diff --git a/pkgs/applications/networking/sniffers/ettercap/default.nix b/pkgs/applications/networking/sniffers/ettercap/default.nix
index cc8e5dc4de08..13d536ccf1bb 100644
--- a/pkgs/applications/networking/sniffers/ettercap/default.nix
+++ b/pkgs/applications/networking/sniffers/ettercap/default.nix
@@ -1,5 +1,6 @@
-{ stdenv, fetchFromGitHub, cmake, libpcap, libnet, zlib, curl, pcre,
-  openssl, ncurses, glib, gtk2, atk, pango, flex, bison }:
+{ stdenv, fetchFromGitHub, cmake, libpcap, libnet, zlib, curl, pcre
+, openssl, ncurses, glib, gtk2, atk, pango, flex, bison
+, fetchpatch }:
 
 stdenv.mkDerivation rec {
   name = "ettercap-${version}";
@@ -12,6 +13,19 @@ stdenv.mkDerivation rec {
     sha256 = "1kvrzv2f8kxy7pndfadkzv10cs5wsyfkaa1ski20r2mq4wrvd0cd";
   };
 
+  patches = [
+    (fetchpatch {
+      name = "CVE-2017-8366.patch";
+      url = "https://github.com/Ettercap/ettercap/commit/1083d604930ebb9f350126b83802ecd2cbc17f90.patch";
+      sha256 = "1ff6fp8fxisvd3fkkd01y4fjykgcj414kczzpfscdmi52ridwg8m";
+    })
+    (fetchpatch {
+      name = "CVE-2017-6430.patch";
+      url = "https://github.com/Ettercap/ettercap/commit/7f50c57b2101fe75592c8dc9960883bbd1878bce.patch";
+      sha256 = "0s13nc9yzxzp611rixsd1c8aw1b57q2lnvfq8wawxyrw07h7b2j4";
+    })
+  ];
+
   buildInputs = [
     cmake libpcap libnet zlib curl pcre openssl ncurses
     glib gtk2 atk pango flex bison