diff --git a/.gitignore b/.gitignore
index c967c17..ac7caae 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/libarchive-3.3.2.tar.gz
+SOURCES/libarchive-3.3.3.tar.gz
diff --git a/.libarchive.metadata b/.libarchive.metadata
index f60f161..026496c 100644
--- a/.libarchive.metadata
+++ b/.libarchive.metadata
@@ -1 +1 @@
-580064227105e30322caa6c67b59e8c8e6060027 SOURCES/libarchive-3.3.2.tar.gz
+499a8f48a895faff4151d7398b24070d578f0b2e SOURCES/libarchive-3.3.3.tar.gz
diff --git a/SOURCES/libarchive-3.1.2-CVE-2017-14503.patch b/SOURCES/libarchive-3.1.2-CVE-2017-14503.patch
deleted file mode 100644
index deebbed..0000000
--- a/SOURCES/libarchive-3.1.2-CVE-2017-14503.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From 2c8c83b9731ff822fad6cc8c670ea5519c366a14 Mon Sep 17 00:00:00 2001
-From: Joerg Sonnenberger <joerg@bec.de>
-Date: Thu, 19 Jul 2018 21:14:53 +0200
-Subject: [PATCH] Reject LHA archive entries with negative size.
-
----
- libarchive/archive_read_support_format_lha.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/libarchive/archive_read_support_format_lha.c b/libarchive/archive_read_support_format_lha.c
-index b8ef4ae1..95c99bb1 100644
---- a/libarchive/archive_read_support_format_lha.c
-+++ b/libarchive/archive_read_support_format_lha.c
-@@ -701,6 +701,12 @@ archive_read_format_lha_read_header(struct archive_read *a,
- 	 * Prepare variables used to read a file content.
- 	 */
- 	lha->entry_bytes_remaining = lha->compsize;
-+	if (lha->entry_bytes_remaining < 0) {
-+		archive_set_error(&a->archive,
-+		    ARCHIVE_ERRNO_FILE_FORMAT,
-+		    "Invalid LHa entry size");
-+		return (ARCHIVE_FATAL);
-+	}
- 	lha->entry_offset = 0;
- 	lha->entry_crc_calculated = 0;
- 
--- 
-2.20.1
-
diff --git a/SOURCES/libarchive-3.3.2-CVE-2019-18408.patch b/SOURCES/libarchive-3.3.2-CVE-2019-18408.patch
index 1811e77..854322c 100644
--- a/SOURCES/libarchive-3.3.2-CVE-2019-18408.patch
+++ b/SOURCES/libarchive-3.3.2-CVE-2019-18408.patch
@@ -20,7 +20,7 @@ index cbb14c32..9c26ef97 100644
      ret = read_data_compressed(a, buff, size, offset);
 -    if (ret != ARCHIVE_OK && ret != ARCHIVE_WARN)
 +    if (ret != ARCHIVE_OK && ret != ARCHIVE_WARN) {
-       __archive_ppmd7_functions.Ppmd7_Free(&rar->ppmd7_context, &g_szalloc);
+       __archive_ppmd7_functions.Ppmd7_Free(&rar->ppmd7_context);
 +      rar->start_new_table = 1;
 +    }
      break;
diff --git a/SOURCES/libarchive-3.3.3-fixed-zstd_test.patch b/SOURCES/libarchive-3.3.3-fixed-zstd_test.patch
new file mode 100644
index 0000000..ea78f9a
--- /dev/null
+++ b/SOURCES/libarchive-3.3.3-fixed-zstd_test.patch
@@ -0,0 +1,114 @@
+From 1bb2ec24b433bf87fed40e207c61c6aa8790e793 Mon Sep 17 00:00:00 2001
+From: Ondrej Dubaj <odubaj@redhat.com>
+Date: Mon, 18 Nov 2019 12:41:07 +0100
+Subject: [PATCH] test_write_filter_zstd: size @ lvl=20 < default < lvl=1
+
+Raise compression on the second test to level=20, and perform a
+third at level=1. Expect the output archive sizes to line up
+based on compression level. Reduces test susceptibility to small
+output size variations from different libzstd releases.
+---
+ libarchive/test/test_write_filter_zstd.c      | 66 +++++++++++++++++--
+ 1 file changed, 60 insertions(+), 6 deletions(-)
+
+diff --git a/libarchive/test/test_write_filter_zstd.c b/libarchive/test/test_write_filter_zstd.c
+index da3c806..13de134 100644
+--- a/libarchive/test/test_write_filter_zstd.c
++++ b/libarchive/test/test_write_filter_zstd.c
+@@ -34,7 +34,7 @@ DEFINE_TEST(test_write_filter_zstd)
+ 	char *buff, *data;
+ 	size_t buffsize, datasize;
+ 	char path[16];
+-	size_t used1, used2;
++	size_t used1, used2, used3;
+ 	int i, r;
+ 
+ 	buffsize = 2000000;
+@@ -125,7 +125,7 @@ DEFINE_TEST(test_write_filter_zstd)
