diff --git a/SOURCES/openssh-6.3p1-krb5-use-default_ccache_name.patch b/SOURCES/openssh-6.3p1-krb5-use-default_ccache_name.patch
index dd201a4..773c788 100644
--- a/SOURCES/openssh-6.3p1-krb5-use-default_ccache_name.patch
+++ b/SOURCES/openssh-6.3p1-krb5-use-default_ccache_name.patch
@@ -52,7 +52,7 @@ diff -up openssh-6.3p1/auth-krb5.c.ccache_name openssh-6.3p1/auth-krb5.c
#ifdef USE_PAM
if (options.use_pam)
-@@ -235,10 +256,34 @@ auth_krb5_password(Authctxt *authctxt, c
+@@ -235,10 +256,36 @@ auth_krb5_password(Authctxt *authctxt, c
void
krb5_cleanup_proc(Authctxt *authctxt)
{
@@ -64,24 +64,26 @@ diff -up openssh-6.3p1/auth-krb5.c.ccache_name openssh-6.3p1/auth-krb5.c
krb5_cc_destroy(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache);
authctxt->krb5_fwd_ccache = NULL;
+
-+ strncpy(krb5_ccname, authctxt->krb5_ccname, sizeof(krb5_ccname) - 10);
-+ krb5_ccname_dir_start = strchr(krb5_ccname, ':') + 1;
-+ *krb5_ccname_dir_start++ = '\0';
-+ if (strcmp(krb5_ccname, "DIR") == 0) {
-+
-+ strcat(krb5_ccname_dir_start, "/primary");
-+
-+ if (stat(krb5_ccname_dir_start, &krb5_ccname_stat) == 0) {
-+ if (unlink(krb5_ccname_dir_start) == 0) {
-+ krb5_ccname_dir_end = strrchr(krb5_ccname_dir_start, '/');
-+ *krb5_ccname_dir_end = '\0';
-+ if (rmdir(krb5_ccname_dir_start) == -1)
-+ debug("cache dir '%s' remove failed: %s", krb5_ccname_dir_start, strerror(errno));
++ if (authctxt->krb5_ccname != NULL) {
++ strncpy(krb5_ccname, authctxt->krb5_ccname, sizeof(krb5_ccname) - 10);
++ krb5_ccname_dir_start = strchr(krb5_ccname, ':') + 1;
++ *krb5_ccname_dir_start++ = '\0';
++ if (strcmp(krb5_ccname, "DIR") == 0) {
++
++ strcat(krb5_ccname_dir_start, "/primary");
++
++ if (stat(krb5_ccname_dir_start, &krb5_ccname_stat) == 0) {
++ if (unlink(krb5_ccname_dir_start) == 0) {
++ krb5_ccname_dir_end = strrchr(krb5_ccname_dir_start, '/');
++ *krb5_ccname_dir_end = '\0';
++ if (rmdir(krb5_ccname_dir_start) == -1)
++ debug("cache dir '%s' remove failed: %s", krb5_ccname_dir_start, strerror(errno));
++ }
++ else
++ debug("cache primary file '%s', remove failed: %s",
++ krb5_ccname_dir_start, strerror(errno)
++ );
+ }
-+ else
-+ debug("cache primary file '%s', remove failed: %s",
-+ krb5_ccname_dir_start, strerror(errno)
-+ );
+ }
+ }
}
diff --git a/SOURCES/openssh-8.7p1-upstream-cve-2021-41617.patch b/SOURCES/openssh-8.7p1-upstream-cve-2021-41617.patch
new file mode 100644
index 0000000..36bd6c4
--- /dev/null
+++ b/SOURCES/openssh-8.7p1-upstream-cve-2021-41617.patch
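Review bot: The added `if (authctxt->krb5_ccname != NULL)` guard closes the NULL case but leaves `krb5_ccname_dir_start = strchr(krb5_ccname, ':') + 1;` forming a pointer from a NULL result whenever the copied cache name carries no `TYPE:` prefix, and the next line, `*krb5_ccname_dir_start++ = '\0';`, writes through it. The `strncpy(..., sizeof(krb5_ccname) - 10)` above it also does not terminate the copy when the name is at least that long, so the later `strchr`/`strcmp`/`strcat` read past the copied bytes unless `krb5_ccname` is zeroed where it is declared, which is outside this hunk. Both are closed by terminating after the copy and testing the `strchr` result before the split, as below; the `strcat` of `/primary` is then covered by the 10-byte headroom. `krb5_cleanup_proc()` opens, and its locals are declared, outside this hunk.
```c
	if (authctxt->krb5_ccname != NULL) {
		strncpy(krb5_ccname, authctxt->krb5_ccname, sizeof(krb5_ccname) - 10);
		krb5_ccname[sizeof(krb5_ccname) - 10] = '\0';	/* strncpy does not terminate on truncation */
		krb5_ccname_dir_start = strchr(krb5_ccname, ':');
		if (krb5_ccname_dir_start == NULL) {
			debug("cache name '%s' has no type prefix, skipping cleanup", krb5_ccname);
		} else {
			*krb5_ccname_dir_start++ = '\0';
			if (strcmp(krb5_ccname, "DIR") == 0) {
				/* ... unchanged: strcat "/primary", stat/unlink/rmdir and debug() paths ... */
			}
		}
	}
```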
@@ -0,0 +1,25 @@
+diff --git a/auth2-pubkey.c b/auth2-pubkey.c
+index b8d1040d..0134d694 100644
+--- a/auth2-pubkey.c
++++ b/auth2-pubkey.c
+@@ -56,6 +56,7 @@
+ # include
+ #endif
+ #include
++#include
+ #include
+ #include
+ #include
+@@ -2695,6 +2696,12 @@ subprocess(const char *tag, const char *command,
+ }
+ closefrom(STDERR_FILENO + 1);
+
++ if (geteuid() == 0 &&
++ initgroups(pw->pw_name, pw->pw_gid) == -1) {
++ error("%s: initgroups(%s, %u): %s", tag,
++ pw->pw_name, (u_int)pw->pw_gid, strerror(errno));
++ _exit(1);
++ }
+ /* Don't use permanently_set_uid() here to avoid fatal() */
+ if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) != 0) {
+ error("%s: setresgid %u: %s", tag, (u_int)pw->pw_gid,
diff --git a/SPECS/openssh.spec b/SPECS/openssh.spec
index e1f50a5..cd9c459 100644
--- a/SPECS/openssh.spec
+++ b/SPECS/openssh.spec
@@ -64,7 +64,7 @@
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
%define openssh_ver 7.4p1
-%define openssh_rel 21
+%define openssh_rel 22
%define pam_ssh_agent_ver 0.10.3
%define pam_ssh_agent_rel 2
@@ -254,6 +254,8 @@ Patch960: openssh-7.5p1-sftp-empty-files.patch
Patch961: openssh-7.4p1-CVE-2018-15473.patch
# invalidate supplemental group cache used by temporarily_use_uid() (#1619079)
Patch962: openssh-7.4p1-uidswap.patch
+# CVE-2021-41617
+Patch978: openssh-8.7p1-upstream-cve-2021-41617.patch
License: BSD
Group: Applications/Internet
@@ -510,6 +512,7 @@ popd
%patch960 -p1 -b .sftp-empty
%patch961 -p1 -b .CVE-2018-15473
%patch962 -p1 -b .uidswap
+%patch978 -p1 -b .cve-2021-41617
%patch200 -p1 -b .audit
%patch202 -p1 -b .audit-race
@@ -835,6 +838,10 @@ getent passwd sshd >/dev/null || \
%endif
%changelog
+* Thu Sep 30 2021 Dmitry Belyavskiy - 7.4p1-22 + 0.10.3-2
+- avoid segfault in Kerberos cache cleanup (#1999263)
+- fix CVE-2021-41617 (#2008884)
+
* Tue Jun 25 2019 Jakub Jelen - 7.4p1-21 + 0.10.3-2
- Avoid double comma in the default cipher list in FIPS mode (#1722446)
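Review bot: The include added at `+@@ -56,6 +56,7 @@` shows no header name in this rendering, so the stored patch file needs a direct look to confirm it pulls in the header that declares initgroups() (`<grp.h>` on glibc); without a prototype the call would presumably build with only an implicit-declaration warning on the 7.4p1 tree this spec targets, with no type checking of the gid argument. The guard itself calls initgroups() only when the effective uid is 0 and `_exit(1)`s the child on failure before the `setresgid()` that follows, which is the ordering the fix needs so that the subprocess's supplementary groups come from the target user's entry rather than whatever the parent held. `subprocess()` begins and ends outside the hunk. The file is named 8.7p1 while the hunk is against auth2-pubkey.c at line 2695, so this looks like a rebased backport rather than the verbatim upstream diff; the spec's `# CVE-2021-41617` comment would be a good place to say so and name the upstream commit it was taken from.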