diff --git a/.gitignore b/.gitignore
index c2a86a9..3dfb968 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/lasso-2.5.0.tar.gz
+SOURCES/lasso-2.5.1.tar.gz
diff --git a/.lasso.metadata b/.lasso.metadata
index 2220fb4..06ef001 100644
--- a/.lasso.metadata
+++ b/.lasso.metadata
@@ -1 +1 @@
-5d41357e89d3a7086e2abf8d261ad851dc0c19f3 SOURCES/lasso-2.5.0.tar.gz
+fe0e68010bab6e11383003b5cf869c0447ed7a6e SOURCES/lasso-2.5.1.tar.gz
diff --git a/SOURCES/cflags.patch b/SOURCES/cflags.patch
new file mode 100644
index 0000000..38df48b
--- /dev/null
+++ b/SOURCES/cflags.patch
@@ -0,0 +1,65 @@
+From 629e05d8dc795a70fd2bcd3d0301641105bf0b06 Mon Sep 17 00:00:00 2001
+From: John Dennis <jdennis@redhat.com>
+Date: Wed, 15 Jun 2016 11:50:24 -0400
+Subject: [PATCH] enable user supplied CFLAGS
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+CFLAGS is initialized to the empty string in configure.ac, this
+effectively turned off user supplied values for CFLAGS preventing site
+specific values from being used. A further complicating factor was of
+all the user supplied values documented in Automake only CFLAGS was
+disabled allowing all other user supplied variables to take
+effect. Some variables must be coordinated (e.g. CFLAGS with LDFLAGS),
+the fact LDFLAGS was picked up from the environment but CFLAGS was
+discarded caused build failures due to incompatible combination of
+compiler and linker options.
+
+The problem was first introduced in commit: 73d9c98f "Reset CFLAGS
+when --enable-debugging is used". This patch simply removes hardcoding
+CFLAGS to the empty string and appends the debug options
+(--enable-debugging) to the existing CFLAGS.
+
+Proper use of the variables is described in the Automake documentation
+in the section "Flag Variables Ordering"
+https://www.gnu.org/software/automake/manual/html_node/Flag-Variables-Ordering.html
+
+Although the Automake documentation claims manipulating CFLAGS
+directly is improper use there are many examples of this in the
+existing configure.ac, this patch makes no attempt at addressing this
+issue, rather it makes existing usage consistent. In the particular
+case of debug flags appending to CFLAGS is probably the only valid
+solution because the debug flags must appear at the end of the list of
+flags in order to override earlier flags, CFLAGS always appears last
+in the Makefile (see above Automake doc).
+
+Signed-off-by: John Dennis <jdennis@redhat.com>
+License: MIT
+---
+ configure.ac | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index 7c58870..cf86262 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -91,7 +91,6 @@ dnl
+ dnl Check for programs
+ dnl
+ AC_PROG_CC
+-CFLAGS=""
+ AM_CFLAGS=""
+ AC_HEADER_STDC
+ LT_AC_PROG_RC
+@@ -702,7 +701,7 @@ AC_ARG_ENABLE(debugging,   [  --enable-debugging      enable debuging optimizati
+ if test "z$enable_debugging" = "zyes" ; then
+     enable_debugging=yes
+     LASSO_DEFINES="$LASSO_DEFINES -DLASSO_DEBUG"
+-    AM_CFLAGS="-O0 -g -Wall -Wextra -Werror"
++    CFLAGS="$CFLAGS -O0 -g -Wall -Wextra -Werror"
+ else
+     enable_debugging=no
+ fi    
+-- 
+2.5.5
+
diff --git a/SOURCES/validate_idp_list_test.patch b/SOURCES/validate_idp_list_test.patch
new file mode 100644
index 0000000..9344fea
--- /dev/null
+++ b/SOURCES/validate_idp_list_test.patch
@@ -0,0 +1,71 @@
+commit 11ebfeb62148a89e2ebae90d7c70be918cfdc244
+Author: John Dennis <jdennis@redhat.com>
+Date:   Fri Jun 17 11:58:24 2016 -0400
+
+    Fix ecp test validate_idp_list()
+    
+    validate_idp_list was not using the correct list elements when it
+    iterated over the known_sp_provided_idp_entries_supporting_ecp list.
+    It treated them as lists of strings instead of lists of
+    LassoSamlp2IDPEntry.
+    
+    Signed-off-by: John Dennis <jdennis@redhat.com>
+    License: MIT
+
+diff --git a/tests/login_tests_saml2.c b/tests/login_tests_saml2.c
+index 84011ec..54c7fb6 100644
+--- a/tests/login_tests_saml2.c
++++ b/tests/login_tests_saml2.c
+@@ -1245,18 +1245,29 @@ static void validate_idp_list(LassoEcp *ecp, EcpIdpListVariant ecpIDPListVariant
+ 
+ 		if (ecpIDPListVariant == ECP_IDP_LIST_ECP) {
+ 			check_not_null(ecp->known_sp_provided_idp_entries_supporting_ecp);
++			check_equals(g_list_length(ecp->known_sp_provided_idp_entries_supporting_ecp),
++						 g_list_length(idp_list->IDPEntry));
++
+ 			for (ecp_iter = g_list_first(ecp->known_sp_provided_idp_entries_supporting_ecp),
+ 				 src_iter = g_list_first(idp_list->IDPEntry);
+ 				 ecp_iter && src_iter;
+ 				 ecp_iter = g_list_next(ecp_iter), src_iter = g_list_next(src_iter)) {
+-				gchar *ecp_item, *src_item;
++				LassoSamlp2IDPEntry *ecp_item, *src_item;
++
++				ecp_item = LASSO_SAMLP2_IDP_ENTRY(ecp_iter->data);
++				src_item = LASSO_SAMLP2_IDP_ENTRY(src_iter->data);
++
++				check_not_null(ecp_item->ProviderID);
++				check_not_null(src_item->ProviderID);
++				check_str_equals(ecp_item->ProviderID, src_item->ProviderID);
+ 
+-				ecp_item = ecp_iter->data;
+-				src_item = src_iter->data;
++				check_not_null(ecp_item->Name);
++				check_not_null(src_item->Name);
++				check_str_equals(ecp_item->Name, src_item->Name);
+ 
+-				check_not_null(ecp_item);
+-				check_not_null(src_item);
+-				check_str_equals(ecp_item, src_item);
++				check_not_null(ecp_item->Loc);
++				check_not_null(src_item->Loc);
++				check_str_equals(ecp_item->Loc, src_item->Loc);
+ 			}
+ 		} else {
+ 			check_null(ecp->known_sp_provided_idp_entries_supporting_ecp);
+@@ -1356,7 +1367,6 @@ void test_ecp(EcpIdpListVariant ecpIDPListVariant)
+ 	check_null(LASSO_PROFILE(spLoginContext)->msg_url);
+ 	check_not_null(strstr(spPaosRequestMsg, "RelayState"));
+ 
+-
+ 	/* Finished with SP Login Context, will create new one later */
+ 	lasso_server_destroy(spContext);
+ 	spContext = NULL;
+@@ -1388,7 +1398,7 @@ void test_ecp(EcpIdpListVariant ecpIDPListVariant)
+ 	check_str_equals(ecp->relaystate, relayState);
+ 	check_str_equals(ecp->issuer->content, "http://sp5/metadata");
+ 	check_str_equals(ecp->provider_name, provider_name);
+-    check_equals(ecp->is_passive, is_passive);
++	check_equals(ecp->is_passive, is_passive);
+ 
+ 	/* Validate ECP IdP list info & default IdP URL */
+ 	validate_idp_list(ecp, ecpIDPListVariant, idp_list);
diff --git a/SPECS/lasso.spec b/SPECS/lasso.spec
index 3e7e2ec..3c1aebf 100644
--- a/SPECS/lasso.spec
+++ b/SPECS/lasso.spec
@@ -14,8 +14,8 @@
 
