diff --git a/SOURCES/0004-advisory-upgrade-filter-out-advPkgs-with-different-a.patch b/SOURCES/0004-advisory-upgrade-filter-out-advPkgs-with-different-a.patch
new file mode 100644
index 0000000..70705d9
--- /dev/null
+++ b/SOURCES/0004-advisory-upgrade-filter-out-advPkgs-with-different-a.patch
@@ -0,0 +1,100 @@
+From 35a3cebb3b23b3ba9001e3d4f9f0ef5e59c499f0 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ale=C5=A1=20Mat=C4=9Bj?= <amatej@redhat.com>
+Date: Mon, 30 May 2022 08:59:41 +0200
+Subject: [PATCH 4/5] advisory upgrade: filter out advPkgs with different arch
+
+This prevents a situation in security upgrades where libsolv cannot
+upgrade dependent pkgs because we ask for an upgrade of different arch:
+
+We can get the following testcase if libdnf has filtered out
+json-c-2-2.el8.x86_64@rhel-8-for-x86_64-baseos-rpms
+(because there is an advisory for already installed json-c-1-1.el8.x86_64) but
+json-c-2-2.el8.i686@rhel-8-for-x86_64-baseos-rpms is not filtered out because
+it has different architecture. The resulting transaction doesn't work.
+
+```
+repo @System -99.-1000 testtags <inline>
+#>=Pkg: bind-libs-lite 1 1.el8 x86_64
+#>=Pkg: json-c 1 1.el8 x86_64
+
+repo rhel-8-for-x86_64-baseos-rpms -99.-1000 testtags <inline>
+#>=Pkg: json-c 2 2.el8 x86_64
+#>=Prv: libjson-c.so.4()(64bit)
+#>
+#>=Pkg: json-c 2 2.el8 i686
+#>=Prv: libjson-c.so.4()
+#>
+#>=Pkg: bind-libs-lite 2 2.el8 x86_64
+#>=Req: libjson-c.so.4()(64bit)
+system x86_64 rpm @System
+job update oneof json-c-1-1.el8.x86_64@@System json-c-2-2.el8.i686@rhel-8-for-x86_64-baseos-rpms bind-libs-lite-2-2.el8.x86_64@rhel-8-for-x86_64-baseos-rpms [forcebest,targeted,setevr,setarch]
+result transaction,problems <inline>
+#>problem f06d81a4 info package bind-libs-lite-2-2.el8.x86_64 requires libjson-c.so.4()(64bit), but none of the providers can be installed
+#>problem f06d81a4 solution 96f9031b allow bind-libs-lite-1-1.el8.x86_64@@System
+#>problem f06d81a4 solution c8daf94f allow json-c-2-2.el8.x86_64@rhel-8-for-x86_64-baseos-rpms
+#>upgrade bind-libs-lite-1-1.el8.x86_64@@System bind-libs-lite-2-2.el8.x86_64@rhel-8-for-x86_64-baseos-rpms
+#>upgrade json-c-1-1.el8.x86_64@@System json-c-2-2.el8.x86_64@rhel-8-for-x86_64-baseos-rpms```
+```
+
+= changelog =
+msg: Filter out advisory pkgs with different arch during advisory upgrade, fixes possible problems in dependency resulution.
+type: bugfix
+resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2088149
+---
+ libdnf/sack/query.cpp | 25 +++++++++++++++++++------
+ 1 file changed, 19 insertions(+), 6 deletions(-)
+
+diff --git a/libdnf/sack/query.cpp b/libdnf/sack/query.cpp
+index ac2736b5..03d39659 100644
+--- a/libdnf/sack/query.cpp
++++ b/libdnf/sack/query.cpp
+@@ -1877,12 +1877,6 @@ Query::Impl::filterAdvisory(const Filter & f, Map *m, int keyname)
+ std::vector<Solvable *> candidates;
+ std::vector<Solvable *> installed_solvables;
+
+- Id id = -1;
+- while ((id = resultPset->next(id)) != -1) {
+- candidates.push_back(pool_id2solvable(pool, id));
+- }
+- NameArchEVRComparator cmp_key(pool);
+-
+ if (cmp_type & HY_UPGRADE) {
+ Query installed(sack, ExcludeFlags::IGNORE_EXCLUDES);
+ installed.installed();
+@@ -1893,6 +1887,18 @@ Query::Impl::filterAdvisory(const Filter & f, Map *m, int keyname)
+ installed_solvables.push_back(pool_id2solvable(pool, installed_id));
+ }
+ std::sort(installed_solvables.begin(), installed_solvables.end(), NameArchSolvableComparator);
++ Id id = -1;
++ while ((id = resultPset->next(id)) != -1) {
++ Solvable * s = pool_id2solvable(pool, id);
++ // When doing HY_UPGRADE consider only candidate pkgs that have matching Name and Arch
++ // with some already installed pkg (in other words: some other version of the pkg is already installed).
++ // Otherwise a pkg with different Arch than installed can end up in upgrade set which is wrong.
++ // It can result in dependency issues, reported as: RhBug:2088149.
