diff --git a/.flatpak.metadata b/.flatpak.metadata
index abf3c92..793a70b 100644
--- a/.flatpak.metadata
+++ b/.flatpak.metadata
@@ -1 +1 @@
-d2ebda16446fbd28d78d2f7df5ccb77c34f2874c SOURCES/flatpak-1.0.6.tar.xz
+51317ee7abeb09fc68c924ee74463185be901658 SOURCES/flatpak-1.0.9.tar.xz
diff --git a/.gitignore b/.gitignore
index 8b49271..a16c229 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/flatpak-1.0.6.tar.xz
+SOURCES/flatpak-1.0.9.tar.xz
diff --git a/SOURCES/flatpak-1.0.6-CVE-2019-10063.patch b/SOURCES/flatpak-1.0.6-CVE-2019-10063.patch
deleted file mode 100644
index a713027..0000000
--- a/SOURCES/flatpak-1.0.6-CVE-2019-10063.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From 77f076712949c13b9bcecc02d043cbd6de6e291e Mon Sep 17 00:00:00 2001
-From: Ryan Gonzalez
-Date: Mon, 25 Mar 2019 13:00:15 -0500
-Subject: [PATCH] run: Only compare the lowest 32 ioctl arg bits for TIOCSTI
-
-Closes #2782.
-
-Closes: #2783
-Approved by: alexlarsson
---
- common/flatpak-run.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/common/flatpak-run.c b/common/flatpak-run.c
-index 90b435fe..d1acd9f2 100644
--- a/common/flatpak-run.c
-+++ b/common/flatpak-run.c
-@@ -2147,7 +2147,7 @@ setup_seccomp (FlatpakBwrap *bwrap,
- {SCMP_SYS (clone), &SCMP_A0 (SCMP_CMP_MASKED_EQ, CLONE_NEWUSER, CLONE_NEWUSER)},
-
- /* Don't allow faking input to the controlling tty (CVE-2017-5226) */
-- {SCMP_SYS (ioctl), &SCMP_A1 (SCMP_CMP_EQ, (int) TIOCSTI)},
-+ {SCMP_SYS (ioctl), &SCMP_A1 (SCMP_CMP_MASKED_EQ, 0xFFFFFFFFu, (int) TIOCSTI)},
- };
-
- struct
---
-2.21.0
-
diff --git a/SOURCES/flatpak-1.0.6-CVE-2019-5736.patch b/SOURCES/flatpak-1.0.6-CVE-2019-5736.patch
deleted file mode 100644
index 65bed56..0000000
--- a/SOURCES/flatpak-1.0.6-CVE-2019-5736.patch
+++ /dev/null
@@ -1,65 +0,0 @@
-From 9cb5f1e465cf5a3e643caf7159e89530ae867be2 Mon Sep 17 00:00:00 2001
-From: Alexander Larsson
-Date: Sun, 10 Feb 2019 18:23:44 +0100
-Subject: [PATCH] Don't expose /proc when running apply_extra
-
-As shown by CVE-2019-5736, it is sometimes possible for the sandbox
-app to access outside files using /proc/self/exe. This is not
-typically an issue for flatpak as the sandbox runs as the user which
-has no permissions to e.g. modify the host files.
-
-However, when installing apps using extra-data into the system repo
-we *do* actually run a sandbox as root. So, in this case we disable mounting
-/proc in the sandbox, which will neuter attacks like this.
-
-(cherry picked from commit 468858c1cbcdbcb27266deb5c7347b37adf3a9e4)
---
- common/flatpak-common-types-private.h | 1 +
- common/flatpak-dir.c | 2 +-
- common/flatpak-run.c | 6 +++++-
- 3 files changed, 7 insertions(+), 2 deletions(-)
-
-diff --git a/common/flatpak-common-types-private.h b/common/flatpak-common-types-private.h
-index e361777e1..b8f76b9c4 100644
--- a/common/flatpak-common-types-private.h
-+++ b/common/flatpak-common-types-private.h
-@@ -45,6 +45,7 @@ typedef enum {
- FLATPAK_RUN_FLAG_NO_DOCUMENTS_PORTAL = (1 << 15),
- FLATPAK_RUN_FLAG_BLUETOOTH = (1 << 16),
- FLATPAK_RUN_FLAG_CANBUS = (1 << 17),
-+ FLATPAK_RUN_FLAG_NO_PROC = (1 << 19),
- } FlatpakRunFlags;
-
- typedef struct FlatpakDir FlatpakDir;
-diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c
-index 0809a42be..7d44cfb4f 100644
--- a/common/flatpak-dir.c
-+++ b/common/flatpak-dir.c
-@@ -6507,7 +6507,7 @@ apply_extra_data (FlatpakDir *self,
- NULL);
-
- if (!flatpak_run_setup_base_argv (bwrap, runtime_files, NULL, runtime_ref_parts[2],
-- FLATPAK_RUN_FLAG_NO_SESSION_HELPER,
-+ FLATPAK_RUN_FLAG_NO_SESSION_HELPER | FLATPAK_RUN_FLAG_NO_PROC,
- error))
- return FALSE;
-
-diff --git a/common/flatpak-run.c b/common/flatpak-run.c
-index e8e55262e..ab167c00d 100644
--- a/common/flatpak-run.c
-+++ b/common/flatpak-run.c
-@@
-2373,9 +2373,13 @@ flatpak_run_setup_base_argv (FlatpakBwrap *bwrap,
- "# Disable user pkcs11 config, because the host modules don't work in the runtime\n"
- "user-config: none\n";
-
-+ if ((flags & FLATPAK_RUN_FLAG_NO_PROC) == 0)
-+ flatpak_bwrap_add_args (bwrap,
-+ "--proc", "/proc",
-+ NULL);
-+
- flatpak_bwrap_add_args (bwrap,
- "--unshare-pid",
-- "--proc", "/proc",
- "--dir", "/tmp",
- "--dir", "/var/tmp",
- "--dir", "/run/host",
diff --git a/SPECS/flatpak.spec b/SPECS/flatpak.spec
index eabf799..f60e7f0 100644
--- a/SPECS/flatpak.spec
+++ b/SPECS/flatpak.spec
@@ -2,8 +2,8 @@
 %global ostree_version 2018.7
 Name: flatpak
-Version: 1.0.6
-Release: 4%{?dist}
+Version: 1.0.9
+Release: 1%{?dist}
 Summary: Application deployment framework for desktop apps
 License: LGPLv2+
@@ -11,10 +11,6 @@ URL: http://flatpak.org/
 Source0: https://github.com/flatpak/flatpak/releases/download/%{version}/%{name}-%{version}.tar.xz
 # https://bugzilla.redhat.com/show_bug.cgi?id=1657306
 Patch0: flatpak-1.0.4-oci-fixes.patch
-# https://bugzilla.redhat.com/show_bug.cgi?id=1675776
-Patch1: flatpak-1.0.6-CVE-2019-5736.patch
-# https://bugzilla.redhat.com/show_bug.cgi?id=1700654
-Patch2: flatpak-1.0.6-CVE-2019-10063.patch
 BuildRequires: pkgconfig(appstream-glib)
 BuildRequires: pkgconfig(gio-unix-2.0)
@@ -159,6 +155,9 @@ flatpak remote-list --system &> /dev/null || :
 %changelog
+* Fri Sep 20 2019 Kalev Lember - 1.0.9-1
+- Update to 1.0.9 (#1753613)
+
 * Tue May 14 2019 David King - 1.0.6-4
 - Bump release (#1700654)
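Review bot: The `@@ -11,10 +11,6 @@` hunk of SPECS/flatpak.spec drops Patch1 (CVE-2019-5736) and Patch2 (CVE-2019-10063), but the new changelog entry only says `- Update to 1.0.9 (#1753613)`, so the package history no longer records what became of those two fixes. They are presumably carried by the 1.0.9 tarball, but that should be stated so the CVE-to-build mapping stays auditable; add a second changelog line such as `- Drop CVE-2019-5736 and CVE-2019-10063 patches, fixed upstream`. Before merging it is also worth confirming in the new tarball that setup_seccomp still uses the SCMP_CMP_MASKED_EQ form for TIOCSTI and that apply_extra_data still passes FLATPAK_RUN_FLAG_NO_PROC, since the deleted patches were the only local guarantee of that.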