diff --git a/backport-CVE-2025-58060.patch b/backport-CVE-2025-58060.patch
new file mode 100644
index 0000000000000000000000000000000000000000..9ec0821ad3f6ad6128a062981db4b4a5c5009d7f
--- /dev/null
+++ b/backport-CVE-2025-58060.patch
@@ -0,0 +1,56 @@
+From 595d691075b1d396d2edfaa0a8fd0873a0a1f221 Mon Sep 17 00:00:00 2001
+From: Zdenek Dohnal
+Date: Thu, 11 Sep 2025 14:44:59 +0200
+Subject: [PATCH] cupsd: Block authentication using alternate method
+
+Fixes: CVE-2025-58060
+---
+ scheduler/auth.c | 21 ++++++++++++++++++++-
+ 1 file changed, 20 insertions(+), 1 deletion(-)
+
+diff --git a/scheduler/auth.c b/scheduler/auth.c
+index 5fa53644d..3c9aa72aa 100644
+--- a/scheduler/auth.c
++++ b/scheduler/auth.c
+@@ -513,6 +513,16 @@ cupsdAuthorize(cupsd_client_t *con) /* I - Client connection */
+ int userlen; /* Username:password length */
+
+
++ /*
++ * Only allow Basic if enabled...
++ */
++
++ if (type != CUPSD_AUTH_BASIC)
++ {
++ cupsdLogClient(con, CUPSD_LOG_ERROR, "Basic authentication is not enabled.");
++ return;
++ }
++
+ authorization += 5;
+ while (isspace(*authorization & 255))
+ authorization ++;
+@@ -558,7 +568,6 @@ cupsdAuthorize(cupsd_client_t *con) /* I - Client connection */
+ * Validate the username and password...
+ */
+
+- if (type == CUPSD_AUTH_BASIC)
+ {
+ #if HAVE_LIBPAM
+ /*
+@@ -727,6 +736,16 @@ cupsdAuthorize(cupsd_client_t *con) /* I - Client connection */
+ /* Output token for username */
+ gss_name_t client_name; /* Client name */
+
++ /*
++ * Only allow Kerberos if enabled...
++ */
++
++ if (type != CUPSD_AUTH_NEGOTIATE)
++ {
++ cupsdLogClient(con, CUPSD_LOG_ERROR, "Kerberos authentication is not enabled.");
++ return;
++ }
++
+ # ifdef __APPLE__
+ /*
+ * If the weak-linked GSSAPI/Kerberos library is not present, don't try
diff --git a/backport-CVE-2025-58364.patch b/backport-CVE-2025-58364.patch
new file mode 100644
index 0000000000000000000000000000000000000000..37845b993eea53cdea0d22b13aa3367d8084f082
--- /dev/null
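Review bot: Both new guards in backport-CVE-2025-58060.patch (`if (type != CUPSD_AUTH_BASIC)` and `if (type != CUPSD_AUTH_NEGOTIATE)`) compare `type` against one exact value, so they are only correct if `type` already holds the effective AuthType for the matched location, with any default resolved, before these branches run; that assignment is outside all three hunks and should be checked against the 2.4.7 sources this backport is applied to. The second hunk drops `if (type == CUPSD_AUTH_BASIC)` and leaves a bare `{` block, which reads oddly without context. A comment on the first guard such as `/* Reject Basic credentials when the policy uses another AuthType; the password check below used to be skipped in that case */` would record why the test has to sit ahead of the parsing. cupsdAuthorize starts and ends outside the hunks.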
+++ b/backport-CVE-2025-58364.patch
@@ -0,0 +1,52 @@
+From: Thorsten Alteholz
+Date: Wed, 10 Sep 2025 11:05:30 +0200
+Subject: fix remote DoS via null dereference
+
+---
+ cups/ipp.c | 26 +-------------------------
+ 1 file changed, 1 insertion(+), 25 deletions(-)
+
+Index: cups-2.4.10/cups/ipp.c
+===================================================================
+--- cups-2.4.10.orig/cups/ipp.c 2025-09-10 11:25:47.275881427 +0200
++++ cups-2.4.10/cups/ipp.c 2025-09-10 12:33:15.653213317 +0200
+@@ -2949,31 +2949,6 @@
+ */
+
+ tag = (ipp_tag_t)buffer[0];
+- if (tag == IPP_TAG_EXTENSION)
+- {
+- /*
+- * Read 32-bit "extension" tag...
+- */
+-
+- if ((*cb)(src, buffer, 4) < 4)
+- {
+- DEBUG_puts("1ippReadIO: Callback returned EOF/error");
+- goto rollback;
+- }
+-
+- tag = (ipp_tag_t)((buffer[0] << 24) | (buffer[1] << 16) | (buffer[2] << 8) | buffer[3]);
+-
+- if (tag & IPP_TAG_CUPS_CONST)
+- {
+- /*
+- * Fail if the high bit is set in the tag...
+- */
+-
+- _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("IPP extension tag larger than 0x7FFFFFFF."), 1);
+- DEBUG_printf(("1ippReadIO: bad tag 0x%x.", tag));
+- goto rollback;
+- }
+- }
+
+ if (tag == IPP_TAG_END)
+ {
+@@ -3196,6 +3171,7 @@
+
+ if ((*cb)(src, buffer, (size_t)n) < n)
+ {
++ _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Unable to read IPP attribute name."), 1);
+ DEBUG_puts("1ippReadIO: unable to read name.");
+ goto rollback;
+ }
diff --git a/cups.spec b/cups.spec
index 5035b9ee94f31280110a28ffb4fbf1348ccf89e8..234f2125d10f45f0feb707ae2e9b44b6359265bf 100644
--- a/cups.spec
+++ b/cups.spec
@@ -3,7 +3,7 @@
 Name: cups
 Epoch: 1
 Version: 2.4.7
-Release: 6
+Release: 7
 Summary: CUPS is the standards-based, open source printing system for linux operating systems.
 License: Apache-2.0
 Url: https://openprinting.github.io/cups/
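Review bot: backport-CVE-2025-58364.patch was generated against `cups-2.4.10/cups/ipp.c`, while cups.spec in the same commit builds Version 2.4.7, so its hunks at lines 2949 and 3196 will apply with an offset at best; the build log should be checked for fuzz and the patched function compared with the intended result. The patch header carries no upstream commit id or origin line, unlike backport-CVE-2025-58060.patch, so adding one (for example `Origin: <upstream commit URL>`) would make the backport traceable. With the 32-bit extension read removed, a first byte equal to IPP_TAG_EXTENSION now continues into the ordinary tag handling, which is outside the hunk; confirm that path rejects or safely handles that value. The enclosing function (ippReadIO, judging by the debug strings) starts and ends outside both hunks.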
@@ -34,6 +34,8 @@ Patch6009: backport-0002-CVE-2024-47175.patch Patch6010: backport-0003-CVE-2024-47175.patch Patch6011: backport-0004-CVE-2024-47175.patch Patch6012: backport-0005-CVE-2024-47175.patch +Patch6013: backport-CVE-2025-58060.patch +Patch6014: backport-CVE-2025-58364.patch BuildRequires: pam-devel pkgconf-pkg-config pkgconfig(gnutls) libacl-devel openldap-devel pkgconfig(libusb-1.0) BuildRequires: krb5-devel pkgconfig(avahi-client) systemd pkgconfig(libsystemd) pkgconfig(dbus-1) python3-cups @@ -42,6 +44,7 @@ Requires: dbus systemd acl cups-filters /usr/sbin/alternatives Requires: %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release} Requires: %{name}-client%{?_isa} = %{epoch}:%{version}-%{release} Requires: %{name}-filesystem = %{epoch}:%{version}-%{release} +Conflicts: %{name}-help < 1:2.4.7-7 # Requires working PrivateTmp (bug #807672) Requires(pre): systemd @@ -329,15 +332,19 @@ rm -f %{_exec_prefix}/lib/cups/backend/smb %dir %{_datadir}/%{name}/usb %{_datadir}/%{name}/usb/org.cups.usb-quirks %dir %{_datadir}/%{name}/www +%{_datadir}/%{name}/www/index.html +%{_datadir}/%{name}/www/help +%{_datadir}/%{name}/www/robots.txt +%{_datadir}/%{name}/www/apple-touch-icon.png %{_datadir}/%{name}/www/images %{_datadir}/%{name}/www/*.css -%dir %{_datadir}/%{name}/www/de -%dir %{_datadir}/%{name}/www/da -%dir %{_datadir}/%{name}/www/es -%dir %{_datadir}/%{name}/www/fr -%dir %{_datadir}/%{name}/www/ja -%dir %{_datadir}/%{name}/www/pt_BR -%dir %{_datadir}/%{name}/www/ru +%lang(de) %{_datadir}/%{name}/www/de +%lang(da) %{_datadir}/%{name}/www/da +%lang(es) %{_datadir}/%{name}/www/es +%lang(fr) %{_datadir}/%{name}/www/fr +%lang(ja) %{_datadir}/%{name}/www/ja +%lang(pt_BR) %{_datadir}/%{name}/www/pt_BR +%lang(ru) %{_datadir}/%{name}/www/ru %{_datadir}/pixmaps/cupsprinter.png %dir %attr(1770,root,lp) %{_localstatedir}/spool/cups/tmp %dir %attr(0710,root,lp) %{_localstatedir}/spool/cups 
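Review bot: `Patch6013` and `Patch6014` are only declared in the `@@ -34,6 +34,8 @@` hunk, and no %prep line appears anywhere in this diff, so whether the two CVE fixes are actually applied depends on how %prep is written outside the hunk. If the spec uses %autosetup or %autopatch they are picked up automatically; if it lists patches explicitly, the matching `%patch` lines are missing and the package would ship unpatched under Release 7. Confirm from the build log that both patches are applied.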
@@ -418,19 +425,12 @@ rm -f %{_exec_prefix}/lib/cups/backend/smb %files help %{_mandir}/man?/* %doc README.md CREDITS.md CHANGES.md -%doc %{_datadir}/%{name}/www/index.html -%doc %{_datadir}/%{name}/www/help -%doc %{_datadir}/%{name}/www/robots.txt -%doc %{_datadir}/%{name}/www/de/index.html -%doc %{_datadir}/%{name}/www/da/index.html -%doc %{_datadir}/%{name}/www/es/index.html -%doc %{_datadir}/%{name}/www/fr/index.html -%doc %{_datadir}/%{name}/www/ja/index.html -%doc %{_datadir}/%{name}/www/ru/index.html -%doc %{_datadir}/%{name}/www/pt_BR/index.html -%doc %{_datadir}/%{name}/www/apple-touch-icon.png %changelog +* Fri Sep 12 2025 Funda Wang - 1:2.4.7-7 +- fix CVE-2025-58060, CVE-2025-58364 +- move www files into main package due to requirement by web interface + * Sat Oct 12 2024 Funda Wang - 1:2.4.7-6 - fix file conflicts regarding man pages - add back lspp patch