diff --git a/.gitignore b/.gitignore
index 8d9599f..79c4020 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,3 @@
-SOURCES/grafana-7.5.9.tar.gz
-SOURCES/grafana-vendor-7.5.9-2.tar.xz
-SOURCES/grafana-webpack-7.5.9-2.tar.gz
+SOURCES/grafana-7.5.11.tar.gz
+SOURCES/grafana-vendor-7.5.11-1.tar.xz
+SOURCES/grafana-webpack-7.5.11-1.tar.gz
diff --git a/.grafana.metadata b/.grafana.metadata
index af2fa86..d33b818 100644
--- a/.grafana.metadata
+++ b/.grafana.metadata
@@ -1,3 +1,3 @@
-e658bc3706a71a2a77f34755ac362fd506d7b1a0 SOURCES/grafana-7.5.9.tar.gz
-8fc46c12ac1bae0f2e0434e8fdf71e61e922c74a SOURCES/grafana-vendor-7.5.9-2.tar.xz
-28052475c9cb45ac6523479ab9fd3da4ba678400 SOURCES/grafana-webpack-7.5.9-2.tar.gz
+cd7bfb63dd91361c1bc9c46d1f889b1f54f7758a SOURCES/grafana-7.5.11.tar.gz
+d55ac0b3a8fb3a0ce772442923e2ca3cba1af78f SOURCES/grafana-vendor-7.5.11-1.tar.xz
+db79c330e9a56dac2cdcae9b7c07c86112a66237 SOURCES/grafana-webpack-7.5.11-1.tar.gz
diff --git a/SOURCES/002-manpages.patch b/SOURCES/002-manpages.patch
index ccc1385..36ca294 100644
--- a/SOURCES/002-manpages.patch
+++ b/SOURCES/002-manpages.patch
@@ -4,7 +4,7 @@ index 0000000000..7ac2af882c
 --- /dev/null
 +++ b/docs/man/man1/grafana-cli.1
 @@ -0,0 +1,60 @@
-+.TH GRAFANA "1" "June 2021" "Grafana cli version 7.5.9" "User Commands"
++.TH GRAFANA "1" "October 2021" "Grafana cli version 7.5.11" "User Commands"
 +.SH NAME
 +grafana-cli \- command line administration for the Grafana metrics dashboard and graph editor
 +.SH DESCRIPTION
@@ -70,7 +70,7 @@ index 0000000000..c616268b31
 --- /dev/null
 +++ b/docs/man/man1/grafana-server.1
 @@ -0,0 +1,72 @@
-+.TH VERSION "1" "June 2021" "Version 7.5.9" "User Commands"
++.TH VERSION "1" "October 2021" "Version 7.5.11" "User Commands"
 +.SH NAME
 +grafana-server \- back-end server for the Grafana metrics dashboard and graph editor
 +.SH DESCRIPTION
diff --git a/SOURCES/011-CVE-2021-39226.patch b/SOURCES/011-CVE-2021-39226.patch
deleted file mode 100644
index a17cd34..0000000
--- a/SOURCES/011-CVE-2021-39226.patch
+++ /dev/null
@@ -1,55 +0,0 @@
-diff --git a/pkg/api/dashboard_snapshot.go b/pkg/api/dashboard_snapshot.go
-index 4f7a4b8d09..b500639d15 100644
---- a/pkg/api/dashboard_snapshot.go
-+++ b/pkg/api/dashboard_snapshot.go
-@@ -144,6 +144,9 @@ func CreateDashboardSnapshot(c *models.ReqContext, cmd models.CreateDashboardSna
- // GET /api/snapshots/:key
- func GetDashboardSnapshot(c *models.ReqContext) response.Response {
- 	key := c.Params(":key")
-+	if len(key) == 0 {
-+		return response.Error(404, "Snapshot not found", nil)
-+	}
- 	query := &models.GetDashboardSnapshotQuery{Key: key}
- 
- 	err := bus.Dispatch(query)
-@@ -210,6 +213,9 @@ func deleteExternalDashboardSnapshot(externalUrl string) error {
- // GET /api/snapshots-delete/:deleteKey
- func DeleteDashboardSnapshotByDeleteKey(c *models.ReqContext) response.Response {
- 	key := c.Params(":deleteKey")
-+	if len(key) == 0 {
-+		return response.Error(404, "Snapshot not found", nil)
-+	}
- 
- 	query := &models.GetDashboardSnapshotQuery{DeleteKey: key}
- 
-@@ -240,6 +246,9 @@ func DeleteDashboardSnapshotByDeleteKey(c *models.ReqContext) response.Response
- // DELETE /api/snapshots/:key
- func DeleteDashboardSnapshot(c *models.ReqContext) response.Response {
- 	key := c.Params(":key")
-+	if len(key) == 0 {
-+		return response.Error(404, "Snapshot not found", nil)
-+	}
- 
- 	query := &models.GetDashboardSnapshotQuery{Key: key}
- 
-diff --git a/vendor/gopkg.in/macaron.v1/router.go b/vendor/gopkg.in/macaron.v1/router.go
