diff --git a/patches/patch.2018.h2.txt b/patches/patch.2018.h2.txt
new file mode 100644
index 0000000..9c5efde
--- /dev/null
+++ b/patches/patch.2018.h2.txt
@@ -0,0 +1,81 @@
+--- src/http/v2/ngx_http_v2.c
++++ src/http/v2/ngx_http_v2.c
+@@ -662,6 +662,7 @@ ngx_http_v2_handle_connection(ngx_http_v2_connection_t *h2c)
+
+ h2c->pool = NULL;
+ h2c->free_frames = NULL;
++ h2c->frames = 0;
+ h2c->free_fake_connections = NULL;
+
+ #if (NGX_HTTP_SSL)
+@@ -2895,7 +2896,7 @@ ngx_http_v2_get_frame(ngx_http_v2_connection_t *h2c, size_t length,
+
+ frame->blocked = 0;
+
+- } else {
++ } else if (h2c->frames < 10000) {
+ pool = h2c->pool ? h2c->pool : h2c->connection->pool;
+
+ frame = ngx_pcalloc(pool, sizeof(ngx_http_v2_out_frame_t));
+@@ -2919,6 +2920,15 @@ ngx_http_v2_get_frame(ngx_http_v2_connection_t *h2c, size_t length,
+ frame->last = frame->first;
+
+ frame->handler = ngx_http_v2_frame_handler;
++
++ h2c->frames++;
++
++ } else {
++ ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0,
++ "http2 flood detected");
++
++ h2c->connection->error = 1;
++ return NULL;
+ }
+
+ #if (NGX_DEBUG)
+--- src/http/v2/ngx_http_v2.h
++++ src/http/v2/ngx_http_v2.h
+@@ -120,6 +120,7 @@ struct ngx_http_v2_connection_s {
+ ngx_http_connection_t *http_connection;
+
+ ngx_uint_t processing;
++ ngx_uint_t frames;
+
+ ngx_uint_t pushing;
+ ngx_uint_t concurrent_pushes;
+--- src/http/v2/ngx_http_v2.c
++++ src/http/v2/ngx_http_v2.c
+@@ -4511,12 +4511,19 @@ ngx_http_v2_idle_handler(ngx_event_t *rev)
+
+ #endif
+
+- c->destroyed = 0;
+- ngx_reusable_connection(c, 0);
+-
+ h2scf = ngx_http_get_module_srv_conf(h2c->http_connection->conf_ctx,
+ ngx_http_v2_module);
+
++ if (h2c->idle++ > 10 * h2scf->max_requests) {
++ ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0,
++ "http2 flood detected");
++ ngx_http_v2_finalize_connection(h2c, NGX_HTTP_V2_NO_ERROR);
++ return;
++ }
++
++ c->destroyed = 0;
++ ngx_reusable_connection(c, 0);
++
+ h2c->pool = ngx_create_pool(h2scf->pool_size, h2c->connection->log);
+ if (h2c->pool == NULL) {
+ ngx_http_v2_finalize_connection(h2c, NGX_HTTP_V2_INTERNAL_ERROR);
+--- src/http/v2/ngx_http_v2.h
++++ src/http/v2/ngx_http_v2.h
+@@ -121,6 +121,7 @@ struct ngx_http_v2_connection_s {
+
+ ngx_uint_t processing;
+ ngx_uint_t frames;
++ ngx_uint_t idle;
+
+ ngx_uint_t pushing;
+ ngx_uint_t concurrent_pushes;
+
diff --git a/util/mirror-tarballs b/util/mirror-tarballs
index 116fe61..0a59e1b 100755
--- a/util/mirror-tarballs
+++ b/util/mirror-tarballs
@@ -404,6 +404,23 @@ if [ "$main_ver" = "1.13.6" ]; then
 echo
 fi
 
+answer=`$root/util/ver-ge "$main_ver" 1.9.5`
+if [ "$answer" = "Y" ]; then
+ answer=`$root/util/ver-ge "$main_ver" 1.14.1`
+ if [ "$answer" = "N" ]; then
+ echo "$info_txt applying the patch for nginx security advisory (CVE-2018-16843 CVE-2018-16844)"
+ patch -p0 < $root/patches/patch.2018.h2.txt || exit 1
+ echo
+ else
+ answer=`$root/util/ver-ge "$main_ver" 1.15.6`
+ if [ "$answer" = "N" ]; then
+ echo "$info_txt applying the patch for nginx security advisory (CVE-2018-16843 CVE-2018-16844)"
+ patch -p0 < $root/patches/patch.2018.h2.txt || exit 1
+ echo
+ fi
+ fi
+fi
+
 answer=`$root/util/ver-ge "$main_ver" 1.14.1`
 if [ "$answer" = "N" ]; then
 echo "$info_txt applying the patch for nginx security advisory (CVE-2018-16845)"
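Review bot: The new `else` branch also matches 1.14.1 and every later release of the 1.14 series, because for those `ver-ge "$main_ver" 1.14.1` yields Y and `ver-ge "$main_ver" 1.15.6` yields N (I read `ver-ge` as printing Y for greater-or-equal, going by its name and the existing CVE-2018-16845 check in the trailing context). If 1.14.1 and 1.15.6 are the releases that already carry the fix, which is what the two thresholds suggest, the script would try to apply patch.2018.h2.txt to an already-fixed tree and `patch -p0 ... || exit 1` would abort the mirror run for those versions. The two branches also run identical echo/patch lines, so deciding once into a flag and applying the patch in a single place removes the duplication. The lines below replace the added block from the `1.9.5` check through its closing `fi`.
```shell
apply_h2_patch=N
answer=`$root/util/ver-ge "$main_ver" 1.9.5`
if [ "$answer" = "Y" ]; then
    answer=`$root/util/ver-ge "$main_ver" 1.14.1`
    if [ "$answer" = "N" ]; then
        # 1.9.5 <= version < 1.14.1
        apply_h2_patch=Y
    else
        case "$main_ver" in
        1.14.*)
            # 1.14.1 and later 1.14.x releases already contain the fix
            ;;
        *)
            answer=`$root/util/ver-ge "$main_ver" 1.15.6`
            if [ "$answer" = "N" ]; then
                # 1.15 series releases before 1.15.6
                apply_h2_patch=Y
            fi
            ;;
        esac
    fi
fi
if [ "$apply_h2_patch" = "Y" ]; then
    echo "$info_txt applying the patch for nginx security advisory (CVE-2018-16843 CVE-2018-16844)"
    patch -p0 < $root/patches/patch.2018.h2.txt || exit 1
    echo
fi
```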