diff --git a/backport-CVE-2023-43115-Bug707051-IJS-device-try-and-secure-the-IJS-server-startup.patch b/backport-CVE-2023-43115-Bug707051-IJS-device-try-and-secure-the-IJS-server-startup.patch
new file mode 100644
index 0000000000000000000000000000000000000000..531e4ebd5678024a5d3e8fe689fccd2af4580ec5
--- /dev/null
+++ b/backport-CVE-2023-43115-Bug707051-IJS-device-try-and-secure-the-IJS-server-startup.patch
@@ -0,0 +1,57 @@
+From e59216049cac290fb437a04c4f41ea46826cfba5 Mon Sep 17 00:00:00 2001
+From: Ken Sharp
+Date: Thu, 24 Aug 2023 15:24:35 +0100
+Subject: [PATCH 01/44] IJS device - try and secure the IJS server startup
+
+Bug #707051 ""ijs" device can execute arbitrary commands"
+
+The problem is that the 'IJS' device needs to start the IJS server, and
+that is indeed an arbitrary command line. There is (apparently) no way
+to validate it. Indeed, this is covered quite clearly in the comments
+at the start of the source:
+
+ * WARNING: The ijs server can be selected on the gs command line
+ * which is a security risk, since any program can be run.
+
+Previously this used the awful LockSafetyParams hackery, which we
+abandoned some time ago because it simply couldn't be made secure (it
+was implemented in PostScript and was therefore vulnerable to PostScript
+programs).
+
+This commit prevents PostScript programs switching to the IJS device
+after SAFER has been activated, and prevents changes to the IjsServer
+parameter after SAFER has been activated.
+
+SAFER is activated, unless explicitly disabled, before any user
+PostScript is executed which means that the device and the server
+invocation can only be configured on the command line. This does at
+least provide minimal security against malicious PostScript programs.
+---
+ devices/gdevijs.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/devices/gdevijs.c b/devices/gdevijs.c
+index 8cbd84b97..16f5a1752 100644
+--- a/devices/gdevijs.c
++++ b/devices/gdevijs.c
+@@ -888,6 +888,8 @@ gsijs_initialize_device(gx_device *dev)
+ static const char rgb[] = "DeviceRGB";
+ gx_device_ijs *ijsdev = (gx_device_ijs *)dev;
+
++ if (ijsdev->memory->gs_lib_ctx->core->path_control_active)
++ return_error(gs_error_invalidaccess);
+ if (!ijsdev->ColorSpace) {
+ ijsdev->ColorSpace = gs_malloc(ijsdev->memory, sizeof(rgb), 1,
+ "gsijs_initialize");
+@@ -1326,7 +1328,7 @@ gsijs_put_params(gx_device *dev, gs_param_list *plist)
+ if (code >= 0)
+ code = gsijs_read_string(plist, "IjsServer",
+ ijsdev->IjsServer, sizeof(ijsdev->IjsServer),
+- dev->LockSafetyParams, is_open);
++ ijsdev->memory->gs_lib_ctx->core->path_control_active, is_open);
+
+ if (code >= 0)
+ code = gsijs_read_string_malloc(plist, "DeviceManufacturer",
+--
+2.33.0
+
diff --git a/backport-CVE-2023-46751.patch b/backport-CVE-2023-46751.patch
new file mode 100644
index 0000000000000000000000000000000000000000..1e0c31f176192715c0d53289555d53e70f38445b
--- /dev/null
+++ b/backport-CVE-2023-46751.patch
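Review bot: The `path_control_active` gate is applied to exactly two sites in this hunk — the early `return_error(gs_error_invalidaccess)` in `gsijs_initialize_device` and the lock argument of the `IjsServer` read in `gsijs_put_params` — while the very next call, `gsijs_read_string_malloc(plist, "DeviceManufacturer", ...)`, has its lock argument outside the hunk; if 9.55.0's gdevijs.c still passes `dev->LockSafetyParams` there and for the other IJS parameters forwarded to the server, those keep relying on the mechanism the commit message calls abandoned. It is worth grepping the patched file for remaining `LockSafetyParams` uses and switching them to `ijsdev->memory->gs_lib_ctx->core->path_control_active` so the device has one policy. The hunk offsets (888, 1326) are upstream's, so check the %prep output for the offset/fuzz with which this lands on 9.55.0's `gsijs_initialize_device`, which presumably exists there but is not visible here. Both `gsijs_initialize_device` and `gsijs_put_params` continue outside the hunk.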
@@ -0,0 +1,43 @@
+From 5d2da96e81c7455338302c71a291088a8396245a Mon Sep 17 00:00:00 2001
+From: Chris Liddell
+Date: Mon, 16 Oct 2023 16:49:40 +0100
+Subject: [PATCH] Bug 707264: Fix tiffsep(1) requirement for seekable output
+ files
+
+In the device initialization redesign, tiffsep and tiffsep1 lost the requirement
+for the output files to be seekable.
+
+Fixing that highlighted a problem with the error handling in
+gdev_prn_open_printer_seekable() where closing the erroring file would leave a
+dangling pointer, and lead to a crash.
+---
+ base/gdevprn.c | 1 +
+ devices/gdevtsep.c | 1 +
+ 2 files changed, 2 insertions(+)
+
+diff --git a/base/gdevprn.c b/base/gdevprn.c
+index 0491a3c6c..033632387 100644
+--- a/base/gdevprn.c
++++ b/base/gdevprn.c
+@@ -1271,6 +1271,7 @@ gdev_prn_open_printer_seekable(gx_device *pdev, bool binary_mode,
+ && !IS_LIBCTX_STDERR(pdev->memory, gp_get_file(ppdev->file))) {
+
+ code = gx_device_close_output_file(pdev, ppdev->fname, ppdev->file);
++ ppdev->file = NULL;
+ if (code < 0)
+ return code;
+ }
+diff --git a/devices/gdevtsep.c b/devices/gdevtsep.c
+index 7fd3c5518..f7a1b174b 100644
+--- a/devices/gdevtsep.c
++++ b/devices/gdevtsep.c
+@@ -737,6 +737,7 @@ tiffsep_initialize_device_procs(gx_device *dev)
+ {
+ gdev_prn_initialize_device_procs(dev);
+
++ set_dev_proc(dev, output_page, gdev_prn_output_page_seekable);
+ set_dev_proc(dev, open_device, tiffsep_prn_open);
+ set_dev_proc(dev, close_device, tiffsep_prn_close);
+ set_dev_proc(dev, map_color_rgb, tiffsep_decode_color);
+--
+2.34.1
diff --git a/fix-cve-2023-52722.patch b/fix-cve-2023-52722.patch
index 2ffdac4b7f7fb620a65cde99dffdaf60d14e96bc..e99147b7f30d7535c617da8ffe9b7767772e493a 100644
--- a/fix-cve-2023-52722.patch
+++ b/fix-cve-2023-52722.patch
@@ -34,5 +34,5 @@ index 3c47e99..81556ac 100644
 * If we're reading a .PFB file, let the filter know about it,
 * so it can read recklessly to the end of the binary section.
 --
-2.27.0
+2.43.0
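Review bot: The commit message says both tiffsep and tiffsep1 lost the seekable-output requirement, yet the only device-side change is the `set_dev_proc(dev, output_page, gdev_prn_output_page_seekable)` line in `tiffsep_initialize_device_procs`; whether 9.55.0's `tiffsep1_initialize_device_procs` chains to that function is not visible in this hunk, so confirm it, otherwise tiffsep1 keeps the unseekable default. The backport also assumes 9.55.0 already has `gdev_prn_output_page_seekable` and the `gx_device_close_output_file` call shape in `gdev_prn_open_printer_seekable` that the base/gdevprn.c hunk patches — worth a build-log check since the upstream commit targets the later device-initialization redesign. The `ppdev->file = NULL;` placement before the `if (code < 0) return code;` is right, as it clears the pointer even on the error path. Both enclosing functions continue outside the hunk.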
diff --git a/ghostscript.spec b/ghostscript.spec
index 8585f07c01eadadf7c6615947ffbcda7be359dbf..0aa4bd4e8053168f024caa00d3b840d95c0e69cb 100644
--- a/ghostscript.spec
+++ b/ghostscript.spec
@@ -9,7 +9,7 @@ Name: ghostscript
 Version: 9.55.0
-Release: 8
+Release: 9
 Summary: An interpreter for PostScript and PDF files
 License: AGPLv3+
 URL: https://ghostscript.com/
@@ -21,11 +21,12 @@ Patch2: backport-CVE-2022-2085.patch
 Patch3: CVE-2023-38559.patch
 Patch4: CVE-2023-28879.patch
 Patch5: CVE-2023-36664.patch
-Patch6: CVE-2023-46751.patch
-Patch7: fix-cve-2023-52722.patch
-Patch8: fix-CVE-2024-29510.patch
-Patch9: fix-CVE-2024-33869.patch
-Patch10: fix-CVE-2024-33870.patch
+Patch6: backport-CVE-2023-43115-Bug707051-IJS-device-try-and-secure-the-IJS-server-startup.patch
+Patch7: backport-CVE-2023-46751.patch
+Patch8: fix-cve-2023-52722.patch
+Patch9: fix-CVE-2024-29510.patch
+Patch10: fix-CVE-2024-33869.patch
+Patch11: fix-CVE-2024-33870.patch
 BuildRequires: automake gcc
 BuildRequires: adobe-mappings-cmap-devel adobe-mappings-pdf-devel
@@ -186,20 +187,29 @@ install -m 0755 -d %{buildroot}%{_datadir}/%{name}/conf.d/
 %{_bindir}/dvipdf
 %changelog
-* Sun May 26 2024 xuchenchen - 9.55.0-8
+* Sun May 26 2024 xuchenchen - 9.55.0-9
 - Type:CVE
 - ID:NA
 - SUG:NA
 - DECS: fix CVE-2024-29510 CVE-2024-33869 CVE-2024-33870
-* Mon May 6 2024 xuchenchen - 9.55.0-7
+* Mon May 6 2024 xuchenchen - 9.55.0-8
 - Type:CVE
 - ID:NA
 - SUG:NA
 - DECS: fix CVE-2023-52722
-* Mon Dec 25 2023 liningjie - 9.55.0-6
-- fix CVE-2023-46751
+* Mon Dec 25 2023 liningjie - 9.55.0-7
+- Type:CVE
+- ID:CVE-2023-46751
+- SUG:NA
+- DESC:fix CVE-2023-46751
+
+* Fri Sep 22 2023 dillon chen - 9.55.0-6
+- Type:CVE
+- ID:CVE-2023-43115
+- SUG:NA
+- DESC:fix CVE-2023-43115
 * Wed Sep 6 2023 liningjie - 9.55.0-5
 - fix CVE-2023-36664
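Review bot: Renumbering Patch6–Patch10 to Patch7–Patch11 to slot in the CVE-2023-43115 backport is risky because the %prep section is not in this diff; if it applies patches with explicit `%patch6 -p1` … `%patch10 -p1` lines rather than `%autosetup -p1`, the build now applies the wrong files under those numbers and never applies Patch11 at all. Appending the new file as `Patch11: backport-CVE-2023-43115-Bug707051-IJS-device-try-and-secure-the-IJS-server-startup.patch` would avoid touching the existing numbering. The %changelog hunk also rewrites the release numbers of three existing entries and back-dates a new 9.55.0-6 entry to Sep 22 2023, so the top 9.55.0-9 entry (May 26 2024) still describes only the 2024 CVEs and the CVE-2023-43115 backport has no entry carrying the date it actually landed; a fresh dated entry for 9.55.0-9 would keep the history honest.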