diff --git a/SOURCES/rpm-4.14.3-add-path-query-option.patch b/SOURCES/rpm-4.14.3-add-path-query-option.patch
new file mode 100644
index 0000000..51b37db
--- /dev/null
+++ b/SOURCES/rpm-4.14.3-add-path-query-option.patch
@@ -0,0 +1,194 @@
+From 5e26aa82fb1792c0441131db8dc87976d2d653bb Mon Sep 17 00:00:00 2001
+From: Michal Domonkos <mdomonko@redhat.com>
+Date: Mon, 16 Aug 2021 18:21:02 +0200
+Subject: [PATCH] Add support for RPMDBI_BASENAMES on file queries
+
+There are legitimate reasons (such as rhbz#1940895 or the included test)
+for wanting the former behavior where all file states were considered in
+file queries prior to commit 9ad57bda4a82b9847826daa766b4421d877bb3d9,
+so celebrate the tenth anniversary of that commit by adding a CLI switch
+(a new package selector --path), as contemplated back then.
+
+Update the man page for --file to reflect it's current behavior and make
+--path that more obvious.
+
+Resolves: rhbz#1940895
+
+Combined with d1aebda01033bc8ba0d748b49f6fad9a5c0caa3f and backported
+for 4.14.3.
+---
+ doc/rpm.8         |  9 ++++++--
+ lib/poptQV.c      |  6 +++++-
+ lib/query.c       |  7 +++++--
+ lib/rpmcli.h      |  1 +
+ tests/rpmquery.at | 52 +++++++++++++++++++++++++++++++++++++++++++++++
+ 5 files changed, 70 insertions(+), 5 deletions(-)
+
+diff --git a/doc/rpm.8 b/doc/rpm.8
+index 15a3db25f..74604c8ec 100644
+--- a/doc/rpm.8
++++ b/doc/rpm.8
+@@ -57,7 +57,7 @@ rpm \- RPM Package Manager
+ .PP
+ 
+  [\fB\fIPACKAGE_NAME\fB\fR]
+- [\fB-a,--all [\fISELECTOR\fR]\fR] [\fB-f,--file \fIFILE\fB\fR]
++ [\fB-a,--all [\fISELECTOR\fR]\fR] [\fB-f,--file \fIFILE\fB\fR] [\fB--path \fIPATH\fB\fR]
+  [\fB-g,--group \fIGROUP\fB\fR] {\fB-p,--package \fIPACKAGE_FILE\fB\fR]
+  [\fB--hdrid \fISHA1\fB\fR] [\fB--pkgid \fIMD5\fB\fR] [\fB--tid \fITID\fB\fR]
+  [\fB--querybynumber \fIHDRNUM\fB\fR] [\fB--triggeredby \fIPACKAGE_NAME\fB\fR]
+@@ -555,7 +555,7 @@ starts with "b".
+ List duplicated packages.
+ .TP
+ \fB-f, --file \fIFILE\fB\fR
+-Query package owning \fIFILE\fR.
++Query package owning installed \fIFILE\fR.
+ .TP
+ \fB--filecaps\fR
+ List file names with POSIX1.e capabilities.
+@@ -598,6 +598,11 @@ that will be expanded to paths that are substituted in place of
+ the package manifest as additional \fIPACKAGE_FILE\fR
+ arguments to the query.
+ .TP
++\fB--path \fIPATH\fB\fR
++Query package(s) owning \fIPATH\fR, whether the file is installed or not.
++Multiple packages may own a \fIPATH\fR, but the file is only owned by the
++package installed last.
++.TP
+ \fB--pkgid \fIMD5\fB\fR
+ Query package that contains a given package identifier, i.e. the
+ \fIMD5\fR digest of the combined header and
+diff --git a/lib/poptQV.c b/lib/poptQV.c
+index 9021d7b3c..f752d8b82 100644
+--- a/lib/poptQV.c
++++ b/lib/poptQV.c
+@@ -27,6 +27,7 @@ struct rpmQVKArguments_s rpmQVKArgs;
+ #define POPT_WHATENHANCES	-1014
+ #define POPT_WHATOBSOLETES	-1015
+ #define POPT_WHATCONFLICTS	-1016
++#define POPT_QUERYBYPATH	-1017
+ 
+ /* ========== Query/Verify/Signature source args */
+ static void rpmQVSourceArgCallback( poptContext con,
+@@ -58,6 +59,7 @@ static void rpmQVSourceArgCallback( poptContext con,
+     case POPT_WHATSUPPLEMENTS: qva->qva_source |= RPMQV_WHATSUPPLEMENTS; break;
+     case POPT_WHATENHANCES: qva->qva_source |= RPMQV_WHATENHANCES; break;
+     case POPT_TRIGGEREDBY: qva->qva_source |= RPMQV_TRIGGEREDBY; break;
++    case POPT_QUERYBYPATH: qva->qva_source |= RPMQV_PATH_ALL; break;
+     case POPT_QUERYBYPKGID: qva->qva_source |= RPMQV_PKGID; break;
+     case POPT_QUERYBYHDRID: qva->qva_source |= RPMQV_HDRID; break;
+     case POPT_QUERYBYTID: qva->qva_source |= RPMQV_TID; break;
+@@ -80,7 +82,9 @@ struct poptOption rpmQVSourcePoptTable[] = {
+  { "checksig", 'K', POPT_ARGFLAG_DOC_HIDDEN, NULL, 'K',
+ 	N_("rpm checksig mode"), NULL },
+  { "file", 'f', 0, 0, 'f',
+-	N_("query/verify package(s) owning file"), "FILE" },
++	N_("query/verify package(s) owning installed file"), "FILE" },
++ { "path", '\0', 0, 0, POPT_QUERYBYPATH,
++	N_("query/verify package(s) owning path, installed or not"), "PATH" },
+  { "group", 'g', 0, 0, 'g',
+ 	N_("query/verify package(s) in group"), "GROUP" },
+  { "package", 'p', 0, 0, 'p',
+diff --git a/lib/query.c b/lib/query.c
+index 26cdecf10..e6ea1fa2d 100644
+--- a/lib/query.c
++++ b/lib/query.c
+@@ -440,6 +440,7 @@ static rpmdbMatchIterator initQueryIterator(QVA_t qva, rpmts ts, const char * ar
+ 	}
+ 	/* fallthrough on absolute and relative paths */
+     case RPMQV_PATH:
++    case RPMQV_PATH_ALL:
+     {   char * fn;
+ 
+ 	for (s = arg; *s != '\0'; s++)
+@@ -458,8 +459,10 @@ static rpmdbMatchIterator initQueryIterator(QVA_t qva, rpmts ts, const char * ar
+ 	    fn = xstrdup(arg);
+ 	(void) rpmCleanPath(fn);
+ 
+-	/* XXX Add a switch to enable former BASENAMES behavior? */
+-	mi = rpmtsInitIterator(ts, RPMDBI_INSTFILENAMES, fn, 0);
++	rpmDbiTagVal tag = RPMDBI_INSTFILENAMES;
++	if (qva->qva_source == RPMQV_PATH_ALL)
++	    tag = RPMDBI_BASENAMES;
++	mi = rpmtsInitIterator(ts, tag, fn, 0);
+ 	if (mi == NULL)
+ 	    mi = rpmtsInitIterator(ts, RPMDBI_PROVIDENAME, fn, 0);
+ 
+diff --git a/lib/rpmcli.h b/lib/rpmcli.h
+index 99af2585a..330fd956f 100644
+--- a/lib/rpmcli.h
++++ b/lib/rpmcli.h
+@@ -82,6 +82,7 @@ rpmcliFini(poptContext optCon);
+ enum rpmQVSources_e {
+     RPMQV_PACKAGE = 0,	/*!< ... from package name db search. */
+     RPMQV_PATH,		/*!< ... from file path db search. */
++    RPMQV_PATH_ALL,	/*!< ... from file path db search (all states). */
+     RPMQV_ALL,		/*!< ... from each installed package. */
+     RPMQV_RPM, 		/*!< ... from reading binary rpm package. */
+     RPMQV_GROUP,	/*!< ... from group db search. */
+diff --git a/tests/rpmquery.at b/tests/rpmquery.at
+index 36c62339a..ad580f664 100644
+--- a/tests/rpmquery.at
++++ b/tests/rpmquery.at
+@@ -194,6 +194,58 @@ runroot rpm \
+ 
+ AT_CLEANUP
+ 
++# ------------------------------
++# query a package by a file
++AT_SETUP([rpm -qf])
++AT_KEYWORDS([query])
++AT_CHECK([
++RPMDB_INIT
++runroot rpm \
++  --nodeps \
++  -i /data/RPMS/hello-1.0-1.i386.rpm
++runroot rpm \
++  -qf /usr/local/bin/hello
++],
++[0],
++[hello-1.0-1.i386
++],
++[])
++AT_CLEANUP
++
++AT_SETUP([rpm -qf on non-installed file])
++AT_KEYWORDS([query])
++AT_CHECK([
++RPMDB_INIT
++runroot rpm \
++  --nodeps \
++  --excludedocs \
++  -i /data/RPMS/hello-1.0-1.i386.rpm
++runroot rpm \
++  -qf /usr/share/doc/hello-1.0/FAQ
++],
++[1],
++[],
++[error: file /usr/share/doc/hello-1.0/FAQ: No such file or directory
++])
++AT_CLEANUP
++
++AT_SETUP([rpm -q --path on non-installed file])
++AT_KEYWORDS([query])
++AT_CHECK([
++RPMDB_INIT
++runroot rpm \
++  --nodeps \
++  --excludedocs \
++  -i /data/RPMS/hello-1.0-1.i386.rpm
++runroot rpm \
++  -q --path /usr/share/doc/hello-1.0/FAQ
++],
++[0],
++[hello-1.0-1.i386
++],
++[])
++AT_CLEANUP
++
+ # ------------------------------
+ AT_SETUP([integer array query])
+ AT_KEYWORDS([query])
+-- 
+2.33.1
+
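Review bot: In lib/rpmcli.h the new `RPMQV_PATH_ALL` is inserted between `RPMQV_PATH` and `RPMQV_ALL`, which renumbers `RPMQV_ALL`, `RPMQV_RPM`, `RPMQV_GROUP` and every later enumerator of the public `enum rpmQVSources_e`; for a backport onto the 4.14.3 stable branch that is an ABI-visible change for anything built against the installed header that feeds `qva_source` values into the library. Unless the ordering is relied on somewhere not visible here, appending the value after the last existing enumerator keeps the old numbering, e.g. `RPMQV_PATH_ALL,	/*!< ... from file path db search (all states). */` as the final entry instead. The query.c side (`if (qva->qva_source == RPMQV_PATH_ALL)`) is unaffected by the position and matches how the existing popt callback cases are consumed. The rest of the enum and the `initQueryIterator` function that consumes the value lie outside the hunk.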
diff --git a/SOURCES/rpm-4.14.3-macroize-find-debuginfo-script-location.patch b/SOURCES/rpm-4.14.3-macroize-find-debuginfo-script-location.patch
new file mode 100644
index 0000000..2fd8e44
--- /dev/null
+++ b/SOURCES/rpm-4.14.3-macroize-find-debuginfo-script-location.patch
@@ -0,0 +1,38 @@
+From 77007d68782b66f2d00d7b200516731246876dca Mon Sep 17 00:00:00 2001
+From: Panu Matilainen <pmatilai@redhat.com>
+Date: Thu, 27 May 2021 13:58:58 +0300
+Subject: [PATCH] Macroize find-debuginfo script location
+
+Makes it easier to handle varying paths, mainly in preparation for the
+next step.
+
+Backported for 4.14.3.
+---
+ macros.in | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/macros.in b/macros.in
+index a6069ee4d..be28a3b28 100644
+--- a/macros.in
++++ b/macros.in
+@@ -82,6 +82,8 @@
+ %__remsh		%{__rsh}
+ %__strip		@__STRIP@
+ 
++%__find_debuginfo	%{_rpmconfigdir}/find-debuginfo.sh
++
+ # XXX avoid failures if tools are not installed when rpm is built.
+ %__libtoolize		libtoolize
+ %__aclocal		aclocal
+@@ -177,7 +179,7 @@
+ #	the script.  See the script for details.
+ #
+ %__debug_install_post   \
+-    %{_rpmconfigdir}/find-debuginfo.sh \\\
++    %{__find_debuginfo} \\\
+     %{?_smp_mflags} \\\
+     %{?_missing_build_ids_terminate_build:--strict-build-id} \\\
+     %{?_no_recompute_build_ids:-n} \\\
+-- 
+2.33.1
+
diff --git a/SOURCES/rpm-4.14.3-preserve-kmod-secure-boot-signature.patch b/SOURCES/rpm-4.14.3-preserve-kmod-secure-boot-signature.patch
deleted file mode 100644
index c85d990..0000000
--- a/SOURCES/rpm-4.14.3-preserve-kmod-secure-boot-signature.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-commit cfdb8300f6e3aed0abc41406a3c4737eb1192067
-Author: Michal Domonkos <mdomonko@redhat.com>
-Date:   Sun Jul 11 18:08:26 2021 +0200
-
-    Don't brp-strip .ko files
-    
-    Otherwise SecureBoot signatures may be stripped too.
-    
-    We used to exclude shared libraries from this strip as they were
-    supposed to be covered by another brp script (brp-strip-shared), however
-    it turned out the latter was never really used, so we removed the
-    exclusion in commit 0ab151ab138fd4fb6d3176fd0270d9cc6f4623f3.
-    
-    As it turns out, that was a little too ambitious, since we may now
-    inadvertently strip SecureBoot signatures from kernel modules too,
-    provided that they're made during the build, prior to the invocation of
-    brp-strip.
-    
-    Note that this regression currently does *not* affect the following two
-    cases on Fedora/RHEL systems with redhat-rpm-config installed:
-    
-      - in-tree kernel modules; these are built from kernel.spec which
-        already contains a hack ensuring that module signing only happens
-        *after* any stripping (see %__modsign_install_post in kernel.spec)
-    
-      - out-of-tree kernel modules built with debuginfo enabled; this is
-        because brp-strip is only called when %debug_package is set to
-        %{nil}
-    
-    Any other combinations may be affected, depending on the macros and
-    .spec files used, so let's fix this by effectively "reverting" said
-    commit for .ko files only.
-    
-    Fixes: rhbz#1967291
-
-    Backported into 4.14.3
-diff -up rpm-4.14.3/scripts/brp-strip.orig rpm-4.14.3/scripts/brp-strip
---- rpm-4.14.3/scripts/brp-strip.orig	2021-07-12 17:21:04.446396789 +0200
-+++ rpm-4.14.3/scripts/brp-strip	2021-07-12 17:21:20.673633783 +0200
-@@ -12,7 +12,7 @@ Darwin*) exit 0 ;;
- esac
- 
- # Strip ELF binaries
--for f in `find "$RPM_BUILD_ROOT" -type f -exec file {} \; | \
-+for f in `find "$RPM_BUILD_ROOT" -type f \! -name "*.ko" -exec file {} \; | \
-         grep -v "^${RPM_BUILD_ROOT}/\?usr/lib/debug"  | \
- 	sed -n -e 's/^\(.*\):[ 	]*ELF.*, not stripped.*/\1/p'`; do
- 	$STRIP -g "$f" || :
diff --git a/SOURCES/rpm-4.14.3-validate-and-require-subkey-binding-sigs.patch b/SOURCES/rpm-4.14.3-validate-and-require-subkey-binding-sigs.patch
new file mode 100644
index 0000000..7d4e85b
--- /dev/null
+++ b/SOURCES/rpm-4.14.3-validate-and-require-subkey-binding-sigs.patch
@@ -0,0 +1,401 @@
+From 82c53e4b7f720012a391d8f6e5da9ee3c4f22bed Mon Sep 17 00:00:00 2001
+From: Demi Marie Obenour <demi@invisiblethingslab.com>
+Date: Thu, 6 May 2021 18:34:45 -0400
+Subject: [PATCH] Validate and require subkey binding signatures on PGP public
+ keys
+
+All subkeys must be followed by a binding signature by the primary key
+as per the OpenPGP RFC, enforce the presence and validity in the parser.
+
+The implementation is as kludgey as they come to work around our
+simple-minded parser structure without touching API, to maximise
+backportability. Store all the raw packets internally as we decode them
+to be able to access previous elements at will, needed to validate ordering
+and access the actual data. Add testcases for manipulated keys whose
+import previously would succeed.
+
+Combined with:
+5ff86764b17f31535cb247543a90dd739076ec38
+b5e8bc74b2b05aa557f663fe227b94d2bc64fbd8
+9f03f42e2614a68f589f9db8fe76287146522c0c
+b6dffb6dc5ffa2ddc389743f0507876cab341315 (mem-leak fix)
+ae3d2d234ae47ff85229d3fce97a266fa1aa5a61 (use-after-free fix)
+
+Fixes CVE-2021-3521.
+---
+ rpmio/rpmpgp.c                                | 122 +++++++++++++++---
+ sign/rpmgensig.c                              |   2 +-
+ tests/Makefile.am                             |   3 +
+ tests/data/keys/CVE-2021-3521-badbind.asc     |  25 ++++
+ .../data/keys/CVE-2021-3521-nosubsig-last.asc |  25 ++++
+ tests/data/keys/CVE-2021-3521-nosubsig.asc    |  37 ++++++
+ tests/rpmsigdig.at                            |  28 ++++
+ 7 files changed, 224 insertions(+), 18 deletions(-)
+ create mode 100644 tests/data/keys/CVE-2021-3521-badbind.asc
+ create mode 100644 tests/data/keys/CVE-2021-3521-nosubsig-last.asc
+ create mode 100644 tests/data/keys/CVE-2021-3521-nosubsig.asc
+
+diff --git a/rpmio/rpmpgp.c b/rpmio/rpmpgp.c
+index 46cd0f31a..bd4992ec7 100644
+--- a/rpmio/rpmpgp.c
++++ b/rpmio/rpmpgp.c
+@@ -511,7 +511,7 @@ pgpDigAlg pgpDigAlgFree(pgpDigAlg alg)
+     return NULL;
+ }
+ 
+-static int pgpPrtSigParams(pgpTag tag, uint8_t pubkey_algo, uint8_t sigtype,
++static int pgpPrtSigParams(pgpTag tag, uint8_t pubkey_algo,
+ 		const uint8_t *p, const uint8_t *h, size_t hlen,
+ 		pgpDigParams sigp)
+ {
+@@ -524,10 +524,8 @@ static int pgpPrtSigParams(pgpTag tag, uint8_t pubkey_algo, uint8_t sigtype,
+ 	int mpil = pgpMpiLen(p);
+ 	if (p + mpil > pend)
+ 	    break;
+-	if (sigtype == PGPSIGTYPE_BINARY || sigtype == PGPSIGTYPE_TEXT) {
+-	    if (sigalg->setmpi(sigalg, i, p))
+-		break;
+-	}
++	if (sigalg->setmpi(sigalg, i, p))
++	    break;
+ 	p += mpil;
+     }
+ 
+@@ -600,7 +598,7 @@ static int pgpPrtSig(pgpTag tag, const uint8_t *h, size_t hlen,
+ 	}
+ 
+ 	p = ((uint8_t *)v) + sizeof(*v);
+-	rc = pgpPrtSigParams(tag, v->pubkey_algo, v->sigtype, p, h, hlen, _digp);
++	rc = pgpPrtSigParams(tag, v->pubkey_algo, p, h, hlen, _digp);
+     }	break;
+     case 4:
+     {   pgpPktSigV4 v = (pgpPktSigV4)h;
+@@ -658,7 +656,7 @@ static int pgpPrtSig(pgpTag tag, const uint8_t *h, size_t hlen,
+ 	if (p > (h + hlen))
+ 	    return 1;
+ 
+-	rc = pgpPrtSigParams(tag, v->pubkey_algo, v->sigtype, p, h, hlen, _digp);
++	rc = pgpPrtSigParams(tag, v->pubkey_algo, p, h, hlen, _digp);
+     }	break;
+     default:
+ 	rpmlog(RPMLOG_WARNING, _("Unsupported version of key: V%d\n"), version);
+@@ -999,36 +997,127 @@ unsigned int pgpDigParamsAlgo(pgpDigParams digp, unsigned int algotype)
+     return algo;
+ }
+ 
++static pgpDigParams pgpDigParamsNew(uint8_t tag)
++{
++    pgpDigParams digp = xcalloc(1, sizeof(*digp));
++    digp->tag = tag;
++    return digp;
++}
++
++static int hashKey(DIGEST_CTX hash, const struct pgpPkt *pkt, int exptag)
++{
++    int rc = -1;
++    if (pkt->tag == exptag) {
++	uint8_t head[] = {
++	    0x99,
++	    (pkt->blen >> 8),
++	    (pkt->blen     ),
++	};
++
++	rpmDigestUpdate(hash, head, 3);
++	rpmDigestUpdate(hash, pkt->body, pkt->blen);
++	rc = 0;
++    }
++    return rc;
++}
++
++static int pgpVerifySelf(pgpDigParams key, pgpDigParams selfsig,
++			const struct pgpPkt *all, int i)
++{
++    int rc = -1;
++    DIGEST_CTX hash = NULL;
++
++    switch (selfsig->sigtype) {
++    case PGPSIGTYPE_SUBKEY_BINDING:
++	hash = rpmDigestInit(selfsig->hash_algo, 0);
++	if (hash) {
++	    rc = hashKey(hash, &all[0], PGPTAG_PUBLIC_KEY);
++	    if (!rc)
++		rc = hashKey(hash, &all[i-1], PGPTAG_PUBLIC_SUBKEY);
++	}
++	break;
++    default:
++	/* ignore types we can't handle */
++	rc = 0;
++	break;
++    }
++
++    if (hash && rc == 0)
++	rc = pgpVerifySignature(key, selfsig, hash);
++
++    rpmDigestFinal(hash, NULL, NULL, 0);
++
++    return rc;
++}
++
+ int pgpPrtParams(const uint8_t * pkts, size_t pktlen, unsigned int pkttype,
+ 		 pgpDigParams * ret)
+ {
+     const uint8_t *p = pkts;
+     const uint8_t *pend = pkts + pktlen;
+     pgpDigParams digp = NULL;
+-    struct pgpPkt pkt;
++    pgpDigParams selfsig = NULL;
++    int i = 0;
++    int alloced = 16; /* plenty for normal cases */
++    struct pgpPkt *all = xmalloc(alloced * sizeof(*all));
+     int rc = -1; /* assume failure */
++    int expect = 0;
++    int prevtag = 0;
+ 
+     while (p < pend) {
+-	if (decodePkt(p, (pend - p), &pkt))
++	struct pgpPkt *pkt = &all[i];
++	if (decodePkt(p, (pend - p), pkt))
+ 	    break;
+ 
+ 	if (digp == NULL) {
+-	    if (pkttype && pkt.tag != pkttype) {
++	    if (pkttype && pkt->tag != pkttype) {
+ 		break;
+ 	    } else {
+-		digp = xcalloc(1, sizeof(*digp));
+-		digp->tag = pkt.tag;
++		digp = pgpDigParamsNew(pkt->tag);
+ 	    }
+ 	}
+ 
+-	if (pgpPrtPkt(&pkt, digp))
++	if (expect) {
++	    if (pkt->tag != expect)
++		break;
++	    selfsig = pgpDigParamsNew(pkt->tag);
++	}
++
++	if (pgpPrtPkt(pkt, selfsig ? selfsig : digp))
+ 	    break;
+ 
+-	p += (pkt.body - pkt.head) + pkt.blen;
++	if (selfsig) {
++	    /* subkeys must be followed by binding signature */
++	    int xx = 1; /* assume failure */
++
++	    if (!(prevtag == PGPTAG_PUBLIC_SUBKEY &&
++		  selfsig->sigtype != PGPSIGTYPE_SUBKEY_BINDING))
++		xx = pgpVerifySelf(digp, selfsig, all, i);
++
++	    selfsig = pgpDigParamsFree(selfsig);
++	    if (xx)
++		break;
++	    expect = 0;
++	}
++
++	if (pkt->tag == PGPTAG_PUBLIC_SUBKEY)
++	    expect = PGPTAG_SIGNATURE;
++	prevtag = pkt->tag;
++
++	i++;
++	p += (pkt->body - pkt->head) + pkt->blen;
++	if (pkttype == PGPTAG_SIGNATURE)
++	    break;
++
++	if (alloced <= i) {
++	    alloced *= 2;
++	    all = xrealloc(all, alloced * sizeof(*all));
++	}
+     }
+ 
+-    rc = (digp && (p == pend)) ? 0 : -1;
++    rc = (digp && (p == pend) && expect == 0) ? 0 : -1;
+ 
++    free(all);
+     if (ret && rc == 0) {
+ 	*ret = digp;
+     } else {
+@@ -1063,8 +1152,7 @@ int pgpPrtParamsSubkeys(const uint8_t *pkts, size_t pktlen,
+ 		digps = xrealloc(digps, alloced * sizeof(*digps));
+ 	    }
+ 
+-	    digps[count] = xcalloc(1, sizeof(**digps));
+-	    digps[count]->tag = PGPTAG_PUBLIC_SUBKEY;
++	    digps[count] = pgpDigParamsNew(PGPTAG_PUBLIC_SUBKEY);
+ 	    /* Copy UID from main key to subkey */
+ 	    digps[count]->userid = xstrdup(mainkey->userid);
+ 
+diff --git a/sign/rpmgensig.c b/sign/rpmgensig.c
+index 771d01098..b33fe996c 100644
+--- a/sign/rpmgensig.c
++++ b/sign/rpmgensig.c
+@@ -409,7 +409,7 @@ static int haveSignature(rpmtd sigtd, Header h)
+ 	pgpPrtParams(oldtd.data, oldtd.count, PGPTAG_SIGNATURE, &sig2);
+ 	if (pgpDigParamsCmp(sig1, sig2) == 0)
+ 	    rc = 1;
+-	pgpDigParamsFree(sig2);
++	sig2 = pgpDigParamsFree(sig2);
+     }
+     pgpDigParamsFree(sig1);
+     rpmtdFreeData(&oldtd);
+diff --git a/tests/Makefile.am b/tests/Makefile.am
+index 5f5207e56..309347262 100644
+--- a/tests/Makefile.am
++++ b/tests/Makefile.am
+@@ -87,6 +87,9 @@ EXTRA_DIST += data/SPECS/hello-config-buildid.spec
+ EXTRA_DIST += data/SPECS/hello-cd.spec
+ EXTRA_DIST += data/keys/rpm.org-rsa-2048-test.pub
+ EXTRA_DIST += data/keys/rpm.org-rsa-2048-test.secret
++EXTRA_DIST += data/keys/CVE-2021-3521-badbind.asc
++EXTRA_DIST += data/keys/CVE-2021-3521-nosubsig.asc
++EXTRA_DIST += data/keys/CVE-2021-3521-nosubsig-last.asc
+ EXTRA_DIST += data/macros.testfile
+ 
+ # testsuite voodoo
+diff --git a/tests/data/keys/CVE-2021-3521-badbind.asc b/tests/data/keys/CVE-2021-3521-badbind.asc
+new file mode 100644
+index 000000000..aea00f9d7
+--- /dev/null
++++ b/tests/data/keys/CVE-2021-3521-badbind.asc
+@@ -0,0 +1,25 @@
++-----BEGIN PGP PUBLIC KEY BLOCK-----
++Version: rpm-4.17.90 (NSS-3)
++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++=WCfs
++-----END PGP PUBLIC KEY BLOCK-----
++
+diff --git a/tests/data/keys/CVE-2021-3521-nosubsig-last.asc b/tests/data/keys/CVE-2021-3521-nosubsig-last.asc
+new file mode 100644
+index 000000000..aea00f9d7
+--- /dev/null
++++ b/tests/data/keys/CVE-2021-3521-nosubsig-last.asc
+@@ -0,0 +1,25 @@
++-----BEGIN PGP PUBLIC KEY BLOCK-----
++Version: rpm-4.17.90 (NSS-3)
++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++=WCfs
++-----END PGP PUBLIC KEY BLOCK-----
++
+diff --git a/tests/data/keys/CVE-2021-3521-nosubsig.asc b/tests/data/keys/CVE-2021-3521-nosubsig.asc
+new file mode 100644
+index 000000000..3a2e7417f
+--- /dev/null
++++ b/tests/data/keys/CVE-2021-3521-nosubsig.asc
+@@ -0,0 +1,37 @@
++-----BEGIN PGP PUBLIC KEY BLOCK-----
++Version: rpm-4.17.90 (NSS-3)
++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++=rRop
++-----END PGP PUBLIC KEY BLOCK-----
++
+diff --git a/tests/rpmsigdig.at b/tests/rpmsigdig.at
+index 09fcdd525..a74f400ae 100644
+--- a/tests/rpmsigdig.at
++++ b/tests/rpmsigdig.at
+@@ -212,6 +212,34 @@ UNW2iqnN3BA7guhOv6OMiROF1+I7Q5nWT63mQC7IgQ==
+ [])
+ AT_CLEANUP
+ 
++AT_SETUP([rpmkeys --import invalid keys])
++AT_KEYWORDS([rpmkeys import])
++RPMDB_INIT
++
++AT_CHECK([
++runroot rpmkeys --import /data/keys/CVE-2021-3521-badbind.asc
++],
++[1],
++[],
++[error: /data/keys/CVE-2021-3521-badbind.asc: key 1 import failed.]
++)
++AT_CHECK([
++runroot rpmkeys --import /data/keys/CVE-2021-3521-nosubsig.asc
++],
++[1],
++[],
++[error: /data/keys/CVE-2021-3521-nosubsig.asc: key 1 import failed.]
++)
++
++AT_CHECK([
++runroot rpmkeys --import /data/keys/CVE-2021-3521-nosubsig-last.asc
++],
++[1],
++[],
++[error: /data/keys/CVE-2021-3521-nosubsig-last.asc: key 1 import failed.]
++)
++AT_CLEANUP
++
+ # ------------------------------
+ # Test pre-built package verification
+ AT_SETUP([rpmkeys -K <signed> 1])
+-- 
+2.34.1
+
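Review bot: In the new `pgpPrtParams` loop in rpmio/rpmpgp.c, the `selfsig` object created by `selfsig = pgpDigParamsNew(pkt->tag);` is leaked when the next statement, `if (pgpPrtPkt(pkt, selfsig ? selfsig : digp)) break;`, takes the break: it is only released inside the following `if (selfsig)` block, and after the loop only `free(all)` and `digp` are cleaned up. A key whose subkey is followed by an undecodable signature packet therefore leaks one params object per failed import. Releasing it on the way out, `selfsig = pgpDigParamsFree(selfsig);` next to `free(all)`, closes the path without changing the accept/reject outcome (`pgpDigParamsFree` is already used with a NULL-returning assignment in the sign/rpmgensig.c hunk). The function's tail is outside the hunk, so I cannot confirm whether it is handled further down.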
diff --git a/SPECS/rpm.spec b/SPECS/rpm.spec
index 669941a..633655d 100644
--- a/SPECS/rpm.spec
+++ b/SPECS/rpm.spec
@@ -42,7 +42,7 @@
 
 %global rpmver 4.14.3
 #global snapver rc2
-%global rel 18.2
+%global rel 21
 
 %global srcver %{version}%{?snapver:-%{snapver}}
 %global srcdir %{?snapver:testing}%{!?snapver:%{name}-%(echo %{version} | cut -d'.' -f1-2).x}
@@ -116,10 +116,12 @@ Patch151: 0001-Unblock-signals-in-forked-scriptlets.patch
 Patch152: rpm-4.14.3-fix-ambiguous-diagnostics-on-file-triggers.patch
 Patch153: rpm-4.14.3-ELF-files-strip-when-debuginfo-disabled.patch
 Patch154: rpm-4.14.3-more-careful-sig-hdr-copy.patch
-Patch155: rpm-4.14.3-preserve-kmod-secure-boot-signature.patch
 Patch156: rpm-4.14.3-hdrblobInit-add-bounds-check.patch
 Patch157: rpm-4.14.3-add-read-only-support-for-sqlite.patch
 Patch158: rpm-4.14.3-imp-covscan-fixes.patch
+Patch159: rpm-4.14.3-add-path-query-option.patch
+Patch160: rpm-4.14.3-macroize-find-debuginfo-script-location.patch
+Patch161: rpm-4.14.3-validate-and-require-subkey-binding-sigs.patch
 
 # Python 3 string API sanity
 Patch500: 0001-In-Python-3-return-all-our-string-data-as-surrogate-.patch
@@ -787,6 +789,18 @@ make check || cat tests/rpmtests.log
 %doc doc/librpm/html/*
 
 %changelog
+* Mon Jan 10 2022 Michal Domonkos <mdomonko@redhat.com> - 4.14.3-21
+- Address covscan issues in binding sigs validation patch (#1958480)
+
+* Thu Dec 09 2021 Michal Domonkos <mdomonko@redhat.com> - 4.14.3-20
+- Add --path query option (#1940895)
+- Macroize find-debuginfo script location (#2019540)
+- Validate and require subkey binding sigs on PGP pubkeys (#1958480)
+- Fixes CVE-2021-3521
+
+* Wed Oct 06 2021 Michal Domonkos <mdomonko@redhat.com> - 4.14.3-19
+- Unbreak in-tree kmod strip by reverting brp-strip fix (#1967291)
+
 * Thu Nov 04 2021 Matthew Almond <malmond@fb.com> - 4.14.3-18.2
 - Include PR1779