diff --git a/common/contrib/htmlmail/SA-CONTRIB-2018-069.patch b/common/contrib/htmlmail/SA-CONTRIB-2018-069.patch
new file mode 100644
index 0000000000000000000000000000000000000000..bcaa4e23166f76a0ff9e18a5d6a380118128e8ac
--- /dev/null
+++ b/common/contrib/htmlmail/SA-CONTRIB-2018-069.patch
@@ -0,0 +1,40 @@
+diff --git a/htmlmail.mail.inc b/htmlmail.mail.inc
+index e1126de..d6043e2 100644
+--- a/htmlmail.mail.inc
++++ b/htmlmail.mail.inc
+@@ -262,7 +262,7 @@ class HTMLMailSystem implements MailSystemInterface {
+ // if the parameter is NULL.
+ $result = @mail($to, $subject, $body, $txt_headers);
+ }
+- else {
++ elseif ((variable_get('site_mail', ini_get('sendmail_from')) == $message['headers']['Return-Path'] || self::_isShellSafe($message['headers']['Return-Path']))) {
+ // On most non-Windows systems, the "-f" option to the sendmail command
+ // is used to set the Return-Path.
+ $extra = '-f' . $message['headers']['Return-Path'];
+@@ -319,4 +319,26 @@ class HTMLMailSystem implements MailSystemInterface {
+ }
+ return implode("\n", $output);
+ }
++
++ /**
++ * Disallows potentially unsafe shell characters.
++ *
++ * @param string $string
++ * The string to be validated.
++ *
++ * @return bool
++ * True if the string is shell-safe.
++ *
++ * @see https://api.drupal.org/api/drupal/modules%21system%21system.mail.inc/7.x
++ */
++ protected static function _isShellSafe($string) {
++ if (escapeshellcmd($string) !== $string || !in_array(escapeshellarg($string), array("'$string'", "\"$string\""))) {
++ return FALSE;
++ }
++ if (preg_match('/[^a-zA-Z0-9@_\-.]/', $string) !== 0) {
++ return FALSE;
++ }
++ return TRUE;
++ }
++
+ }
diff --git a/common/core/SA-CORE-2018-006.patch b/common/core/SA-CORE-2018-006.patch
new file mode 100644
index 0000000000000000000000000000000000000000..f975964f0bd9647975009e87b1c1b59b1eeec2da
--- /dev/null
+++ b/common/core/SA-CORE-2018-006.patch
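Review bot: Turning the Return-Path `else` into an `elseif` leaves no fallback branch: when the header is neither the configured `site_mail` nor accepted by `_isShellSafe()`, `$result` is never assigned and `mail()` is not called at all, so if the code after the hunk (outside this view) tests `$result` the message is silently dropped and an undefined-variable notice is likely. The `system.mail.inc` the new docblock points to handles, as far as I recall, the same case by still sending without `-f`; the equivalent here is `else { $result = @mail($to, $subject, $body, $txt_headers); }` after the `$extra` branch, with a comment such as `// Return-Path failed the shell-safety check: send without -f rather than not at all.` The `site_mail` comparison uses loose `==`; `===` would make the string-equality intent explicit, and binding `$message['headers']['Return-Path']` to a local before the condition would shorten that line. The enclosing method starts and ends outside the hunk.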
@@ -0,0 +1,15 @@
+diff --git a/includes/common.inc b/includes/common.inc
+index 9a28c06..56e493b 100644
+--- a/includes/common.inc
++++ b/includes/common.inc
+@@ -1558,6 +1558,10 @@ function url($path = NULL, $options = array()) {
+ }
+ elseif (!empty($path) && !$options['alias']) {
+ $path = drupal_get_path_alias($path, isset($options['language']) ? $options['language']->language : '');
++ // Strip leading slashes from internal paths to prevent them becoming external
++ // URLs without protocol. /example.com should not be turned into
++ // //example.com.
++ $path = ltrim($path, '/');
+ }
+
+ if (function_exists('custom_url_rewrite_outbound')) {
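Review bot: The new `ltrim($path, '/')` lives inside the `elseif (!empty($path) && !$options['alias'])` branch, so a path supplied with `'alias' => TRUE` skips the strip entirely; if any caller passes a pre-resolved alias it did not obtain from a trusted source, that caller is not covered by this fix and is worth checking separately. A one-line note on the limitation would help the next reader, e.g. `// Only the alias-lookup branch is normalized; callers passing alias => TRUE must supply a trusted relative path.` The enclosing `url()` function starts and continues outside the hunk.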