diff --git a/rpm-4.16.1.3-add-path-query-option.patch b/rpm-4.16.1.3-add-path-query-option.patch
new file mode 100644
index 0000000..0a44718
--- /dev/null
+++ b/rpm-4.16.1.3-add-path-query-option.patch
@@ -0,0 +1,194 @@
+From ce8af503733b5661efa046cc7f5f68ee0dad75cc Mon Sep 17 00:00:00 2001
+From: Michal Domonkos <mdomonko@redhat.com>
+Date: Mon, 16 Aug 2021 18:21:02 +0200
+Subject: [PATCH] Add support for RPMDBI_BASENAMES on file queries
+
+There are legitimate reasons (such as rhbz#1940895 or the included test)
+for wanting the former behavior where all file states were considered in
+file queries prior to commit 9ad57bda4a82b9847826daa766b4421d877bb3d9,
+so celebrate the tenth anniversary of that commit by adding a CLI switch
+(a new package selector --path), as contemplated back then.
+
+Update the man page for --file to reflect it's current behavior and make
+--path that more obvious.
+
+Resolves: rhbz#1940895
+
+Combined with d1aebda01033bc8ba0d748b49f6fad9a5c0caa3f and backported
+for 4.16.1.3.
+---
+ doc/rpm.8         |  9 ++++++--
+ lib/poptQV.c      |  6 +++++-
+ lib/query.c       |  7 +++++--
+ lib/rpmcli.h      |  1 +
+ tests/rpmquery.at | 52 +++++++++++++++++++++++++++++++++++++++++++++++
+ 5 files changed, 70 insertions(+), 5 deletions(-)
+
+diff --git a/doc/rpm.8 b/doc/rpm.8
+index 80055b675..ab7364cf6 100644
+--- a/doc/rpm.8
++++ b/doc/rpm.8
+@@ -57,7 +57,7 @@ rpm \- RPM Package Manager
+ .PP
+ 
+  [\fB\fIPACKAGE_NAME\fB\fR]
+- [\fB-a,--all [\fISELECTOR\fR]\fR] [\fB-f,--file \fIFILE\fB\fR]
++ [\fB-a,--all [\fISELECTOR\fR]\fR] [\fB-f,--file \fIFILE\fB\fR] [\fB--path \fIPATH\fB\fR]
+  [\fB-g,--group \fIGROUP\fB\fR] [\fB-p,--package \fIPACKAGE_FILE\fB\fR]
+  [\fB--hdrid \fISHA1\fB\fR] [\fB--pkgid \fIMD5\fB\fR] [\fB--tid \fITID\fB\fR]
+  [\fB--querybynumber \fIHDRNUM\fB\fR] [\fB--triggeredby \fIPACKAGE_NAME\fB\fR]
+@@ -569,7 +569,7 @@ starts with "b".
+ List duplicated packages.
+ .TP
+ \fB-f, --file \fIFILE\fB\fR
+-Query package owning \fIFILE\fR.
++Query package owning installed \fIFILE\fR.
+ .TP
+ \fB--filecaps\fR
+ List file names with POSIX1.e capabilities.
+@@ -612,6 +612,11 @@ that will be expanded to paths that are substituted in place of
+ the package manifest as additional \fIPACKAGE_FILE\fR
+ arguments to the query.
+ .TP
++\fB--path \fIPATH\fB\fR
++Query package(s) owning \fIPATH\fR, whether the file is installed or not.
++Multiple packages may own a \fIPATH\fR, but the file is only owned by the
++package installed last.
++.TP
+ \fB--pkgid \fIMD5\fB\fR
+ Query package that contains a given package identifier, i.e. the
+ \fIMD5\fR digest of the combined header and
+diff --git a/lib/poptQV.c b/lib/poptQV.c
+index d9d1fad75..9b6101009 100644
+--- a/lib/poptQV.c
++++ b/lib/poptQV.c
+@@ -27,6 +27,7 @@ struct rpmQVKArguments_s rpmQVKArgs;
+ #define POPT_WHATENHANCES	-1014
+ #define POPT_WHATOBSOLETES	-1015
+ #define POPT_WHATCONFLICTS	-1016
++#define POPT_QUERYBYPATH	-1017
+ 
+ /* ========== Query/Verify/Signature source args */
+ static void rpmQVSourceArgCallback( poptContext con,
+@@ -58,6 +59,7 @@ static void rpmQVSourceArgCallback( poptContext con,
+     case POPT_WHATSUPPLEMENTS: qva->qva_source |= RPMQV_WHATSUPPLEMENTS; break;
+     case POPT_WHATENHANCES: qva->qva_source |= RPMQV_WHATENHANCES; break;
+     case POPT_TRIGGEREDBY: qva->qva_source |= RPMQV_TRIGGEREDBY; break;
++    case POPT_QUERYBYPATH: qva->qva_source |= RPMQV_PATH_ALL; break;
+     case POPT_QUERYBYPKGID: qva->qva_source |= RPMQV_PKGID; break;
+     case POPT_QUERYBYHDRID: qva->qva_source |= RPMQV_HDRID; break;
+     case POPT_QUERYBYTID: qva->qva_source |= RPMQV_TID; break;
+@@ -80,7 +82,9 @@ struct poptOption rpmQVSourcePoptTable[] = {
+  { "checksig", 'K', POPT_ARGFLAG_DOC_HIDDEN, NULL, 'K',
+ 	N_("rpm checksig mode"), NULL },
+  { "file", 'f', 0, 0, 'f',
+-	N_("query/verify package(s) owning file"), "FILE" },
++	N_("query/verify package(s) owning installed file"), "FILE" },
++ { "path", '\0', 0, 0, POPT_QUERYBYPATH,
++	N_("query/verify package(s) owning path, installed or not"), "PATH" },
+  { "group", 'g', 0, 0, 'g',
+ 	N_("query/verify package(s) in group"), "GROUP" },
+  { "package", 'p', 0, 0, 'p',
+diff --git a/lib/query.c b/lib/query.c
+index fdabe6e52..9a71f0dc5 100644
+--- a/lib/query.c
++++ b/lib/query.c
+@@ -445,6 +445,7 @@ static rpmdbMatchIterator initQueryIterator(QVA_t qva, rpmts ts, const char * ar
+ 	}
+ 	/* fallthrough on absolute and relative paths */
+     case RPMQV_PATH:
++    case RPMQV_PATH_ALL:
+     {   char * fn;
+ 
+ 	for (s = arg; *s != '\0'; s++)
+@@ -463,8 +464,10 @@ static rpmdbMatchIterator initQueryIterator(QVA_t qva, rpmts ts, const char * ar
+ 	    fn = xstrdup(arg);
+ 	(void) rpmCleanPath(fn);
+ 
+-	/* XXX Add a switch to enable former BASENAMES behavior? */
+-	mi = rpmtsInitIterator(ts, RPMDBI_INSTFILENAMES, fn, 0);
++	rpmDbiTagVal tag = RPMDBI_INSTFILENAMES;
++	if (qva->qva_source == RPMQV_PATH_ALL)
++	    tag = RPMDBI_BASENAMES;
++	mi = rpmtsInitIterator(ts, tag, fn, 0);
+ 	if (mi == NULL)
+ 	    mi = rpmtsInitIterator(ts, RPMDBI_PROVIDENAME, fn, 0);
+ 
+diff --git a/lib/rpmcli.h b/lib/rpmcli.h
+index 4886c2453..8ef992ff2 100644
+--- a/lib/rpmcli.h
++++ b/lib/rpmcli.h
+@@ -81,6 +81,7 @@ rpmcliFini(poptContext optCon);
+ enum rpmQVSources_e {
+     RPMQV_PACKAGE = 0,	/*!< ... from package name db search. */
+     RPMQV_PATH,		/*!< ... from file path db search. */
++    RPMQV_PATH_ALL,	/*!< ... from file path db search (all states). */
+     RPMQV_ALL,		/*!< ... from each installed package. */
+     RPMQV_RPM, 		/*!< ... from reading binary rpm package. */
+     RPMQV_GROUP,	/*!< ... from group db search. */
+diff --git a/tests/rpmquery.at b/tests/rpmquery.at
+index 9a4f1cb76..335d5ee0d 100644
+--- a/tests/rpmquery.at
++++ b/tests/rpmquery.at
+@@ -201,6 +201,58 @@ runroot rpm \
+ 
+ AT_CLEANUP
+ 
++# ------------------------------
++# query a package by a file
++AT_SETUP([rpm -qf])
++AT_KEYWORDS([query])
++AT_CHECK([
++RPMDB_INIT
++runroot rpm \
++  --nodeps \
++  -i /data/RPMS/hello-1.0-1.i386.rpm
++runroot rpm \
++  -qf /usr/local/bin/hello
++],
++[0],
++[hello-1.0-1.i386
++],
++[])
++AT_CLEANUP
++
++AT_SETUP([rpm -qf on non-installed file])
++AT_KEYWORDS([query])
++AT_CHECK([
++RPMDB_INIT
++runroot rpm \
++  --nodeps \
++  --excludedocs \
++  -i /data/RPMS/hello-1.0-1.i386.rpm
++runroot rpm \
++  -qf /usr/share/doc/hello-1.0/FAQ
++],
++[1],
++[],
++[error: file /usr/share/doc/hello-1.0/FAQ: No such file or directory
++])
++AT_CLEANUP
++
++AT_SETUP([rpm -q --path on non-installed file])
++AT_KEYWORDS([query])
++AT_CHECK([
++RPMDB_INIT
++runroot rpm \
++  --nodeps \
++  --excludedocs \
++  -i /data/RPMS/hello-1.0-1.i386.rpm
++runroot rpm \
++  -q --path /usr/share/doc/hello-1.0/FAQ
++],
++[0],
++[hello-1.0-1.i386
++],
++[])
++AT_CLEANUP
++
+ # ------------------------------
+ AT_SETUP([integer array query])
+ AT_KEYWORDS([query])
+-- 
+2.34.1
+
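Review bot: In the lib/rpmcli.h part, `RPMQV_PATH_ALL` is inserted between `RPMQV_PATH` and `RPMQV_ALL`, and because only `RPMQV_PACKAGE = 0` has an explicit value, every later enumerator shifts by one. rpmcli.h appears to be an installed API header, so a program built against the old numbering would hand the updated library a stale `qva_source`. Appending the new enumerator at the end of `enum rpmQVSources_e` (the end of the enum is outside the hunk) would keep the existing values stable. In lib/query.c the block is also reached by fallthrough from the preceding case, so the `qva->qva_source == RPMQV_PATH_ALL` test is what keeps that path on `RPMDBI_INSTFILENAMES`. A comment such as `/* only --path searches all file states; the fallthrough stays installed-only */` would make that explicit.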
diff --git a/rpm-4.16.1.3-bump-rpmdb-cookie-hash-to-SHA256-for-FIPS.patch b/rpm-4.16.1.3-bump-rpmdb-cookie-hash-to-SHA256-for-FIPS.patch
new file mode 100644
index 0000000..998e1f8
--- /dev/null
+++ b/rpm-4.16.1.3-bump-rpmdb-cookie-hash-to-SHA256-for-FIPS.patch
@@ -0,0 +1,32 @@
+From a26f6655546158153807017e7ded2aff5e4e10e4 Mon Sep 17 00:00:00 2001
+From: Panu Matilainen <pmatilai@redhat.com>
+Date: Mon, 31 Jan 2022 11:13:35 +0200
+Subject: [PATCH] Bump hash for rpmdb cookie to SHA256 to appease FIPS
+
+The rpmdb cookie is not a security feature, but as these existing
+hashes are more convenient than coming up with our own... we then
+run into the great big wall of FIPS which in its current incarnation
+disallows use of SHA1. And so rpmdbCookie() fails under current FIPS.
+
+Just bumping the algorithm to SHA256 seems the path of lowest
+resistance, whether that algo makes sense for this purpose or not.
+---
+ lib/rpmdb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/rpmdb.c b/lib/rpmdb.c
+index 01d49a641..00bd4236f 100644
+--- a/lib/rpmdb.c
++++ b/lib/rpmdb.c
+@@ -2642,7 +2642,7 @@ char *rpmdbCookie(rpmdb db)
+     rpmdbIndexIterator ii = rpmdbIndexIteratorInit(db, RPMDBI_NAME);
+ 
+     if (ii) {
+-	DIGEST_CTX ctx = rpmDigestInit(PGPHASHALGO_SHA1, RPMDIGEST_NONE);
++	DIGEST_CTX ctx = rpmDigestInit(PGPHASHALGO_SHA256, RPMDIGEST_NONE);
+ 	const void *key = 0;
+ 	size_t keylen = 0;
+ 	while ((rpmdbIndexIteratorNext(ii, &key, &keylen)) == 0) {
+-- 
+2.34.1
+
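Review bot: The changed `rpmDigestInit()` call in rpmdbCookie() carries no comment on why SHA256 is used, so the reasoning lives only in the commit message. A line such as `/* not a security feature; SHA256 only because FIPS mode rejects SHA1 */` above it would stop a later reader from treating the cookie as an integrity check. The visible lines show no test of `ctx` before the loop. If the rest of the function (which continues outside the hunk) does not check it either, a rejected algorithm would fail the same way again. Cookie values that callers stored before the update will presumably stop matching, which is worth a changelog mention.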
diff --git a/rpm-4.16.1.3-skip-recorded-symlinks-in-setperms.patch b/rpm-4.16.1.3-skip-recorded-symlinks-in-setperms.patch
new file mode 100644
index 0000000..6e3acf8
--- /dev/null
+++ b/rpm-4.16.1.3-skip-recorded-symlinks-in-setperms.patch
@@ -0,0 +1,40 @@
+From 6cdcdd8770d1f0b9ba706dcc1e6392a59dbe3fe5 Mon Sep 17 00:00:00 2001
+From: Michal Domonkos <mdomonko@redhat.com>
+Date: Tue, 7 Dec 2021 08:08:37 +0100
+Subject: [PATCH] Skip recorded symlinks in --setperms (RhBug:1900662)
+
+If a package contains a symlink in the buildroot which is declared as a
+ghost or config file but is a regular file or directory on the system
+where it's installed, a --setperms call will reset its permissions to
+those of a symlink (777 on Linux), which almost certainly is not the
+correct thing to do.
+
+To fix that, just skip files that were recorded as symlinks.
+
+This is a special case of a general issue in --setperms; since file
+permission semantics may change depending on the file type, to stay on
+the safe side, any (ghost or config) file whose type changes after
+installation should probably be skipped.  However, symlinks are the most
+prominent case here, so let's just focus on that now and avoid adding
+too much cleverness to a popt alias (this got us into trouble not too
+long ago, see commits 38c2f6e and 0d83637).  We may revisit this in the
+eventual C implementation.
+---
+ rpmpopt.in | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/rpmpopt.in b/rpmpopt.in
+index 27d298651..d5a6b140b 100644
+--- a/rpmpopt.in
++++ b/rpmpopt.in
+@@ -44,6 +44,7 @@ rpm	alias --scripts --qf '\
+ 	--POPTdesc=$"list install/erase scriptlets from package(s)"
+ 
+ rpm	alias --setperms -q --qf '[\[ -L %{FILENAMES:shescape} \] || \
++        \[ -n %{FILELINKTOS:shescape} \] || \
+         ( \[ $((%{FILEFLAGS} & 2#1001000)) != 0 \] && \[ ! -e %{FILENAMES:shescape} \] ) || \
+         chmod %7{FILEMODES:octal} %{FILENAMES:shescape}\n]' \
+ 		   --pipe "grep -v \(none\) | grep '^. -L ' | sed 's/chmod .../chmod /' | sh" \
+-- 
+2.34.1
+
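Review bot: The added `\[ -n %{FILELINKTOS:shescape} \] ||` guard is undocumented in rpmpopt.in, and the alias is now a three-guard shell one-liner that is hard to audit. A comment above the alias, e.g. `# skip: symlink on disk, recorded as symlink, or flagged file missing on disk`, would record the intent of each guard. As the description itself notes, other mismatches between the recorded and the on-disk file type still reach `chmod`. The `-L` test and the `chmod` are also separate steps in the generated script, so the path can change between them. Both limits are worth stating in that comment. The alias continues past the end of the hunk.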
diff --git a/rpm-4.16.1.3-validate-and-require-subkey-binding-sigs.patch b/rpm-4.16.1.3-validate-and-require-subkey-binding-sigs.patch
index a1753a4..878f6e4 100644
--- a/rpm-4.16.1.3-validate-and-require-subkey-binding-sigs.patch
+++ b/rpm-4.16.1.3-validate-and-require-subkey-binding-sigs.patch
@@ -1,4 +1,4 @@
-From a73895e6f03bef5e95a738ff680f7c42151f3959 Mon Sep 17 00:00:00 2001
+From 32b21da4bae5b8fbe0f42c31b723c4963b4b2512 Mon Sep 17 00:00:00 2001
 From: Demi Marie Obenour <demi@invisiblethingslab.com>
 Date: Thu, 6 May 2021 18:34:45 -0400
 Subject: [PATCH] Validate and require subkey binding signatures on PGP public
@@ -18,22 +18,25 @@ Combined with:
 5ff86764b17f31535cb247543a90dd739076ec38
 b5e8bc74b2b05aa557f663fe227b94d2bc64fbd8
 9f03f42e2614a68f589f9db8fe76287146522c0c
+b6dffb6dc5ffa2ddc389743f0507876cab341315 (mem-leak fix)
+ae3d2d234ae47ff85229d3fce97a266fa1aa5a61 (use-after-free fix)
 
 Fixes CVE-2021-3521.
 ---
- rpmio/rpmpgp.c                                | 123 +++++++++++++++---
+ rpmio/rpmpgp.c                                | 122 +++++++++++++++---
+ sign/rpmgensig.c                              |   2 +-
  tests/Makefile.am                             |   3 +
  tests/data/keys/CVE-2021-3521-badbind.asc     |  25 ++++
  .../data/keys/CVE-2021-3521-nosubsig-last.asc |  25 ++++
  tests/data/keys/CVE-2021-3521-nosubsig.asc    |  37 ++++++
  tests/rpmsigdig.at                            |  28 ++++
- 6 files changed, 224 insertions(+), 17 deletions(-)
+ 7 files changed, 224 insertions(+), 18 deletions(-)
  create mode 100644 tests/data/keys/CVE-2021-3521-badbind.asc
  create mode 100644 tests/data/keys/CVE-2021-3521-nosubsig-last.asc
  create mode 100644 tests/data/keys/CVE-2021-3521-nosubsig.asc
 
 diff --git a/rpmio/rpmpgp.c b/rpmio/rpmpgp.c
-index d0688ebe9..b12410d67 100644
+index d0688ebe9..3372d577d 100644
 --- a/rpmio/rpmpgp.c
 +++ b/rpmio/rpmpgp.c
 @@ -515,7 +515,7 @@ pgpDigAlg pgpDigAlgFree(pgpDigAlg alg)
@@ -76,7 +79,7 @@ index d0688ebe9..b12410d67 100644
      }	break;
      default:
  	rpmlog(RPMLOG_WARNING, _("Unsupported version of key: V%d\n"), version);
-@@ -1041,36 +1039,128 @@ unsigned int pgpDigParamsAlgo(pgpDigParams digp, unsigned int algotype)
+@@ -1041,36 +1039,127 @@ unsigned int pgpDigParamsAlgo(pgpDigParams digp, unsigned int algotype)
      return algo;
  }
  
@@ -178,12 +181,11 @@ index d0688ebe9..b12410d67 100644
 -	p += (pkt.body - pkt.head) + pkt.blen;
 +	if (selfsig) {
 +	    /* subkeys must be followed by binding signature */
-+	    if (prevtag == PGPTAG_PUBLIC_SUBKEY) {
-+		if (selfsig->sigtype != PGPSIGTYPE_SUBKEY_BINDING)
-+		    break;
-+	    }
++	    int xx = 1; /* assume failure */
 +
-+	    int xx = pgpVerifySelf(digp, selfsig, all, i);
++	    if (!(prevtag == PGPTAG_PUBLIC_SUBKEY &&
++		  selfsig->sigtype != PGPSIGTYPE_SUBKEY_BINDING))
++		xx = pgpVerifySelf(digp, selfsig, all, i);
 +
 +	    selfsig = pgpDigParamsFree(selfsig);
 +	    if (xx)
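Review bot: The rewritten guard `if (!(prevtag == PGPTAG_PUBLIC_SUBKEY && selfsig->sigtype != PGPSIGTYPE_SUBKEY_BINDING))` is a negated conjunction that has to be unpicked to see which signatures get verified. Written positively, `if (prevtag != PGPTAG_PUBLIC_SUBKEY || selfsig->sigtype == PGPSIGTYPE_SUBKEY_BINDING)` reads more directly. A short comment would also record why the early `break` was removed: `xx` stays 1, so a non-binding signature after a subkey is rejected through the same `pgpDigParamsFree()` path. The surrounding loop begins and ends outside the hunk.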
@@ -213,7 +215,7 @@ index d0688ebe9..b12410d67 100644
      if (ret && rc == 0) {
  	*ret = digp;
      } else {
-@@ -1105,8 +1195,7 @@ int pgpPrtParamsSubkeys(const uint8_t *pkts, size_t pktlen,
+@@ -1105,8 +1194,7 @@ int pgpPrtParamsSubkeys(const uint8_t *pkts, size_t pktlen,
  		digps = xrealloc(digps, alloced * sizeof(*digps));
  	    }
  
@@ -223,6 +225,19 @@ index d0688ebe9..b12410d67 100644
  	    /* Copy UID from main key to subkey */
  	    digps[count]->userid = xstrdup(mainkey->userid);
  
+diff --git a/sign/rpmgensig.c b/sign/rpmgensig.c
+index e5d191cc0..988a0f611 100644
+--- a/sign/rpmgensig.c
++++ b/sign/rpmgensig.c
+@@ -351,7 +351,7 @@ static int haveSignature(rpmtd sigtd, Header h)
+ 	pgpPrtParams(oldtd.data, oldtd.count, PGPTAG_SIGNATURE, &sig2);
+ 	if (pgpDigParamsCmp(sig1, sig2) == 0)
+ 	    rc = 1;
+-	pgpDigParamsFree(sig2);
++	sig2 = pgpDigParamsFree(sig2);
+     }
+     pgpDigParamsFree(sig1);
+     rpmtdFreeData(&oldtd);
 diff --git a/tests/Makefile.am b/tests/Makefile.am
 index f742a9e1d..328234278 100644
 --- a/tests/Makefile.am
@@ -382,5 +397,5 @@ index e1a3ab062..705fc5870 100644
  # Test pre-built package verification
  AT_SETUP([rpmkeys -K <signed> 1])
 -- 
-2.33.1
+2.34.1
 
diff --git a/rpm.spec b/rpm.spec
index f598ac7..8c9a909 100644
--- a/rpm.spec
+++ b/rpm.spec
@@ -32,7 +32,7 @@
 
 %global rpmver 4.16.1.3
 #global snapver rc1
-%global rel 9
+%global rel 10
 %global sover 9
 
 %global srcver %{rpmver}%{?snapver:-%{snapver}}
@@ -77,6 +77,9 @@ Patch105: rpm-4.16.1.3-ELF-files-strip-when-debuginfo-disabled.patch
 Patch106: rpm-4.16.1.3-unbreak-checking-of-installed-rich-deps.patch
 Patch107: rpm-4.16.1.3-fix-IMA-sig-len-assumed-const.patch
 Patch108: rpm-4.16.1.3-validate-and-require-subkey-binding-sigs.patch
+Patch109: rpm-4.16.1.3-bump-rpmdb-cookie-hash-to-SHA256-for-FIPS.patch
+Patch110: rpm-4.16.1.3-add-path-query-option.patch
+Patch111: rpm-4.16.1.3-skip-recorded-symlinks-in-setperms.patch
 
 # These are not yet upstream
 Patch906: rpm-4.7.1-geode-i686.patch
@@ -606,6 +609,12 @@ fi
 %doc doc/librpm/html/*
 
 %changelog
+* Mon Jan 31 2022 Michal Domonkos <mdomonko@redhat.com> - 4.16.1.3-10
+- Address covscan issues in binding sigs validation patch (#1943724)
+- Bump hash for rpmdb cookie to SHA256 for FIPS (#2048455)
+- Add --path query option (#2037352)
+- Skip recorded symlinks in --setperms (#2025906)
+
 * Mon Dec 13 2021 Michal Domonkos <mdomonko@redhat.com> - 4.16.1.3-9
 - Fix-up IMA signature lengths patch (#2018937)