-index df593d669a..46cb0c160f 100644
---- a/vendor/gopkg.in/macaron.v1/router.go
-+++ b/vendor/gopkg.in/macaron.v1/router.go
-@@ -289,10 +289,12 @@ func (r *Router) SetHandlerWrapper(f func(Handler) Handler) {
- func (r *Router) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
- 	if t, ok := r.routers[req.Method]; ok {
- 		// Fast match for static routes
--		leaf := r.getLeaf(req.Method, req.URL.Path)
--		if leaf != nil {
--			leaf.handle(rw, req, nil)
--			return
-+		if !strings.ContainsAny(req.URL.Path, ":*") {
-+			leaf := r.getLeaf(req.Method, req.URL.Path)
-+			if leaf != nil {
-+				leaf.handle(rw, req, nil)
-+				return
-+			}
- 		}
- 
- 		h, p, ok := t.Match(req.URL.EscapedPath())
diff --git a/SOURCES/011-CVE-2021-43813.patch b/SOURCES/011-CVE-2021-43813.patch
new file mode 100644
index 0000000..375b364
--- /dev/null
+++ b/SOURCES/011-CVE-2021-43813.patch
@@ -0,0 +1,52 @@
+commit ea77415cfe2cefe46ffce233076a1409abaa8df7
+Author: Will Browne <wbrowne@users.noreply.github.com>
+Date:   Fri Dec 10 11:29:12 2021 +0000
+
+    apply fix (#42969)
+
+diff --git a/pkg/plugins/plugins.go b/pkg/plugins/plugins.go
+index e6370a29e7..c7199c716e 100644
+--- a/pkg/plugins/plugins.go
++++ b/pkg/plugins/plugins.go
+@@ -491,15 +491,15 @@ func GetPluginMarkdown(pluginId string, name string) ([]byte, error) {
+ 	}
+ 
+ 	// nolint:gosec
+-	// We can ignore the gosec G304 warning on this one because `plug.PluginDir` is based
+-	// on plugin the folder structure on disk and not user input.
+-	path := filepath.Join(plug.PluginDir, fmt.Sprintf("%s.md", strings.ToUpper(name)))
++	// We can ignore the gosec G304 warning since we have cleaned the requested file path and subsequently
++	// use this with a prefix of the plugin's directory, which is set during plugin loading
++	path := filepath.Join(plug.PluginDir, mdFilepath(strings.ToUpper(name)))
+ 	exists, err := fs.Exists(path)
+ 	if err != nil {
+ 		return nil, err
+ 	}
+ 	if !exists {
+-		path = filepath.Join(plug.PluginDir, fmt.Sprintf("%s.md", strings.ToLower(name)))
++		path = filepath.Join(plug.PluginDir, mdFilepath(strings.ToLower(name)))
+ 	}
+ 
+ 	exists, err = fs.Exists(path)
+@@ -511,8 +511,8 @@ func GetPluginMarkdown(pluginId string, name string) ([]byte, error) {
+ 	}
+ 
+ 	// nolint:gosec
+-	// We can ignore the gosec G304 warning on this one because `plug.PluginDir` is based
+-	// on plugin the folder structure on disk and not user input.
++	// We can ignore the gosec G304 warning since we have cleaned the requested file path and subsequently
++	// use this with a prefix of the plugin's directory, which is set during plugin loading
+ 	data, err := ioutil.ReadFile(path)
+ 	if err != nil {
+ 		return nil, err
+@@ -520,6 +520,10 @@ func GetPluginMarkdown(pluginId string, name string) ([]byte, error) {
+ 	return data, nil
+ }
+ 
++func mdFilepath(mdFilename string) string {
++	return filepath.Clean(filepath.Join("/", fmt.Sprintf("%s.md", mdFilename)))
++}
++
+ // gets plugin filenames that require verification for plugin signing
+ func collectPluginFilesWithin(rootDir string) ([]string, error) {
+ 	var files []string
diff --git a/SOURCES/Makefile b/SOURCES/Makefile
index acd932c..dab531d 100644
--- a/SOURCES/Makefile
+++ b/SOURCES/Makefile
@@ -1,19 +1,24 @@
-ifndef VER
-  $(error VER is undefined)
-endif
-ifndef REL
-  $(error REL is undefined)
-endif
+VERSION := $(shell rpm --specfile *.spec --qf '%{VERSION}\n' | head -1)
+RELEASE := $(shell rpm --specfile *.spec --qf '%{RELEASE}\n' | head -1 | cut -d. -f1)
 