 Summary: Liberty Alliance Single Sign On
 Name: lasso
-Version: 2.5.0
-Release: 1%{?dist}
+Version: 2.5.1
+Release: 2%{?dist}
 License: GPLv2+
 Group: System Environment/Libraries
 Source: http://dev.entrouvert.org/lasso/lasso-%{version}.tar.gz
@@ -26,10 +26,14 @@ BuildRequires: gtk-doc, libtool-ltdl-devel
 BuildRequires: glib2-devel >= 2.42, swig
 Requires: glib2 >= 2.42
 BuildRequires: libxml2-devel, xmlsec1-devel, openssl-devel, xmlsec1-openssl-devel
+BuildRequires: zlib-devel, check-devel
 BuildRequires: libtool autoconf automake
 BuildRequires: python-six
 Url: http://lasso.entrouvert.org/
 
+patch1: cflags.patch
+patch2: validate_idp_list_test.patch
+
 %description
 Lasso is a library that implements the Liberty Alliance Single Sign On
 standards, including the SAML and SAML2 specifications. It allows to handle
@@ -104,6 +108,8 @@ library.
 
 %prep
 %setup -q -n %{name}-%{version}
+%patch1 -p1
+%patch2 -p1
 
 %build
 autoreconf -vif
@@ -212,6 +218,15 @@ rm -fr %{buildroot}%{_defaultdocdir}/%{name}
 %endif
 
 %changelog
+* Fri Jun 17 2016 John Dennis <jdennis@redhat.com> - 2.5.1-2
+- Rebase to upstream 2.5.1
+  Resolves: #1310860
+- add validate_idp_list_test patch
+
+* Thu Jun  9 2016 John Dennis <jdennis@redhat.com> - 2.5.1-1
+- Rebase to upstream 2.5.1
+  Resolves: #1310860
+
 * Thu Sep  3 2015 John Dennis <jdennis@redhat.com> - 2.5.0-1
 - Rebase to upstream, now includes our ECP patches, no need to patch any more
   Resolves: #1205342