diff --git a/backport-CVE-2025-58060.patch b/backport-CVE-2025-58060.patch
new file mode 100644
index 0000000000000000000000000000000000000000..4975959475fca9415e075a4f5131133899a60d3e
--- /dev/null
+++ b/backport-CVE-2025-58060.patch
@@ -0,0 +1,66 @@
+From: Thorsten Alteholz
+Date: Wed, 10 Sep 2025 10:46:21 +0200
+Subject: fix authentication bypass with AuthType negotiate
+
+---
+ scheduler/auth.c | 21 ++++++++++++++++++++-
+ 1 file changed, 20 insertions(+), 1 deletion(-)
+
+Index: cups-2.4.2/scheduler/auth.c
+===================================================================
+--- cups-2.4.2.orig/scheduler/auth.c 2025-09-10 11:43:40.020228384 +0200
++++ cups-2.4.2/scheduler/auth.c 2025-09-10 11:45:27.288263312 +0200
+@@ -513,6 +513,16 @@
+ int userlen; /* Username:password length */
+
+
++ /*
++ * Only allow Basic if enabled...
++ */
++
++ if (type != CUPSD_AUTH_BASIC)
++ {
++ cupsdLogClient(con, CUPSD_LOG_ERROR, "Basic authentication is not enabled.");
++ return;
++ }
++
+ authorization += 5;
+ while (isspace(*authorization & 255))
+ authorization ++;
+@@ -558,10 +568,6 @@
+ * Validate the username and password...
+ */
+
+- switch (type)
+- {
+- default :
+- case CUPSD_AUTH_BASIC :
+ {
+ #if HAVE_LIBPAM
+ /*
+@@ -715,8 +721,6 @@
+ }
+
+ cupsdLogClient(con, CUPSD_LOG_DEBUG, "Authorized as \"%s\" using Basic.", username);
+- break;
+- }
+
+ con->type = type;
+ }
+@@ -733,6 +737,16 @@
+ /* Output token for username */
+ gss_name_t client_name; /* Client name */
+
++ /*
++ * Only allow Kerberos if enabled...
++ */
++
++ if (type != CUPSD_AUTH_NEGOTIATE)
++ {
++ cupsdLogClient(con, CUPSD_LOG_ERROR, "Kerberos authentication is not enabled.");
++ return;
++ }
++
+ # ifdef __APPLE__
+ /*
+ * If the weak-linked GSSAPI/Kerberos library is not present, don't try
diff --git a/backport-CVE-2025-58364.patch b/backport-CVE-2025-58364.patch
new file mode 100644
index 0000000000000000000000000000000000000000..5e9d086ef8f2cc1ebdf6ca5e027644b451b89251
--- /dev/null
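Review bot: The header of backport-CVE-2025-58060.patch does not match its own hunks and names no upstream source: the diffstat claims `20 insertions(+), 1 deletion(-)` while the hunks at `@@ -558,10 +568,6 @@` and `@@ -715,8 +721,6 @@` together remove six lines, and every path is `cups-2.4.2/scheduler/auth.c` although cups.spec declares `Version: 2.4.0`. That looks like a patch edited by hand after it was generated against a different base, so it is worth confirming that it applies to the 2.4.0 tree without fuzz and that the two `if (type != ...)` guards end up directly in front of `authorization += 5;` and the GSSAPI block; the enclosing function starts and ends outside these hunks. I would add a provenance line to the header, for example `Origin: backport, <upstream-commit-url>`, so the backport can be audited against the upstream fix. backport-CVE-2025-58364.patch has the same gap: its diffstat says 25 deletions while its first hunk removes 26 lines.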
+++ b/backport-CVE-2025-58364.patch
@@ -0,0 +1,53 @@
+From: Thorsten Alteholz
+Date: Wed, 10 Sep 2025 11:05:30 +0200
+Subject: fix remote DoS via null dereference
+
+---
+ cups/ipp.c | 26 +-------------------------
+ 1 file changed, 1 insertion(+), 25 deletions(-)
+
+Index: cups-2.4.2/cups/ipp.c
+===================================================================
+--- cups-2.4.2.orig/cups/ipp.c 2025-09-10 14:22:19.506950359 +0200
++++ cups-2.4.2/cups/ipp.c 2025-09-10 14:22:19.502950359 +0200
+@@ -2949,32 +2949,6 @@
+ */
+
+ tag = (ipp_tag_t)buffer[0];
+- if (tag == IPP_TAG_EXTENSION)
+- {
+- /*
+- * Read 32-bit "extension" tag...
+- */
+-
+- if ((*cb)(src, buffer, 4) < 4)
+- {
+- DEBUG_puts("1ippReadIO: Callback returned EOF/error");
+- goto rollback;
+- }
+-
+- tag = (ipp_tag_t)((((((buffer[0] << 8) | buffer[1]) << 8) |
+- buffer[2]) << 8) | buffer[3]);
+-
+- if (tag & IPP_TAG_CUPS_CONST)
+- {
+- /*
+- * Fail if the high bit is set in the tag...
+- */
+-
+- _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("IPP extension tag larger than 0x7FFFFFFF."), 1);
+- DEBUG_printf(("1ippReadIO: bad tag 0x%x.", tag));
+- goto rollback;
+- }
+- }
+
+ if (tag == IPP_TAG_END)
+ {
+@@ -3196,6 +3170,7 @@
+
+ if ((*cb)(src, buffer, (size_t)n) < n)
+ {
++ _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Unable to read IPP attribute name."), 1);
+ DEBUG_puts("1ippReadIO: unable to read name.");
+ goto rollback;
+ }
diff --git a/cups.spec b/cups.spec
index b0e14740fe651a4ccdfb020bcb0922e7a606c077..042b0eceb21fb733e32789a10c06d29616cca073 100644
--- a/cups.spec
+++ b/cups.spec
@@ -3,7 +3,7 @@
 Name: cups
 Epoch: 1
 Version: 2.4.0
-Release: 14
+Release: 15
 Summary: CUPS is the standards-based, open source printing system for linux operating systems.
 License: Apache-2.0 WITH LLVM-exception
 Url: https://openprinting.github.io/cups/
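Review bot: Nothing in backport-CVE-2025-58364.patch explains why deleting the `IPP_TAG_EXTENSION` branch fixes the null dereference named in the Subject; the hunk at `@@ -2949,32 +2949,6 @@` contains no pointer check, it only stops decoding the 32-bit extension tag. After the change a tag byte equal to `IPP_TAG_EXTENSION` goes straight to the `if (tag == IPP_TAG_END)` test and whatever follows it, which is outside the hunk, so how that value is handled should be confirmed in the 2.4.0 source this spec builds. I would add one sentence to the patch description, for example `ippReadIO no longer decodes 32-bit extension tags; the tag byte is handled as an ordinary 1-byte tag`, adjusted to what the surrounding code really does.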
@@ -39,6 +39,8 @@ Patch6011: backport-0003-CVE-2024-47175.patch
 Patch6012: backport-0004-CVE-2024-47175.patch
 Patch6013: backport-0005-CVE-2024-47175.patch
 Patch6014: cups-lspp.patch
+Patch6015: backport-CVE-2025-58060.patch
+Patch6016: backport-CVE-2025-58364.patch
 
 BuildRequires: pam-devel pkgconf-pkg-config pkgconfig(gnutls) libacl-devel openldap-devel pkgconfig(libusb-1.0)
 BuildRequires: krb5-devel pkgconfig(avahi-client) systemd pkgconfig(libsystemd) pkgconfig(dbus-1) python3-cups
@@ -47,6 +49,7 @@ Requires: dbus systemd acl cups-filters /usr/sbin/alternatives
 Requires: %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release}
 Requires: %{name}-client%{?_isa} = %{epoch}:%{version}-%{release}
 Requires: %{name}-filesystem = %{epoch}:%{version}-%{release}
+Conflicts: %{name}-help < 1:2.4.0-15
 
 # Requires working PrivateTmp (bug #807672)
 Requires(pre): systemd
@@ -336,13 +339,17 @@ rm -f %{_exec_prefix}/lib/cups/backend/smb
 %dir %{_datadir}/%{name}/www
 %{_datadir}/%{name}/www/images
 %{_datadir}/%{name}/www/*.css
-%dir %{_datadir}/%{name}/www/de
-%dir %{_datadir}/%{name}/www/da
-%dir %{_datadir}/%{name}/www/es
-%dir %{_datadir}/%{name}/www/fr
-%dir %{_datadir}/%{name}/www/ja
-%dir %{_datadir}/%{name}/www/pt_BR
-%dir %{_datadir}/%{name}/www/ru
+%{_datadir}/%{name}/www/index.html
+%{_datadir}/%{name}/www/help
+%{_datadir}/%{name}/www/robots.txt
+%{_datadir}/%{name}/www/apple-touch-icon.png
+%lang(de) %{_datadir}/%{name}/www/de
+%lang(da) %{_datadir}/%{name}/www/da
+%lang(es) %{_datadir}/%{name}/www/es
+%lang(fr) %{_datadir}/%{name}/www/fr
+%lang(ja) %{_datadir}/%{name}/www/ja
+%lang(pt_BR) %{_datadir}/%{name}/www/pt_BR
+%lang(ru) %{_datadir}/%{name}/www/ru
 %{_datadir}/pixmaps/cupsprinter.png
 %dir %attr(1770,root,lp) %{_localstatedir}/spool/cups/tmp
 %dir %attr(0710,root,lp) %{_localstatedir}/spool/cups
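Review bot: `Patch6015` and `Patch6016` are only declared in the `@@ -39,6 +39,8 @@` hunk, and this diff has no hunk in `%prep`, so whether the two CVE fixes are actually applied depends on how `%prep` is written, which is not visible here. If it uses `%autosetup` or `%autopatch` the new entries are picked up automatically; if it lists patches explicitly, each one needs its own line such as `%patch6015 -p1`. It is worth checking the build log for both patch file names, because a declared but unapplied patch would still ship a package whose changelog says CVE-2025-58060 and CVE-2025-58364 are fixed.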
@@ -422,19 +429,12 @@ rm -f %{_exec_prefix}/lib/cups/backend/smb
 %files help
 %{_mandir}/man?/*
 %doc README.md CREDITS.md CHANGES.md
-%doc %{_datadir}/%{name}/www/index.html
-%doc %{_datadir}/%{name}/www/help
-%doc %{_datadir}/%{name}/www/robots.txt
-%doc %{_datadir}/%{name}/www/de/index.html
-%doc %{_datadir}/%{name}/www/da/index.html
-%doc %{_datadir}/%{name}/www/es/index.html
-%doc %{_datadir}/%{name}/www/fr/index.html
-%doc %{_datadir}/%{name}/www/ja/index.html
-%doc %{_datadir}/%{name}/www/ru/index.html
-%doc %{_datadir}/%{name}/www/pt_BR/index.html
-%doc %{_datadir}/%{name}/www/apple-touch-icon.png
 
 %changelog
+* Fri Sep 12 2025 Funda Wang - 1:2.4.0-15
+- fix CVE-2025-58060, CVE-2025-58364
+- move www files into main package due to requirement by web interface
+
 * Sat Oct 12 2024 Funda Wang - 1:2.4.0-14
 - fix file conflicts regarding man pages
 - add back lspp patch