 NAME       := grafana
 RPM_NAME   := $(NAME)
-SOURCE_DIR := $(NAME)-$(VER)
-SOURCE_TAR := $(NAME)-$(VER).tar.gz
-VENDOR_TAR := $(RPM_NAME)-vendor-$(VER)-$(REL).tar.xz
-WEBPACK_TAR := $(RPM_NAME)-webpack-$(VER)-$(REL).tar.gz
+SOURCE_DIR := $(NAME)-$(VERSION)
+SOURCE_TAR := $(NAME)-$(VERSION).tar.gz
+VENDOR_TAR := $(RPM_NAME)-vendor-$(VERSION)-$(RELEASE).tar.xz
+WEBPACK_TAR := $(RPM_NAME)-webpack-$(VERSION)-$(RELEASE).tar.gz
+
+# patches which must be applied before creating the vendor tarball, for example:
+# - changes in dependency versions
+# - changes in Go module imports (which affect the vendored Go modules)
+PATCHES_PRE_VENDOR := \
+	005-remove-unused-dependencies.patch \
+	008-remove-unused-frontend-crypto.patch
+
+# patches which must be applied before creating the webpack, for example:
+# - changes in Node.js sources or vendored dependencies
+PATCHES_PRE_WEBPACK :=
 
-ALL_PATCHES := $(wildcard *.patch)
-PATCHES_TO_APPLY := $(filter-out 009-patch-unused-backend-crypto.patch 010-fips.patch,$(ALL_PATCHES))
 
 all: $(SOURCE_TAR) $(VENDOR_TAR) $(WEBPACK_TAR)
 
@@ -21,43 +26,52 @@ $(SOURCE_TAR):
 	spectool -g $(RPM_NAME).spec
 
 $(VENDOR_TAR): $(SOURCE_TAR)
-	rm -rf grafana-$(VER)
-	tar xfz grafana-$(VER).tar.gz
+	# start with a clean state
+	rm -rf $(SOURCE_DIR)
+	tar xf $(SOURCE_TAR)
 
-	# patches can affect Go or Node.js dependencies, or the webpack
-	for patch in $(PATCHES_TO_APPLY); do patch -d grafana-$(VER) -p1 --fuzz=0 < $$patch; done
+	# Patches to apply before vendoring
+	for patch in $(PATCHES_PRE_VENDOR); do echo applying $$patch ...; patch -d $(SOURCE_DIR) -p1 --fuzz=0 < $$patch; done
 
