diff --git a/SOURCES/ldns-1.7.1-Support-sysconfig-python-module-in-python_devel.patch b/SOURCES/ldns-1.7.1-Support-sysconfig-python-module-in-python_devel.patch
new file mode 100644
index 0000000..e6b2ccf
--- /dev/null
+++ b/SOURCES/ldns-1.7.1-Support-sysconfig-python-module-in-python_devel.patch
@@ -0,0 +1,248 @@
+--- a/m4/ax_python_devel.m4	2019-07-26 17:07:44.000000000 +0200
++++ b/m4/ax_python_devel.m4	2022-02-15 10:29:28.876543000 +0100
+@@ -1,5 +1,5 @@
+ # ===========================================================================
+-#      http://www.gnu.org/software/autoconf-archive/ax_python_devel.html
++#     https://www.gnu.org/software/autoconf-archive/ax_python_devel.html
+ # ===========================================================================
+ #
+ # SYNOPSIS
+@@ -12,8 +12,8 @@
+ #   in your configure.ac.
+ #
+ #   This macro checks for Python and tries to get the include path to
+-#   'Python.h'. It provides the $(PYTHON_CPPFLAGS) and $(PYTHON_LDFLAGS)
+-#   output variables. It also exports $(PYTHON_EXTRA_LIBS) and
++#   'Python.h'. It provides the $(PYTHON_CPPFLAGS) and $(PYTHON_LIBS) output
++#   variables. It also exports $(PYTHON_EXTRA_LIBS) and
+ #   $(PYTHON_EXTRA_LDFLAGS) for embedding Python in your code.
+ #
+ #   You can search for some particular version of Python by passing a
+@@ -52,7 +52,7 @@
+ #   Public License for more details.
+ #
+ #   You should have received a copy of the GNU General Public License along
+-#   with this program. If not, see <http://www.gnu.org/licenses/>.
++#   with this program. If not, see <https://www.gnu.org/licenses/>.
+ #
+ #   As a special exception, the respective Autoconf Macro's copyright owner
+ #   gives unlimited permission to copy, distribute and modify the configure
+@@ -67,7 +67,7 @@
+ #   modified version of the Autoconf Macro, you may extend this special
+ #   exception to the GPL to apply to your modified version as well.
+ 
+-#serial 16
++#serial 23
+ 
+ AU_ALIAS([AC_PYTHON_DEVEL], [AX_PYTHON_DEVEL])
+ AC_DEFUN([AX_PYTHON_DEVEL],[
+@@ -99,7 +99,7 @@
+ This version of the AC@&t@_PYTHON_DEVEL macro
+ doesn't work properly with versions of Python before
+ 2.1.0. You may need to re-run configure, setting the
+-variables PYTHON_CPPFLAGS, PYTHON_LDFLAGS, PYTHON_SITE_PKG,
++variables PYTHON_CPPFLAGS, PYTHON_LIBS, PYTHON_SITE_PKG,
+ PYTHON_EXTRA_LIBS and PYTHON_EXTRA_LDFLAGS by hand.
+ Moreover, to disable this check, set PYTHON_NOVERSIONCHECK
+ to something else than an empty string.
+@@ -135,16 +135,25 @@
+ 	#
+ 	# Check if you have distutils, else fail
+ 	#
+-	AC_MSG_CHECKING([for the distutils Python package])
+-	ac_distutils_result=`$PYTHON -c "import distutils" 2>&1`
+-	if test -z "$ac_distutils_result"; then
++	AC_MSG_CHECKING([for the sysconfig Python package])
++	ac_sysconfig_result=`$PYTHON -c "import sysconfig" 2>&1`
++	if test $? -eq 0; then
+ 		AC_MSG_RESULT([yes])
++		IMPORT_SYSCONFIG="import sysconfig"
+ 	else
+ 		AC_MSG_RESULT([no])
+-		AC_MSG_ERROR([cannot import Python module "distutils".
++
++		AC_MSG_CHECKING([for the distutils Python package])
++		ac_sysconfig_result=`$PYTHON -c "from distutils import sysconfig" 2>&1`
++		if test $? -eq 0; then
++			AC_MSG_RESULT([yes])
++			IMPORT_SYSCONFIG="from distutils import sysconfig"
++		else
++			AC_MSG_ERROR([cannot import Python module "distutils".
+ Please check your Python installation. The error was:
+-$ac_distutils_result])
+-		PYTHON_VERSION=""
++$ac_sysconfig_result])
++			PYTHON_VERSION=""
++		fi
+ 	fi
+ 
+ 	#
+@@ -152,10 +161,19 @@
+ 	#
+ 	AC_MSG_CHECKING([for Python include path])
+ 	if test -z "$PYTHON_CPPFLAGS"; then
+-		python_path=`$PYTHON -c "import distutils.sysconfig; \
+-			print (distutils.sysconfig.get_python_inc ());"`
+-		plat_python_path=`$PYTHON -c "import distutils.sysconfig; \
+-			print (distutils.sysconfig.get_python_inc (plat_specific=1));"`
++		if test "$IMPORT_SYSCONFIG" = "import sysconfig"; then
++			# sysconfig module has different functions
++			python_path=`$PYTHON -c "$IMPORT_SYSCONFIG; \
++				print (sysconfig.get_path ('include'));"`
++			plat_python_path=`$PYTHON -c "$IMPORT_SYSCONFIG; \
++				print (sysconfig.get_path ('platinclude'));"`
++		else
++			# old distutils way
++			python_path=`$PYTHON -c "$IMPORT_SYSCONFIG; \
++				print (sysconfig.get_python_inc ());"`
++			plat_python_path=`$PYTHON -c "$IMPORT_SYSCONFIG; \
++				print (sysconfig.get_python_inc (plat_specific=1));"`
++		fi
+ 		if test -n "${python_path}"; then
+ 			if test "${plat_python_path}" != "${python_path}"; then
+ 				python_path="-I$python_path -I$plat_python_path"
+@@ -172,14 +190,14 @@
+ 	# Check for Python library path
+ 	#
+ 	AC_MSG_CHECKING([for Python library path])
+-	if test -z "$PYTHON_LDFLAGS"; then
++	if test -z "$PYTHON_LIBS"; then
+ 		# (makes two attempts to ensure we've got a version number
+ 		# from the interpreter)
+ 		ac_python_version=`cat<<EOD | $PYTHON -
+ 
+ # join all versioning strings, on some systems
+ # major/minor numbers could be in different list elements
+-from distutils.sysconfig import *
++from sysconfig import *
+ e = get_config_var('VERSION')
+ if e is not None:
+ 	print(e)
+@@ -202,8 +220,8 @@
+ 		ac_python_libdir=`cat<<EOD | $PYTHON -
+ 
+ # There should be only one
+-import distutils.sysconfig
+-e = distutils.sysconfig.get_config_var('LIBDIR')
++$IMPORT_SYSCONFIG
++e = sysconfig.get_config_var('LIBDIR')
+ if e is not None:
+ 	print (e)
+ EOD`
+@@ -211,8 +229,8 @@
+ 		# Now, for the library:
+ 		ac_python_library=`cat<<EOD | $PYTHON -
+ 
+-import distutils.sysconfig
+-c = distutils.sysconfig.get_config_vars()
++$IMPORT_SYSCONFIG
++c = sysconfig.get_config_vars()
+ if 'LDVERSION' in c:
+ 	print ('python'+c[['LDVERSION']])
+ else:
+@@ -227,45 +245,51 @@
+ 		then
+ 			# use the official shared library
+ 			ac_python_library=`echo "$ac_python_library" | sed "s/^lib//"`
+-			PYTHON_LDFLAGS="-L$ac_python_libdir -l$ac_python_library"
++			PYTHON_LIBS="-L$ac_python_libdir -l$ac_python_library"
+ 		else
+ 			# old way: use libpython from python_configdir
+ 			ac_python_libdir=`$PYTHON -c \
+-			  "from distutils.sysconfig import get_python_lib as f; \
++			  "from sysconfig import get_python_lib as f; \
+ 			  import os; \
+ 			  print (os.path.join(f(plat_specific=1, standard_lib=1), 'config'));"`
+-			PYTHON_LDFLAGS="-L$ac_python_libdir -lpython$ac_python_version"
++			PYTHON_LIBS="-L$ac_python_libdir -lpython$ac_python_version"
+ 		fi
+ 
+-		if test -z "PYTHON_LDFLAGS"; then
++		if test -z "PYTHON_LIBS"; then
+ 			AC_MSG_ERROR([
+   Cannot determine location of your Python DSO. Please check it was installed with
+-  dynamic libraries enabled, or try setting PYTHON_LDFLAGS by hand.
++  dynamic libraries enabled, or try setting PYTHON_LIBS by hand.
+ 			])
+ 		fi
+ 	fi
+-	AC_MSG_RESULT([$PYTHON_LDFLAGS])
+-	AC_SUBST([PYTHON_LDFLAGS])
++	AC_MSG_RESULT([$PYTHON_LIBS])
++	AC_SUBST([PYTHON_LIBS])
+ 
+ 	#
+ 	# Check for site packages
+ 	#
+ 	AC_MSG_CHECKING([for Python site-packages path])
+ 	if test -z "$PYTHON_SITE_PKG"; then
+-		PYTHON_SITE_PKG=`$PYTHON -c "import distutils.sysconfig; \
+-			print (distutils.sysconfig.get_python_lib(1,0));"`
++		if test "$IMPORT_SYSCONFIG" = "import sysconfig"; then
++			PYTHON_SITE_PKG=`$PYTHON -c "$IMPORT_SYSCONFIG; \
++				print (sysconfig.get_path('platlib'));"`
++		else
++			# distutils.sysconfig way
++			PYTHON_SITE_PKG=`$PYTHON -c "$IMPORT_SYSCONFIG; \
++				print (sysconfig.get_python_lib(0,0));"`
++		fi
+ 	fi
+ 	AC_MSG_RESULT([$PYTHON_SITE_PKG])
+ 	AC_SUBST([PYTHON_SITE_PKG])
+ 
+ 	#
+ 	# libraries which must be linked in when embedding
+ 	#
+ 	AC_MSG_CHECKING(python extra libraries)
+ 	if test -z "$PYTHON_EXTRA_LIBS"; then
+-	   PYTHON_EXTRA_LIBS=`$PYTHON -c "import distutils.sysconfig; \
+-                conf = distutils.sysconfig.get_config_var; \
+-                print (conf('LIBS'))"`
++	   PYTHON_EXTRA_LIBS=`$PYTHON -c "$IMPORT_SYSCONFIG; \
++                conf = sysconfig.get_config_var; \
++                print (conf('LIBS') + ' ' + conf('SYSLIBS'))"`
+ 	fi
+ 	AC_MSG_RESULT([$PYTHON_EXTRA_LIBS])
+ 	AC_SUBST(PYTHON_EXTRA_LIBS)
+@@ -275,8 +316,8 @@
+ 	#
+ 	AC_MSG_CHECKING(python extra linking flags)
+ 	if test -z "$PYTHON_EXTRA_LDFLAGS"; then
+-		PYTHON_EXTRA_LDFLAGS=`$PYTHON -c "import distutils.sysconfig; \
+-			conf = distutils.sysconfig.get_config_var; \
++		PYTHON_EXTRA_LDFLAGS=`$PYTHON -c "$IMPORT_SYSCONFIG; \
++			conf = sysconfig.get_config_var; \
+ 			print (conf('LINKFORSHARED'))"`
+ 	fi
+ 	AC_MSG_RESULT([$PYTHON_EXTRA_LDFLAGS])
+@@ -288,8 +329,10 @@
+ 	AC_MSG_CHECKING([consistency of all components of python development environment])
+ 	# save current global flags
+ 	ac_save_LIBS="$LIBS"
++	ac_save_LDFLAGS="$LDFLAGS"
+ 	ac_save_CPPFLAGS="$CPPFLAGS"
+-	LIBS="$ac_save_LIBS $PYTHON_LDFLAGS $PYTHON_EXTRA_LDFLAGS $PYTHON_EXTRA_LIBS"
++	LIBS="$ac_save_LIBS $PYTHON_LIBS $PYTHON_EXTRA_LIBS $PYTHON_EXTRA_LIBS"
++	LDFLAGS="$ac_save_LDFLAGS $PYTHON_EXTRA_LDFLAGS"
+ 	CPPFLAGS="$ac_save_CPPFLAGS $PYTHON_CPPFLAGS"
+ 	AC_LANG_PUSH([C])
+ 	AC_LINK_IFELSE([
+@@ -300,6 +343,7 @@
+ 	# turn back to default flags
+ 	CPPFLAGS="$ac_save_CPPFLAGS"
+ 	LIBS="$ac_save_LIBS"
++	LDFLAGS="$ac_save_LDFLAGS"
+ 
+ 	AC_MSG_RESULT([$pythonexists])
+ 
+@@ -307,8 +351,8 @@
+ 	   AC_MSG_FAILURE([
+   Could not link test program to Python. Maybe the main Python library has been
+   installed in some non-standard library path. If so, pass it to configure,
+-  via the LDFLAGS environment variable.
+-  Example: ./configure LDFLAGS="-L/usr/non-standard-path/python/lib"
++  via the LIBS environment variable.
++  Example: ./configure LIBS="-L/usr/non-standard-path/python/lib"
+   ============================================================================
+    ERROR!
+    You probably have to install the development version of the Python package
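Review bot: The fallback under `# old way: use libpython from python_configdir` now runs `from sysconfig import get_python_lib as f`, but the standard-library `sysconfig` module has no `get_python_lib` (it is a `distutils.sysconfig` function), so that branch would fail with an ImportError and leave `ac_python_libdir` empty. The guard meant to catch this, `if test -z "PYTHON_LIBS"; then`, tests a literal string and can never be true. It should read `if test -z "$PYTHON_LIBS"; then`, and because PYTHON_LIBS would still hold `-L -lpython…` in that case, testing `$ac_python_libdir` is the more useful check. For the branch itself, select on `$IMPORT_SYSCONFIG` as the include-path section does, using `sysconfig.get_path('platstdlib')` on the new path and keeping `get_python_lib(plat_specific=1, standard_lib=1)` for distutils. Two smaller items in the same file: the distutils fallback for PYTHON_SITE_PKG now calls `get_python_lib(0,0)` (the pure-Python directory) while the sysconfig path asks for `'platlib'`, and `$PYTHON_EXTRA_LIBS` appears twice in the link-test `LIBS=` line.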
diff --git a/SOURCES/ldns-1.7.1-Use-PYTHON_LIBS-instead-of-PYTHON_LDFLAGS.patch b/SOURCES/ldns-1.7.1-Use-PYTHON_LIBS-instead-of-PYTHON_LDFLAGS.patch
new file mode 100644
index 0000000..28beb33
--- /dev/null
+++ b/SOURCES/ldns-1.7.1-Use-PYTHON_LIBS-instead-of-PYTHON_LDFLAGS.patch
@@ -0,0 +1,32 @@
+From a5a5dd867fdb934a7ce3637dd9def598f0979247 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
+Date: Thu, 3 Jun 2021 10:51:15 +0200
+Subject: [PATCH] Use PYTHON_LIBS instead of PYTHON_LDFLAGS
+
+Definition was changed to more obvious variable in ax_python_devel.m4
+---
+ Makefile.in | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/ldns-1.7.1/Makefile.in b/ldns-1.7.1/Makefile.in
+index af529e43..2f6b1423 100644
+--- a/ldns-1.7.1/Makefile.in
++++ b/ldns-1.7.1/Makefile.in
+@@ -48,7 +48,7 @@ LIBS 		= @LIBS@
+ LIBOBJDIR	= compat/
+ LIBOBJS		= @LIBOBJS@
+ PYTHON_CPPFLAGS	= @PYTHON_CPPFLAGS@
+-PYTHON_LDFLAGS	= @PYTHON_LDFLAGS@
++PYTHON_LIBS	= @PYTHON_LIBS@
+ PYTHON_X_CFLAGS = @PYTHON_X_CFLAGS@
+ LIBSSL_CPPFLAGS = @LIBSSL_CPPFLAGS@
+ LIBSSL_LDFLAGS  = @LIBSSL_LDFLAGS@
+@@ -301,7 +301,7 @@
+ 	$(COMP_LIB) -I./include/ldns $(LIBSSL_CPPFLAGS) $(PYTHON_CPPFLAGS) $(PYTHON_X_CFLAGS) -c $(pywrapdir)/ldns_wrapper.c -o $@
+ 
+ _ldns.la: ldns_wrapper.lo libldns.la 
+-	$(LIBTOOL) --tag=CC --mode=link $(CC) $(CFLAGS) $(PYTHON_CFLAGS) $(LDFLAGS) $(PYTHON_LDFLAGS) -module -version-info $(version_info) -no-undefined -o $@ ldns_wrapper.lo -rpath $(python_site) -L. -L.libs -lldns $(LIBS)
++	$(LIBTOOL) --tag=CC --mode=link $(CC) $(CFLAGS) $(PYTHON_CFLAGS) $(LDFLAGS) -module -version-info $(version_info) -no-undefined -o $@ ldns_wrapper.lo -rpath $(python_site) -L. -L.libs -lldns $(PYTHON_LIBS) $(LIBS)
+ 
+ $(p5_dns_ldns_dir)/Makefile: $(p5_dns_ldns_dir)/Makefile.PL
+ 	BUILDDIR=`pwd`; cd $(p5_dns_ldns_dir); LD_LIBRARY_PATH="$$BUILDDIR/.libs:$$LD_LIBRARY_PATH" DYLD_LIBRARY_PATH="$$BUILDDIR/.libs:$$DYLD_LIBRARY_PATH" $(PERL) Makefile.PL LIBS="-L$$BUILDDIR/.libs -lldns" INC="-I$$BUILDDIR"
diff --git a/SOURCES/ldns-1.7.1-out-of-boud-read-vuln.patch b/SOURCES/ldns-1.7.1-out-of-boud-read-vuln.patch
new file mode 100644
index 0000000..474902c
--- /dev/null
+++ b/SOURCES/ldns-1.7.1-out-of-boud-read-vuln.patch
@@ -0,0 +1,41 @@
+From 15d96206996bea969fbc918eb0a4a346f514b9f3 Mon Sep 17 00:00:00 2001
+From: Wouter Wijngaards <wouter@nlnetlabs.nl>
+Date: Tue, 24 Sep 2019 16:50:27 +0200
+Subject: [PATCH 1/2] * bugfix #70: heap Out-of-bound Read vulnerability in  
+rr_frm_str_internal reported by pokerfacett.
+
+From 4e9861576a600a5ecfa16ec2de853c90dd9ce276 Mon Sep 17 00:00:00 2001
+From: Wouter Wijngaards <wouter@nlnetlabs.nl>
+Date: Tue, 24 Sep 2019 16:51:09 +0200
+Subject: [PATCH 2/2] Fix #70 fix code.
+
+diff --git a/ldns-1.7.1/rr.c b/ldns-1.7.1/rr.c
+index 6642aca7..adf67ae4 100644
+--- a/ldns-1.7.1/rr.c
++++ b/ldns-1.7.1/rr.c
+@@ -365,15 +365,18 @@ ldns_rr_new_frm_str_internal(ldns_rr **newrr, const char *str,
+ 				ldns_buffer_remaining(rd_buf) > 0){
+ 
+ 			/* skip spaces */
+-			while (*(ldns_buffer_current(rd_buf)) == ' ') {
++			while (ldns_buffer_remaining(rd_buf) > 0 &&
++				*(ldns_buffer_current(rd_buf)) == ' ') {
+ 				ldns_buffer_skip(rd_buf, 1);
+ 			}
+ 
+-			if (*(ldns_buffer_current(rd_buf)) == '\"') {
++			if (ldns_buffer_remaining(rd_buf) > 0 &&
++				*(ldns_buffer_current(rd_buf)) == '\"') {
+ 				delimiters = "\"\0";
+ 				ldns_buffer_skip(rd_buf, 1);
+ 				quoted = true;
+-			} else if (ldns_rr_descriptor_field_type(desc, r_cnt)
++			}
++			if (!quoted && ldns_rr_descriptor_field_type(desc, r_cnt)
+ 					== LDNS_RDF_TYPE_LONG_STR) {
+ 
+ 				status = LDNS_STATUS_SYNTAX_RDATA_ERR;
+-- 
+2.34.1
+
+
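Review bot: The rewritten `if (!quoted && ldns_rr_descriptor_field_type(desc, r_cnt) == LDNS_RDF_TYPE_LONG_STR)` now depends on `quoted` being false on entry for every rdata field, where the old `else if` never read the flag. The statement that resets `quoted` is not visible in this hunk, so confirm it is cleared per field; otherwise a quoted field followed by an unquoted LONG_STR field would skip the `LDNS_STATUS_SYNTAX_RDATA_ERR` path. If it is not reset, add `quoted = false;` before the skip-spaces loop. A short comment above the two new `ldns_buffer_remaining(rd_buf) > 0` guards, such as `/* rd_buf may be exhausted after skipping spaces; do not dereference current */`, would record why the checks exist. The function body starts and ends outside the hunk.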
diff --git a/SPECS/ldns.spec b/SPECS/ldns.spec
index 25a1579..ddc15c6 100644
--- a/SPECS/ldns.spec
+++ b/SPECS/ldns.spec
@@ -39,7 +39,7 @@
 Summary: Low-level DNS(SEC) library with API
 Name: ldns
 Version: 1.7.1
-Release: 8%{?dist}
+Release: 10%{?dist}
 
 License: BSD
 Url: https://www.nlnetlabs.nl/%{name}/
@@ -50,6 +50,14 @@ Source2: https://keys.openpgp.org/vks/v1/by-fingerprint/DC34EE5DB2417BCC151E5100
 Patch1: ldns-1.7.0-multilib.patch
 # 2008445 - https://github.com/NLnetLabs/ldns/commit/12ab6f7a408cd99e9b43b7db86724c2ee66bc36e
 Patch2: ldns-1.7.1-openssl-build.patch
+# 2051211 - https://github.com/NLnetLabs/ldns/commit/15d96206996bea969fbc918eb0a4a346f514b9f3
+Patch3: ldns-1.7.1-out-of-boud-read-vuln.patch
+# https://github.com/autoconf-archive/autoconf-archive/commit/7f21e125bbe4e7c93d3bc86cda29c8b8e3b07d52
+# used 'platlib' instead of 'purelib'
+Patch4: ldns-1.7.1-Support-sysconfig-python-module-in-python_devel.patch
+# https://github.com/NLnetLabs/ldns/commit/a5a5dd867fdb934a7ce3637dd9def598f0979247
+Patch5: ldns-1.7.1-Use-PYTHON_LIBS-instead-of-PYTHON_LDFLAGS.patch
+
 
 # Only needed for builds from svn snapshot
 %if 0%{snapshot}
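Review bot: Patch4 edits `m4/ax_python_devel.m4`, which only takes effect if `configure` is regenerated during the build. The `%prep` and `%build` sections are outside this hunk, so confirm an `autoreconf` step runs; otherwise the `@PYTHON_LIBS@` that Patch5 puts in Makefile.in would be left unsubstituted. The three patches also use different path prefixes (`a/m4/...` in Patch4 versus `a/ldns-1.7.1/...` in Patch3 and Patch5), so they need different strip levels when applied. For auditability, name the CVE on the Patch3 comment line, e.g. `# CVE-2020-19860 (#2051211) - https://github.com/NLnetLabs/ldns/commit/15d96206996bea969fbc918eb0a4a346f514b9f3`.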
@@ -351,6 +359,13 @@ rm -rf doc/man
 %doc doc
 
 %changelog
+* Fri Feb 25 2022 Richard Lescak <rlescak@redhat.com> - 1.7.1-10
+- use Python LIBS instead of LDFLAGS - fix annocheck issues
+
+* Thu Feb 24 2022 Richard Lescak <rlescak@redhat.com> - 1.7.1-9
+- Fix for CVE-2020-19860 ldns: heap overread vulnerability (#2051211)
+- Added also patch for deprecated distutils Python module used in build
+
 * Wed Oct 13 2021 Richard Lescak <rlescak@redhat.com> - 1.7.1-8
 - Added patch for failing rebuild with OpenSSL 3.0.0 (#2008445)