diff --git a/SPECS/ipa.spec b/SPECS/ipa.spec
index 784cd9a..694581c 100644
--- a/SPECS/ipa.spec
+++ b/SPECS/ipa.spec
@@ -2,7 +2,7 @@
 %bcond_without ipatests
 # default to not use XML-RPC in Rawhide, can be turned around with --with ipa_join_xml
 # On RHEL 8 we should use --with ipa_join_xml
-%bcond_without ipa_join_xml
+%bcond_with ipa_join_xml
 # Linting is disabled by default, needed for upstream testing
 %bcond_with lint
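Review bot: The comment above the flipped switch still says "On RHEL 8 we should use --with ipa_join_xml", but with `%bcond_with ipa_join_xml` the XML-RPC variant is now opt-in for this build too. The changelog entry for RHBZ#1937856 records the switch of ipa-client to the JSON API, so the comment should say the same, for example `# JSON-RPC is the default; build with --with ipa_join_xml to get the XML-RPC variant`. Left as is, the old text invites someone to re-enable the legacy transport on a RHEL 8 rebuild without realising it is no longer the intended default.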
@@ -49,9 +49,9 @@
 # lint is not executed during rpmbuild
 # %%global with_lint 1
 %if %{with lint}
-    %global linter_options --enable-pylint --with-jslint
+    %global linter_options --enable-pylint --without-jslint --enable-rpmlint
-    %global linter_options --disable-pylint --without-jslint
+    %global linter_options --disable-pylint --without-jslint --disable-rpmlint
 # Include SELinux subpackage
@@ -73,10 +73,13 @@
 %global selinux_policy_version 3.14.3-52
 %global slapi_nis_version 0.56.4
 %global python_ldap_version 3.1.0-1
-# python3-lib389
-# Fix for "Installation fails: Replica Busy"
-# https://pagure.io/389-ds-base/issue/49818
-%global ds_version
+%if 0%{?rhel} < 9
+# Bug 1929067 - PKI instance creation failed with new 389-ds-base build
+%global ds_version
+%global ds_version 2.0.3-3
 # Fix for TLS 1.3 PHA, RHBZ#1775158
 %global httpd_version 2.4.37-21
 %global bind_version 9.11.20-6
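Review bot: As rendered on this page, the first `%global ds_version` inside the new `%if 0%{?rhel} < 9` branch has no value, and the `v['32']=''` / `v['33']=''` entries in the Fedora table of the next hunk are empty too. If the spec really contains that, `Requires(pre): 389-ds-base >= %{ds_version}` (visible further down) expands with nothing after the operator, so the minimum that the comment ties to Bug 1929067 is not enforced. If the values were lost when the page was produced, ignore this; otherwise each branch needs an explicit value, written as `%global ds_version <VERSION-RELEASE>` for the build that carries the fix. The `%else`/`%endif` lines of the conditional are not visible in this hunk.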
@@ -101,9 +104,13 @@
 # fix for segfault in python3-ldap, https://pagure.io/freeipa/issue/7324
 %global python_ldap_version 3.1.0-1
-# 1.4.3 moved nsslapd-db-locks to cn=bdb sub-entry
-# https://pagure.io/freeipa/issue/8515
-%global ds_version 1.4.3
+# Make sure to use 389-ds-base versions that fix https://github.com/389ds/389-ds-base/issues/4609
+%if 0%{?fedora} < 34
+%global ds_version %{lua: local v={}; v['32']=''; v['33']=''; print(v[rpm.expand('%{fedora}')])}
+%global ds_version 2.0.4-1
 # Fix for TLS 1.3 PHA, RHBZ#1775146
 %global httpd_version 2.4.41-9
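Review bot: The Lua lookup in `%global ds_version %{lua: ...}` has keys only for '32' and '33', while its guard `%if 0%{?fedora} < 34` is also true for any older release and for an undefined `%{fedora}`. In those cases `v[...]` is nil and the macro would presumably expand to the text `nil`, producing a `389-ds-base >= nil` dependency instead of the build that fixes 389-ds-base issue 4609. Either narrow the guard to the releases the table covers or give the lookup a fallback, e.g. `print(v[rpm.expand('%{fedora}')] or '2.0.4-1')`. Whether this block already sits inside a Fedora-only branch cannot be seen from the hunk.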
@@ -126,13 +133,11 @@
 %if 0%{?rhel} == 8
-# PKIConnection has been modified to always validate certs.
-# https://pagure.io/freeipa/issue/8379
-%global pki_version 10.9.0-0.4
+# Make sure to use PKI versions that work with 389-ds fix for https://github.com/389ds/389-ds-base/issues/4609
+%global pki_version 10.10.5
-# New KRA profile, ACME support
-# https://pagure.io/freeipa/issue/8545
-%global pki_version 10.10.0-2
+# Make sure to use PKI versions that work with 389-ds fix for https://github.com/389ds/389-ds-base/issues/4609
+%global pki_version 10.10.5
 # RHEL 8.3+, F32+ has 0.79.13
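Review bot: Both arms of the `%if 0%{?rhel} == 8` conditional now set `%global pki_version 10.10.5` under the same comment, so the branch no longer selects anything and can be reduced to a single definition. The removed comments recorded that the floor also guarantees a PKIConnection that always validates certificates (freeipa issue 8379) and the KRA profile/ACME support (issue 8545). 10.10.5 still satisfies both, but that rationale is worth keeping next to the macro, e.g. `# also covers PKIConnection cert validation, https://pagure.io/freeipa/issue/8379`. Unlike the old values, the new one has no release part; that works for a `>=` floor but should be a deliberate choice.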
@@ -155,6 +160,16 @@
 %global systemd_version 239
+# augeas support for new chrony options
+# see https://pagure.io/freeipa/issue/8676
+# Note: will need to be updated for RHEL9 when a fix is available for
+# https://bugzilla.redhat.com/show_bug.cgi?id=1931787
+%if 0%{?fedora} >= 33
+%global augeas_version 1.12.0-6
+%global augeas_version 1.12.0-3
 %global plugin_dir %{_libdir}/dirsrv/plugins
 %global etc_systemd_dir %{_sysconfdir}/systemd/system
 %global gettext_domain ipa
@@ -163,7 +178,7 @@
 # Work-around fact that RPM SPEC parser does not accept
 # "Version: @VERSION@" in freeipa.spec.in used for Autoconf string replacement
-%define IPA_VERSION 4.9.2
+%define IPA_VERSION 4.9.6
 # Release candidate version -- uncomment with one percent for RC versions
 #%%global rc_version %%nil
 %define AT_SIGN @
@@ -176,7 +191,7 @@
 Name:           %{package_name}
 Version:        %{IPA_VERSION}
-Release:        1%{?rc_version:.%rc_version}%{?dist}
+Release:        4%{?rc_version:.%rc_version}%{?dist}
 Summary:        The Identity, Policy and Audit system
 License:        GPLv3+
@@ -196,12 +211,17 @@ Source1:        https://releases.pagure.org/freeipa/freeipa-%{version}%{?rc_vers
 # RHEL spec file only: START
 %if 0%{?rhel} >= 8
+Patch0001:      0001-rpcserver.py-perf_counter_ns-is-Python-3.7_rhbz#1974822.patch
+Patch0002:      0002-Add-checks-to-prevent-adding-auth-indicators-to-inte_rhbz#1979625.patch
+Patch0003:      0003-stageuser-add-ipauserauthtypeclass-when-required_rhbz#1979605.patch
+Patch0004:      0004-man-page-update-ipa-server-upgrade.1_rhbz#1973273.patch
+Patch0005:      0005-Fall-back-to-krbprincipalname-when-validating-host-a_rhbz#1979625.patch
+Patch0006:      0006-rhel-platform-add-a-named-crypto-policy-support_rhbz#1982956.patch
 Patch1001:      1001-Change-branding-to-IPA-and-Identity-Management.patch
 # RHEL spec file only: END
 # For the timestamp trick in patch application
 BuildRequires:  diffstat
@@ -305,7 +325,10 @@ BuildRequires: python3-m2r
 %if %{with lint}
 BuildRequires:  git
+%if 0%{?fedora} < 34
+# jsl is orphaned in Fedora 34+
 BuildRequires:  jsl
 BuildRequires:  nss-tools
 BuildRequires:  rpmlint
 BuildRequires:  softhsm
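Review bot: `BuildRequires:  jsl` is kept for Fedora < 34, but the `linter_options` change earlier in this commit passes `--without-jslint` in both settings, so nothing visible here uses jsl any more. Dropping the dependency outright is simpler than guarding it: remove the `%if 0%{?fedora} < 34` block together with `BuildRequires:  jsl`. If jslint is meant to stay available on older Fedora, the lint branch should instead pass `--with-jslint` under the same condition. The closing `%endif` of the new conditional is not visible in this hunk.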
@@ -337,12 +360,8 @@ BuildRequires:  python3-polib
 BuildRequires:  python3-pyasn1
 BuildRequires:  python3-pyasn1-modules
 BuildRequires:  python3-pycodestyle
-%if 0%{?fedora} || 0%{?rhel} > 8
-# https://bugzilla.redhat.com/show_bug.cgi?id=1648299
-BuildRequires:  python3-pylint >= 2.1.1-2
-BuildRequires:  python3-pylint >= 1.7
+# .wheelconstraints.in limits pylint version in Azure and tox tests
+BuildRequires:  python3-pylint
 BuildRequires:  python3-pytest-multihost
 BuildRequires:  python3-pytest-sourceorder
 BuildRequires:  python3-qrcode-core >= 5.0.0
@@ -429,7 +448,12 @@ Requires(pre): certmonger >= %{certmonger_version}
 Requires(pre): 389-ds-base >= %{ds_version}
 Requires: fontawesome-fonts
 Requires: open-sans-fonts
+%if 0%{?fedora} >= 32 || 0%{?rhel} >= 9
+# https://pagure.io/freeipa/issue/8632
+Requires: openssl > 1.1.1i
 Requires: openssl
 Requires: softhsm >= 2.0.0rc1-1
 Requires: p11-kit
 Requires: %{etc_systemd_dir}
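Review bot: The new floor `Requires: openssl > 1.1.1i` applies only when `0%{?fedora} >= 32 || 0%{?rhel} >= 9`; the other branch, which covers RHEL 8, keeps the unversioned `Requires: openssl`. The only explanation is the issue URL, so a reader cannot tell whether RHEL 8 is exempt because its openssl is unaffected or because no fixed build existed yet. A comment such as `# RHEL 8: no floor, openssl there is not affected by issue 8632 (confirm)` would record the reason. Because the dependency names no release, every 1.1.1i build is excluded, including one carrying a backported fix; the comment should say that this is intended.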
@@ -481,6 +505,7 @@ Requires: %{name}-common = %{version}-%{release}
 # we need pre-requires since earlier versions may break upgrade
 Requires(pre): python3-ldap >= %{python_ldap_version}
 Requires: python3-augeas
+Requires: augeas-libs >= %{augeas_version}
 Requires: python3-custodia >= 0.3.1
 Requires: python3-dbus
 Requires: python3-dns >= 1.15
@@ -516,8 +541,8 @@ Requires: %{name}-client-common = %{version}-%{release}
 Requires: httpd >= %{httpd_version}
 Requires: systemd-units >= %{systemd_version}
 Requires: custodia >= 0.3.1
-%if 0%{?rhel} >= 8
-Requires: redhat-logos-ipa >= 80.4
+%if 0%{?rhel} >= 8 && ! 0%{?eln}
+Requires: system-logos-ipa >= 80.4
 Provides: %{alt_name}-server-common = %{version}
@@ -571,6 +596,7 @@ Requires: %{name}-common = %{version}-%{release}
 Requires: samba >= %{samba_version}
 Requires: samba-winbind
+Requires: sssd-winbind-idmap
 Requires: libsss_idmap
 %if 0%{?rhel}
 Obsoletes: ipa-idoverride-memberof-plugin <= 0.1
@@ -635,6 +661,11 @@ Requires: nfs-utils
 Requires: sssd-tools >= %{sssd_version}
 Requires(post): policycoreutils
+# https://pagure.io/freeipa/issue/8530
+Recommends: libsss_sudo
+Recommends: sudo
+Requires: (libsss_sudo if sudo)
 Provides: %{alt_name}-client = %{version}
 Conflicts: %{alt_name}-client
 Obsoletes: %{alt_name}-client < %{version}
@@ -699,6 +730,7 @@ Requires: %{name}-client-common = %{version}-%{release}
 Requires: %{name}-common = %{version}-%{release}
 Requires: python3-ipalib = %{version}-%{release}
 Requires: python3-augeas
+Requires: augeas-libs >= %{augeas_version}
 Requires: python3-dns >= 1.15
 Requires: python3-jinja2
@@ -793,7 +825,7 @@ Requires: python3-requests
 Requires: python3-six
 Requires: python3-sss-murmur
 Requires: python3-yubico >= 1.3.2-7
-%if 0%{?rhel} && 0%{?rhel} >= 8
+%if 0%{?rhel} && 0%{?rhel} == 8
 Requires: platform-python-setuptools
 Requires: python3-setuptools
@@ -1670,6 +1702,61 @@ fi
+* Thu Jul 22 2021 Thomas Woerner <twoerner@redhat.com> - 4.9.6-4
+- ipatests: NAMED_CRYPTO_POLICY_FILE not defined for RHEL
+  Resolves: RHBZ#1982956
+* Thu Jul 15 2021 Thomas Woerner <twoerner@redhat.com> - 4.9.6-3
+- man page: update ipa-server-upgrade.1
+  Resolves: RHBZ#1973273
+- Fall back to krbprincipalname when validating host auth indicators
+  Resolves: RHBZ#1979625
+- Add dependency for sssd-winbind-idmap to server-trust-ad
+  Resolves: RHBZ#1982211
+* Thu Jul  8 2021 Thomas Woerner <twoerner@redhat.com> - 4.9.6-2
+- IPA server in debug mode fails to run because time.perf_counter_ns is
+  Python 3.7+
+  Resolves: RHBZ#1974822
+- Add checks to prevent assigning authentication indicators to internal IPA
+  services
+  Resolves: RHBZ#1979625
+- Unable to set ipaUserAuthType with stageuser-add
+  Resolves: RHBZ#1979605
+* Thu Jul  1 2021 Thomas Woerner <twoerner@redhat.com> - 4.9.6-1
+- Upstream release FreeIPA 4.9.6
+  Related: RHBZ#1945038
+- Revise PKINIT upgrade code
+  Resolves: RHBZ#1886837
+- ipa-cert-fix man page: add note about certmonger renewal
+  Resolves: RHBZ#1780317
+- Certificate Serial Number issue
+  Resolves: RHBZ#1919384
+* Mon Jun 14 2021 Thomas Woerner <twoerner@redhat.com> - 4.9.5-1
+- Upstream release FreeIPA 4.9.5
+  Related: RHBZ#1945038
+- IPA to allow setting a new range type
+  Resolves: RHBZ#1688267
+- ipa-server-install displays debug output when --debug output is not
+  specified.
+  Resolves: RHBZ#1943151
+- ACME fails to generate a cert on migrated RHEL8.4 server
+  Resolves: RHBZ#1934991
+- Switch ipa-client to use the JSON API
+  Resolves: RHBZ#1937856
+- IDM - Allow specifying permanent logging settings for BIND
+  Resolves: RHBZ#1951511
+- Cache LDAP data within a request
+  Resolves: RHBZ#1953656
+- ipa-server-upgrade is failing while upgrading rhel8.3 to rhel8.4
+  Resolves: RHBZ#1957768
+* Wed Mar 31 2021 Thomas Woerner <twoerner@redhat.com> - 4.9.3-1
+- Upstream release FreeIPA 4.9.3
+  Resolves: RHBZ#1945038
 * Mon Feb 15 2021 Alexander Bokovoy <abokovoy@redhat.com> - 4.9.2-1
 - Upstream release FreeIPA 4.9.2
   Related: RHBZ#1891832