 	# Go
-	cd grafana-$(VER) && go mod vendor -v
+	cd $(SOURCE_DIR) && go mod vendor -v
 	# Remove unused crypto
-	rm grafana-$(VER)/vendor/golang.org/x/crypto/cast5/cast5.go
-	rm grafana-$(VER)/vendor/golang.org/x/crypto/ed25519/ed25519.go
-	rm grafana-$(VER)/vendor/golang.org/x/crypto/ed25519/internal/edwards25519/const.go
-	rm grafana-$(VER)/vendor/golang.org/x/crypto/ed25519/internal/edwards25519/edwards25519.go
-	rm grafana-$(VER)/vendor/golang.org/x/crypto/openpgp/elgamal/elgamal.go
-	rm grafana-$(VER)/vendor/golang.org/x/crypto/openpgp/packet/ocfb.go
-	awk '$$2~/^v/ && $$4 != "indirect" {print "Provides: bundled(golang(" $$1 ")) = " substr($$2, 2)}' grafana-$(VER)/go.mod | \
+	rm $(SOURCE_DIR)/vendor/golang.org/x/crypto/cast5/cast5.go
+	rm $(SOURCE_DIR)/vendor/golang.org/x/crypto/ed25519/ed25519.go
+	rm $(SOURCE_DIR)/vendor/golang.org/x/crypto/ed25519/internal/edwards25519/const.go
+	rm $(SOURCE_DIR)/vendor/golang.org/x/crypto/ed25519/internal/edwards25519/edwards25519.go
+	rm $(SOURCE_DIR)/vendor/golang.org/x/crypto/openpgp/elgamal/elgamal.go
+	rm $(SOURCE_DIR)/vendor/golang.org/x/crypto/openpgp/packet/ocfb.go
+	awk '$$2~/^v/ && $$4 != "indirect" {print "Provides: bundled(golang(" $$1 ")) = " substr($$2, 2)}' $(SOURCE_DIR)/go.mod | \
 		sed -E 's/=(.*)-(.*)-(.*)/=\1-\2.\3/g' > $@.manifest
 
 	# Node.js
-	cd grafana-$(VER) && yarn install --pure-lockfile
+	cd $(SOURCE_DIR) && yarn install --pure-lockfile
 	# Remove files with licensing issues
-	find grafana-$(VER) -type d -name 'node-notifier' -prune -exec rm -r {} \;
-	find grafana-$(VER) -type d -name 'property-information' -prune -exec rm -r {} \;
-	find grafana-$(VER) -type f -name '*.exe' -delete
-	rm -r grafana-$(VER)/node_modules/visjs-network/examples
-	./list_bundled_nodejs_packages.py grafana-$(VER)/ >> $@.manifest
+	find $(SOURCE_DIR) -type d -name 'node-notifier' -prune -exec rm -r {} \;
+	find $(SOURCE_DIR) -type d -name 'property-information' -prune -exec rm -r {} \;
+	find $(SOURCE_DIR) -type f -name '*.exe' -delete
+	rm -r $(SOURCE_DIR)/node_modules/visjs-network/examples
+	./list_bundled_nodejs_packages.py $(SOURCE_DIR) >> $@.manifest
 
 	# Create tarball
-	XZ_OPT=-9 tar cfJ $@ \
-		grafana-$(VER)/vendor \
-		$$(find grafana-$(VER) -type d -name "node_modules" -prune)
+	XZ_OPT=-9 time -p tar cJf $@ \
+		$(SOURCE_DIR)/vendor \
+		$$(find $(SOURCE_DIR) -type d -name "node_modules" -prune)
 
 $(WEBPACK_TAR): $(VENDOR_TAR)
-	cd grafana-$(VER) && \
+	# start with a clean state
+	rm -rf $(SOURCE_DIR)
+	tar xf $(SOURCE_TAR)
+	tar xf $(VENDOR_TAR)
+
+	# Patches to apply before creating the webpack
+	for patch in $(PATCHES_PRE_WEBPACK); do echo applying $$patch ...; patch -d $(SOURCE_DIR) -p1 --fuzz=0 < $$patch; done
+
+	cd $(SOURCE_DIR) && \
 		../build_frontend.sh
 
-	tar cfz $@ grafana-$(VER)/public/build grafana-$(VER)/public/views grafana-$(VER)/plugins-bundled
+	tar cfz $@ $(SOURCE_DIR)/public/build $(SOURCE_DIR)/public/views $(SOURCE_DIR)/plugins-bundled
 
