diff --git a/pkgs/applications/virtualization/xen/4.5.nix b/pkgs/applications/virtualization/xen/4.5.nix
index dc9d92534f00..bc8d89af5b2a 100644
--- a/pkgs/applications/virtualization/xen/4.5.nix
+++ b/pkgs/applications/virtualization/xen/4.5.nix
@@ -41,6 +41,20 @@ let
                   rev = "refs/tags/qemu-xen-${version}";
                   sha256 = "014s755slmsc7xzy7qhk9i3kbjr2grxb5yznjp71dl6xxfvnday2";
                 };
+          patches = [
+            (xsaPatch {
+              name = "197-4.5-qemuu";
+              sha256 = "09gp980qdlfpfmxy0nk7ncyaa024jnrpzx9gpq2kah21xygy5myx";
+            })
+            (xsaPatch {
+              name = "208-qemuu-4.7";
+              sha256 = "0z9b1whr8rp2riwq7wndzcnd7vw1ckwx0vbk098k2pcflrzppgrb";
+            })
+            (xsaPatch {
+              name = "209-qemuu";
+              sha256 = "05df4165by6pzxrnizkw86n2f77k9i1g4fqqpws81ycb9ng4jzin";
+            })
+          ];
         }
         { git = { name = "qemu-xen-traditional";
                   url = https://xenbits.xen.org/git-http/qemu-xen-traditional.git;
@@ -48,6 +62,24 @@ let
                   rev = "refs/tags/xen-${version}";
                   sha256 = "0n0ycxlf1wgdjkdl8l2w1i0zzssk55dfv67x8i6b2ima01r0k93r";
                 };
+          patches = [
+            (xsaPatch {
+              name = "197-4.5-qemut";
+              sha256 = "17l7npw00gyhqzzaqamwm9cawfvzm90zh6jjyy95dmqbh7smvy79";
+            })
+            (xsaPatch {
+              name = "199-trad";
+              sha256 = "0dfw6ciycw9a9s97sbnilnzhipnzmdm9f7xcfngdjfic8cqdcv42";
+            })
+            (xsaPatch {
+              name = "208-qemut";
+              sha256 = "0960vhchixp60j9h2lawgbgzf6mpcdk440kblk25a37bd6172l54";
+            })
+            (xsaPatch {
+              name = "209-qemut";
+              sha256 = "1hq8ghfzw6c47pb5vf9ngxwgs8slhbbw6cq7gk0nam44rwvz743r";
+            })
+          ];
         }
         { git = { name = "xen-libhvm";
                   url = https://github.com/ts468/xen-libhvm;
@@ -63,12 +95,6 @@ let
         }
       ];
 
-      # Note this lacks patches for:
-      # XSA-201
-      # XSA-199
-      # XSA-197
-      # they didn't apply, and there are plenty of other patches here
-      # to get this deployed as-is.
       xenPatches = [ ./0001-libxl-Spice-image-compression-setting-support-for-up.patch
                      ./0002-libxl-Spice-streaming-video-setting-support-for-upst.patch
                      ./0003-Add-qxl-vga-interface-support-for-upstream-qem.patch
@@ -116,6 +142,10 @@ let
                        name = "204-4.5";
                        sha256 = "083z9pbdz3f532fnzg7n2d5wzv6rmqc0f4mvc3mnmkd0rzqw8vcp";
                      })
+                     (xsaPatch {
+                       name = "207";
+                       sha256 = "0wdlhijmw9mdj6a82pyw1rwwiz605dwzjc392zr3fpb2jklrvibc";
+                     })
                    ];
   };