+ 	assertEqualIntA(a, ARCHIVE_OK,
+ 	    archive_write_set_filter_option(a, NULL, "compression-level", "9"));
+ 	assertEqualIntA(a, ARCHIVE_OK,
+-	    archive_write_set_filter_option(a, NULL, "compression-level", "6"));
++	    archive_write_set_filter_option(a, NULL, "compression-level", "20"));
+ 	assertEqualIntA(a, ARCHIVE_OK, archive_write_open_memory(a, buff, buffsize, &used2));
+ 	for (i = 0; i < 100; i++) {
+ 		sprintf(path, "file%03d", i);
+@@ -140,10 +140,6 @@ DEFINE_TEST(test_write_filter_zstd)
+ 	assertEqualIntA(a, ARCHIVE_OK, archive_write_close(a));
+ 	assertEqualInt(ARCHIVE_OK, archive_write_free(a));
+ 
+-	failure("compression-level=6 wrote %d bytes, default wrote %d bytes",
+-	    (int)used2, (int)used1);
+-	assert(used2 < used1);
+-
+ 	assert((a = archive_read_new()) != NULL);
+ 	assertEqualIntA(a, ARCHIVE_OK, archive_read_support_format_all(a));
+ 	r = archive_read_support_filter_zstd(a);
+@@ -167,6 +163,64 @@ DEFINE_TEST(test_write_filter_zstd)
+ 	}
+ 	assertEqualInt(ARCHIVE_OK, archive_read_free(a));
+ 
++	/*
++	 * One more time at level 1
++	 */
++	assert((a = archive_write_new()) != NULL);
++	assertEqualIntA(a, ARCHIVE_OK, archive_write_set_format_ustar(a));
++	assertEqualIntA(a, ARCHIVE_OK,
++	    archive_write_set_bytes_per_block(a, 10));
++	assertEqualIntA(a, ARCHIVE_OK, archive_write_add_filter_zstd(a));
++	assertEqualIntA(a, ARCHIVE_OK,
++	    archive_write_set_filter_option(a, NULL, "compression-level", "1"));
++	assertEqualIntA(a, ARCHIVE_OK, archive_write_open_memory(a, buff, buffsize, &used3));
++	assert((ae = archive_entry_new()) != NULL);
++	archive_entry_set_filetype(ae, AE_IFREG);
++	archive_entry_set_size(ae, datasize);
++	for (i = 0; i < 100; i++) {
++		sprintf(path, "file%03d", i);
++		archive_entry_copy_pathname(ae, path);
++		assertEqualIntA(a, ARCHIVE_OK, archive_write_header(a, ae));
++		assertA(datasize == (size_t)archive_write_data(a, data, datasize));
++	}
++	archive_entry_free(ae);
++	assertEqualIntA(a, ARCHIVE_OK, archive_write_close(a));
++	assertEqualInt(ARCHIVE_OK, archive_write_free(a));
++
++	assert((a = archive_read_new()) != NULL);
++	assertEqualIntA(a, ARCHIVE_OK, archive_read_support_format_all(a));
++	r = archive_read_support_filter_zstd(a);
++	if (r == ARCHIVE_WARN) {
++		skipping("zstd reading not fully supported on this platform");
++	} else {
++		assertEqualIntA(a, ARCHIVE_OK,
++		    archive_read_support_filter_all(a));
++		assertEqualIntA(a, ARCHIVE_OK,
++		    archive_read_open_memory(a, buff, used3));
++		for (i = 0; i < 100; i++) {
++			sprintf(path, "file%03d", i);
++			failure("Trying to read %s", path);
++			if (!assertEqualIntA(a, ARCHIVE_OK,
++				archive_read_next_header(a, &ae)))
++				break;
++			assertEqualString(path, archive_entry_pathname(ae));
++			assertEqualInt((int)datasize, archive_entry_size(ae));
++		}
++		assertEqualIntA(a, ARCHIVE_OK, archive_read_close(a));
++	}
++	assertEqualInt(ARCHIVE_OK, archive_read_free(a));
++
++	/*
++	 * Check output sizes for various compression levels, expectation
++	 * is that archive size for level=20 < default < level=1
++	 */
++	failure("compression-level=20 wrote %d bytes, default wrote %d bytes",
++	    (int)used2, (int)used1);
++	assert(used2 < used1);
++	failure("compression-level=1 wrote %d bytes, default wrote %d bytes",
++	    (int)used3, (int)used1);
++	assert(used1 < used3);
++
+ 	/*
+ 	 * Test various premature shutdown scenarios to make sure we
+ 	 * don't crash or leak memory.
+-- 
+2.19.1
+
diff --git a/SPECS/libarchive.spec b/SPECS/libarchive.spec
index 8f58511..bb5334a 100644
--- a/SPECS/libarchive.spec
+++ b/SPECS/libarchive.spec
@@ -1,15 +1,14 @@
 %bcond_without check
 
