TRUE);
++
++ goto exit;
++
++fail:
++ /* If the challenge is malformed, restart authentication.
++ * XXX A malicious server could make this loop indefinitely. */
++ g_byte_array_append (ret, (guint8 *) NTLM_REQUEST,
++ sizeof (NTLM_REQUEST) - 1);
++
++exit:
+ return ret;
+ }
+
+@@ -201,17 +253,6 @@ ntlm_nt_hash (const char *password, char
+ g_free (buf);
+ }
+
+-static void
+-ntlm_set_string (GByteArray *ba, int offset, const char *data, int len)
+-{
+- ba->data[offset ] = ba->data[offset + 2] = len & 0xFF;
+- ba->data[offset + 1] = ba->data[offset + 3] = (len >> 8) & 0xFF;
+- ba->data[offset + 4] = ba->len & 0xFF;
+- ba->data[offset + 5] = (ba->len >> 8) & 0xFF;
+- g_byte_array_append (ba, (guint8 *) data, len);
+-}
+-
+-
+ #define KEYBITS(k,s) \
+ (((k[(s)/8] << ((s)%8)) & 0xFF) | (k[(s)/8+1] >> (8-(s)%8)))
+
diff --git a/evolution-data-server.spec b/evolution-data-server.spec
index fcfcf66..83c3d67 100644
--- a/evolution-data-server.spec
+++ b/evolution-data-server.spec
@@ -28,7 +28,7 @@ Name: evolution-data-server Version: 2.22.3 -Release: 2%{?dist} +Release: 3%{?dist} License: LGPL Group: System Environment/Libraries Summary: Backend data server for Evolution
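Review bot: The bounds check in the new `ntlm_get_string`, `if (ba->len < buf_offset + buf_length)`, adds a `guint32` and a `guint16` in 32-bit unsigned arithmetic, so a server-supplied offset near `UINT32_MAX` wraps the sum below `ba->len` and the following `&ba->data[buf_offset]` reads outside the token; the check should be written without the addition, `if (buf_offset > ba->len || buf_length > ba->len - buf_offset) return NULL;`. The helper also dereferences the `SecurityBuffer` at `offset` without checking that `ba->len >= offset + sizeof (SecurityBuffer)`; the single caller is covered by the `token->len < NTLM_CHALLENGE_NONCE_OFFSET + 8` test in `ntlm_challenge` (offset 12 plus 8 bytes fits in 32), but a helper that takes an arbitrary `offset` should either guard that itself or document the precondition, e.g. `/* caller guarantees ba->len >= offset + sizeof (SecurityBuffer) */`. The `XXX` comment at `fail:` already records that a malformed challenge re-sends `NTLM_REQUEST` indefinitely; a retry counter in the SASL state would close that, but it lies outside this hunk. `ntlm_set_string` likewise narrows `int len` into a `guint16` without a range check, though every caller visible here passes either a fixed-size buffer, a `domain->len` that itself came from a `guint16`, or the URL user name.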
@@ -58,6 +58,12 @@ Patch15: evolution-data-server-2.22.0-implicit-function-declaration.patch # GNOME bug #537415 Patch16: evolution-data-server-2.22.3-e-book-auth-util.patch +# RH bug #484925 / CVE-2009-0547 +Patch17: evolution-data-server-2.22.3-CVE-2009-0547.patch + +# RH bug #487685 / CVE-2009-0582 +Patch18: evolution-data-server-2.22.3-CVE-2009-0582.patch + ### Build Dependencies ### BuildRequires: GConf2-devel @@ -138,6 +144,8 @@ This package contains developer documentation for %{name}. %patch14 -p1 -b .fix-64bit-acinclude %patch15 -p1 -b .implicit-function-declaration %patch16 -p1 -b .e-book-auth-util +%patch17 -p1 -b .CVE-2009-0582 +%patch18 -p1 -b .CVE-2009-0587 mkdir -p krb5-fakeprefix/include mkdir -p krb5-fakeprefix/lib @@ -380,6 +388,10 @@ rm -rf $RPM_BUILD_ROOT %{_datadir}/gtk-doc/html/libedataserverui %changelog +* Tue Mar 17 2009 Matthew Barnes - 2.22.3-3.fc9 +- Add patch for RH bug #484925 (CVE-2009-0547, S/MIME signatures). +- Add patch for RH bug #487685 (CVE-2009-0582, NTLM authentication). + * Tue Jul 08 2008 Matthew Barnes - 2.22.3-2.fc9 - Add patch for GNOME bug #537415 (infinite loop in GAL authentication).
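Review bot: The backup suffixes on the new `%patch17`/`%patch18` lines do not match the patches they apply: `Patch17` is the CVE-2009-0547 fix but is applied with `-b .CVE-2009-0582`, and `Patch18` (CVE-2009-0582) is applied with `-b .CVE-2009-0587`, an identifier that appears nowhere else in this change. The build is unaffected because the suffix only names the backup copies `%patch` leaves behind, but anyone inspecting the build tree or grepping it for the CVE ids will be misled. They should read `%patch17 -p1 -b .CVE-2009-0547` and `%patch18 -p1 -b .CVE-2009-0582`, matching the `Patch17:`/`Patch18:` declarations and the changelog entry in the same commit.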