diff --git a/.PackageKit.metadata b/.PackageKit.metadata
index e174da1..dd5f809 100644
--- a/.PackageKit.metadata
+++ b/.PackageKit.metadata
@@ -1 +1 @@
-b7805e8ddd6cee697575afe0931f10ab2e09aed0 SOURCES/PackageKit-1.1.5.tar.xz
+f749fa7a4e2c88f705ba80bae309ae257d7027fb SOURCES/PackageKit-1.1.10.tar.xz
diff --git a/.gitignore b/.gitignore
index b5a0163..3ee46b6 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/PackageKit-1.1.5.tar.xz
+SOURCES/PackageKit-1.1.10.tar.xz
diff --git a/SOURCES/0001-Do-not-set-JUST_REINSTALL-on-any-kind-of-auth-failur.patch b/SOURCES/0001-Do-not-set-JUST_REINSTALL-on-any-kind-of-auth-failur.patch
deleted file mode 100644
index cb98d62..0000000
--- a/SOURCES/0001-Do-not-set-JUST_REINSTALL-on-any-kind-of-auth-failur.patch
+++ /dev/null
@@ -1,55 +0,0 @@
-From bb9f9a8fb451d7a2d81f7390993db75491224729 Mon Sep 17 00:00:00 2001
-From: Richard Hughes <richard@hughsie.com>
-Date: Mon, 9 Apr 2018 16:39:56 +0100
-Subject: [PATCH] Do not set JUST_REINSTALL on any kind of auth failure
-
-If we try to continue the auth queue when it has been cancelled (or failed)
-then we fall upon the obscure JUST_REINSTALL transaction flag which only the
-DNF backend actually verifies.
-
-Many thanks to Matthias Gerstner <mgerstner@suse.de> for spotting the problem.
----
- src/pk-transaction.c | 27 ++++++++-------------------
- 1 file changed, 8 insertions(+), 19 deletions(-)
-
-diff --git a/src/pk-transaction.c b/src/pk-transaction.c
-index 1d006c782..ffee29f6f 100644
---- a/src/pk-transaction.c
-+++ b/src/pk-transaction.c
-@@ -2351,25 +2351,14 @@ pk_transaction_authorize_actions_finished_cb (GObject *source_object,
- 
- 	/* did not auth */
- 	if (!polkit_authorization_result_get_is_authorized (result)) {
--		if (g_strcmp0 (action_id, "org.freedesktop.packagekit.package-install") == 0 &&
--			       pk_bitfield_contain (priv->cached_transaction_flags,
--						    PK_TRANSACTION_FLAG_ENUM_ALLOW_REINSTALL)) {
--			g_debug ("allowing just reinstallation");
--			pk_bitfield_add (priv->cached_transaction_flags,
--					 PK_TRANSACTION_FLAG_ENUM_JUST_REINSTALL);
--		} else {
--			priv->waiting_for_auth = FALSE;
--			/* emit an ::StatusChanged, ::ErrorCode() and then ::Finished() */
--			pk_transaction_status_changed_emit (data->transaction, PK_STATUS_ENUM_FINISHED);
--			pk_transaction_error_code_emit (data->transaction, PK_ERROR_ENUM_NOT_AUTHORIZED,
--							"Failed to obtain authentication.");
--			pk_transaction_finished_emit (data->transaction, PK_EXIT_ENUM_FAILED, 0);
--
--			syslog (LOG_AUTH | LOG_NOTICE,
--				"uid %i failed to obtain auth",
--				priv->uid);
--			goto out;
--		}
-+		priv->waiting_for_auth = FALSE;
-+		/* emit an ::StatusChanged, ::ErrorCode() and then ::Finished() */
-+		pk_transaction_status_changed_emit (data->transaction, PK_STATUS_ENUM_FINISHED);
-+		pk_transaction_error_code_emit (data->transaction, PK_ERROR_ENUM_NOT_AUTHORIZED,
-+						"Failed to obtain authentication.");
-+		pk_transaction_finished_emit (data->transaction, PK_EXIT_ENUM_FAILED, 0);
-+		syslog (LOG_AUTH | LOG_NOTICE, "uid %i failed to obtain auth", priv->uid);
-+		goto out;
- 	}
- 
- 	if (data->actions->len <= 1) {
--- 
-2.17.0
-
diff --git a/SOURCES/CentOS-Vendor-Branding.patch b/SOURCES/CentOS-Vendor-Branding.patch
deleted file mode 100644
index 0eca3b6..0000000
--- a/SOURCES/CentOS-Vendor-Branding.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-diff -uNrp PackageKit-1.1.5.orig/etc/Vendor.conf PackageKit-1.1.5/etc/Vendor.conf
---- PackageKit-1.1.5.orig/etc/Vendor.conf	2016-01-05 09:48:43.000000000 +0000
-+++ PackageKit-1.1.5/etc/Vendor.conf	2018-05-09 12:02:03.199032600 +0000
-@@ -12,7 +12,7 @@
- # If the value is set to 'none' then no link is shown.
- #
- # default=http://www.packagekit.org/pk-package-not-found.html
--DefaultUrl=http://www.packagekit.org/pk-package-not-found.html
-+DefaultUrl=none
- 
- # The URL which is shown to the user when a codec could not be found.
- # It should explain why certain codecs cannot be used, and perhaps show
diff --git a/SPECS/PackageKit.spec b/SPECS/PackageKit.spec
index aae9b50..a00e2f9 100644
--- a/SPECS/PackageKit.spec
+++ b/SPECS/PackageKit.spec
@@ -5,17 +5,14 @@
 
 Summary:   Package management service
 Name:      PackageKit
-Version:   1.1.5
-Release:   2%{?dist}
+Version:   1.1.10
+Release:   1%{?dist}
 License:   GPLv2+ and LGPLv2+
 URL:       http://www.freedesktop.org/software/PackageKit/
 Source0:   http://www.freedesktop.org/software/PackageKit/releases/%{name}-%{version}.tar.xz
 
 # Fedora-specific: set Vendor.conf up for Fedora.
-
-# CVE-2018-1106
-Patch1:    0001-Do-not-set-JUST_REINSTALL-on-any-kind-of-auth-failur.patch
-Patch0:    CentOS-Vendor-Branding.patch
+Patch0:    PackageKit-0.3.8-Fedora-Vendor.conf.patch
 
 Requires: %{name}-glib%{?_isa} = %{version}-%{release}
 Requires: PackageKit-backend
@@ -160,8 +157,7 @@ using PackageKit.
 
 %prep
 %setup -q
-%patch1 -p1 -b .CVE-2018-1106
-%patch0 -p1
+%patch0 -p1 -b .fedora
 
 %build
 %configure \
@@ -304,13 +300,13 @@ systemctl disable packagekit-offline-update.service > /dev/null 2>&1 || :
 %{_datadir}/vala/vapi/packagekit-glib2.vapi
 
 %changelog
-* Tue Apr 24 2018 CentOS Sources <bugs@centos.org> - 1.1.5-2.el7.centos
-- remove old branding patch
-- Update Vendor patch to reference CentOS
+* Mon Apr 23 2018 Richard Hughes <rhughes@redhat.com> - 1.1.10-1
+- New upstream release
+- Resolves: #1576494
 
 * Tue Apr 17 2018 Richard Hughes <rhughes@redhat.com> - 1.1.5-2
 - Fixes CVE-2018-1106
-- Resolves: rhbz#1566425
+- Resolves: rhbz#1566426
 
 * Tue Feb 28 2017 Richard Hughes <rhughes@redhat.com> - 1.1.5-1
 - Update to 1.1.5