 Name:           libarchive
-Version:        3.3.2
-Release:        9%{?dist}
+Version:        3.3.3
+Release:        1%{?dist}
 Summary:        A library for handling streaming archive formats
 
 License:        BSD
 URL:            http://www.libarchive.org/
 Source0:        http://www.libarchive.org/downloads/%{name}-%{version}.tar.gz
 
-Patch0:        libarchive-3.1.2-CVE-2017-14503.patch
 Patch1:        libarchive-3.1.2-CVE-2019-1000019.patch
 Patch2:        libarchive-3.1.2-CVE-2019-1000020.patch
 Patch3:        libarchive-3.3.2-CVE-2018-1000878.patch
@@ -18,6 +17,10 @@ Patch5:        fix-use-after-free-in-delayed-newc.patch
 Patch6:        fix-few-obvious-resource-leaks-covscan.patch
 Patch7:        libarchive-3.3.2-CVE-2019-18408.patch
 Patch8:        libarchive-3.3.2-CVE-2019-19221.patch
+# upstream reference
+# https://github.com/libarchive/libarchive/commit/aaacc8762fd8ced8823350edd8ce2e46b565582b#diff-bc144884a8e634e16f247e0588a266ee
+Patch9:        libarchive-3.3.3-fixed-zstd_test.patch
+
 
 BuildRequires:  gcc
 BuildRequires:  bison
@@ -33,6 +36,7 @@ BuildRequires:  openssl-devel
 BuildRequires:  libxml2-devel
 BuildRequires:  lz4-devel
 BuildRequires:  automake
+BuildRequires:  libzstd-devel
 
 
 %description
@@ -221,6 +225,9 @@ run_testsuite
 
 
 %changelog
+* Thu Apr 30 2020 Ondrej Dubaj <odubaj@redhat.com> - 3.3.3-1
+- Rebase to version 3.3.3
+
 * Tue Mar 24 2020 Ondrej Dubaj <odubaj@redhat.com> - 3.3.2-9
 - Fix out-of-bounds read (CVE-2019-19221) (#1803967)