 clean:
 	rm -rf *.tar.gz *.tar.xz *.manifest *.rpm $(NAME)-*/
diff --git a/SPECS/grafana.spec b/SPECS/grafana.spec
index 0da9ff2..218af28 100644
--- a/SPECS/grafana.spec
+++ b/SPECS/grafana.spec
@@ -1,3 +1,13 @@
+# gobuild and gotest macros are not available on CentOS Stream
+# remove once BZ 1965292 is resolved
+# definitions lifted from Fedora 34 podman.spec
+%if ! 0%{?gobuild:1}
+%define gobuild(o:) GO111MODULE=off go build -buildmode pie -compiler gc -tags="rpm_crashtraceback ${BUILDTAGS:-}" -ldflags "${LDFLAGS:-} -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \\n') -extldflags '-Wl,-z,relro -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld '" -a -v -x %{?**};
+%endif
+%if ! 0%{?gotest:1}
+%define gotest() GO111MODULE=off go test -buildmode pie -compiler gc -ldflags "${LDFLAGS:-} -extldflags '-Wl,-z,relro -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld '" %{?**};
+%endif
+
 %global grafana_arches %{lua: go_arches = {}
   for arch in rpm.expand("%{go_arches}"):gmatch("%S+") do
     go_arches[arch] = 1
@@ -19,8 +29,8 @@ end}
 %endif
 
 Name:             grafana
-Version:          7.5.9
-Release:          5%{?dist}
+Version:          7.5.11
+Release:          2%{?dist}
 Summary:          Metrics dashboard and graph editor
 License:          ASL 2.0
 URL:              https://grafana.org
@@ -30,14 +40,14 @@ Source0:          https://github.com/grafana/grafana/archive/v%{version}/%{name}
 
 # Source1 contains the bundled Go and Node.js dependencies
 # Note: In case there were no changes to this tarball, the NVR of this tarball
-# lags behind the NVR of the Grafana package.
-Source1:          grafana-vendor-%{version}-2.tar.xz
+# lags behind the NVR of this package.
+Source1:          grafana-vendor-%{version}-1.tar.xz
 
 %if %{compile_frontend} == 0
 # Source2 contains the precompiled frontend
 # Note: In case there were no changes to this tarball, the NVR of this tarball
-# lags behind the NVR of the Grafana package.
-Source2:          grafana-webpack-%{version}-2.tar.gz
+# lags behind the NVR of this package.
+Source2:          grafana-webpack-%{version}-1.tar.gz
 %endif
 
 # Source3 contains Grafana configuration defaults for distributions
@@ -81,8 +91,7 @@ Patch9:           009-patch-unused-backend-crypto.patch
 # if FIPS mode is enabled.
 Patch10:          010-fips.patch
 
-# Patch for CVE-2021-39226
-Patch11:          011-CVE-2021-39226.patch
+Patch11:          011-CVE-2021-43813.patch
 
 # Intersection of go_arches and nodejs_arches
 ExclusiveArch:    %{grafana_arches}
@@ -610,6 +619,10 @@ export GOPATH=%{_builddir}
 # let's set the time zone to a time zone without daylight saving time
 export TZ=GMT
 
+# GO111MODULE=on automatically skips vendored macaron sources in pkg/macaron
+# GO111MODULE=off doesn't skip them, and fails with an error due to the canoncial import path
+rm -r pkg/macaron
+
 %gotest ./pkg/...
 
 %if %{enable_fips_mode}
@@ -661,12 +674,17 @@ GOLANG_FIPS=1 go test -v ./pkg/util -run TestEncryption
 
 
 %changelog
-* Tue Dec 21 2021 Andreas Gerstmayr <agerstmayr@redhat.com> 7.5.9-5
+* Thu Dec 16 2021 Andreas Gerstmayr <agerstmayr@redhat.com> 7.5.11-2
 - resolve CVE-2021-44716 golang: net/http: limit growth of header canonicalization cache
+- resolve CVE-2021-43813 grafana: directory traversal vulnerability for *.md files
 
-* Wed Oct 06 2021 Andreas Gerstmayr <agerstmayr@redhat.com> 7.5.9-4
+* Mon Oct 11 2021 Andreas Gerstmayr <agerstmayr@redhat.com> 7.5.11-1
+- update to 7.5.11 tagged upstream community sources, see CHANGELOG
 - resolve CVE-2021-39226
 
+* Thu Sep 30 2021 Andreas Gerstmayr <agerstmayr@redhat.com> 7.5.10-1
+- update to 7.5.10 tagged upstream community sources, see CHANGELOG
+
 * Mon Aug 16 2021 Andreas Gerstmayr <agerstmayr@redhat.com> 7.5.9-3
 - rebuild to resolve CVE-2021-34558