++ auto low = std::lower_bound(installed_solvables.begin(), installed_solvables.end(), s, NameArchSolvableComparator);
++ if (low != installed_solvables.end() && s->name == (*low)->name && s->arch == (*low)->arch) {
++ candidates.push_back(s);
++ }
++ }
+
+ // Apply security filters only to packages with lower priority - to unify behaviour upgrade
+ // and upgrade-minimal
+@@ -1915,7 +1921,14 @@ Query::Impl::filterAdvisory(const Filter & f, Map *m, int keyname)
+ }
+ }
+ std::swap(candidates, priority_candidates);
++ } else {
++ Id id = -1;
++ while ((id = resultPset->next(id)) != -1) {
++ candidates.push_back(pool_id2solvable(pool, id));
++ }
+ }
++
++ NameArchEVRComparator cmp_key(pool);
+ std::sort(candidates.begin(), candidates.end(), cmp_key);
+ for (auto & advisoryPkg : pkgs) {
+ if (cmp_type & HY_UPGRADE) {
+--
+2.37.1
+
diff --git a/SOURCES/0005-Add-obsoletes-to-filtering-for-advisory-candidates.patch b/SOURCES/0005-Add-obsoletes-to-filtering-for-advisory-candidates.patch
new file mode 100644
index 0000000..467ccb9
--- /dev/null
+++ b/SOURCES/0005-Add-obsoletes-to-filtering-for-advisory-candidates.patch
@@ -0,0 +1,71 @@
+From 83d6c019360823504fe27284fdf4804943bb2033 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ale=C5=A1=20Mat=C4=9Bj?= <amatej@redhat.com>
+Date: Tue, 5 Jul 2022 09:02:22 +0200
+Subject: [PATCH 5/5] Add obsoletes to filtering for advisory candidates
+
+Patch https://github.com/rpm-software-management/libdnf/pull/1526
+introduced a regression where we no longer do a security upgrade if a
+package A is installed and package B obsoletes A and B is available in two
+versions while there is an advisory for the second version.
+
+Test: https://github.com/rpm-software-management/ci-dnf-stack/pull/1130
+---
+ libdnf/sack/query.cpp | 32 ++++++++++++++++++++++++++++----
+ 1 file changed, 28 insertions(+), 4 deletions(-)
+
+diff --git a/libdnf/sack/query.cpp b/libdnf/sack/query.cpp
+index 03d39659..5355f9f7 100644
+--- a/libdnf/sack/query.cpp
++++ b/libdnf/sack/query.cpp
+@@ -1878,6 +1878,13 @@ Query::Impl::filterAdvisory(const Filter & f, Map *m, int keyname)
+ std::vector<Solvable *> installed_solvables;
+
+ if (cmp_type & HY_UPGRADE) {
++ // When doing HY_UPGRADE consider only candidate pkgs that have matching Name and Arch with:
++ // * some already installed pkg (in other words: some other version of the pkg is already installed)
++ // or
++ // * with pkg that obsoletes some already installed (or to be installed in this transaction) pkg
++ // Otherwise a pkg with different Arch than installed can end up in upgrade set which is wrong.
++ // It can result in dependency issues, reported as: RhBug:2088149.
++
+ Query installed(sack, ExcludeFlags::IGNORE_EXCLUDES);
+ installed.installed();
+ installed.addFilter(HY_PKG_LATEST_PER_ARCH, HY_EQ, 1);
+@@ -1887,13 +1894,30 @@ Query::Impl::filterAdvisory(const Filter & f, Map *m, int keyname)
+ installed_solvables.push_back(pool_id2solvable(pool, installed_id));
+ }
+ std::sort(installed_solvables.begin(), installed_solvables.end(), NameArchSolvableComparator);
++
++ Query obsoletes(sack, ExcludeFlags::IGNORE_EXCLUDES);
++ obsoletes.addFilter(HY_PKG, HY_EQ, resultPset);
++ obsoletes.available();
++
++ Query possibly_obsoleted(sack, ExcludeFlags::IGNORE_EXCLUDES);
++ possibly_obsoleted.addFilter(HY_PKG, HY_EQ, resultPset);
++ possibly_obsoleted.addFilter(HY_PKG_UPGRADES, HY_EQ, 1);
++ possibly_obsoleted.queryUnion(installed);
++ possibly_obsoleted.apply();
++
++ obsoletes.addFilter(HY_PKG_OBSOLETES, HY_EQ, possibly_obsoleted.runSet());
++ obsoletes.apply();
++ Id obsoleted_id = -1;
++ // Add to candidates resultPset pkgs that obsolete some installed (or to be installed in this transaction) pkg
++ while ((obsoleted_id = obsoletes.pImpl->result->next(obsoleted_id)) != -1) {
++ Solvable * s = pool_id2solvable(pool, obsoleted_id);
++ candidates.push_back(s);
++ }
++
+ Id id = -1;
++ // Add to candidates resultPset pkgs that match name and arch with some already installed pkg
+ while ((id = resultPset->next(id)) != -1) {
+ Solvable * s = pool_id2solvable(pool, id);
+- // When doing HY_UPGRADE consider only candidate pkgs that have matching Name and Arch
+- // with some already installed pkg (in other words: some other version of the pkg is already installed).
+- // Otherwise a pkg with different Arch than installed can end up in upgrade set which is wrong.
+- // It can result in dependency issues, reported as: RhBug:2088149.
+ auto low = std::lower_bound(installed_solvables.begin(), installed_solvables.end(), s, NameArchSolvableComparator);
+ if (low != installed_solvables.end() && s->name == (*low)->name && s->arch == (*low)->arch) {
+ candidates.push_back(s);
+--
+2.37.1
+
diff --git a/SPECS/libdnf.spec b/SPECS/libdnf.spec
index dbb0e58..b7bc0c8 100644
--- a/SPECS/libdnf.spec
+++ b/SPECS/libdnf.spec
@@ -56,7 +56,7 @@
Name: libdnf
Version: %{libdnf_major_version}.%{libdnf_minor_version}.%{libdnf_micro_version}
-Release: 5%{?dist}
+Release: 5.1%{?dist}
Summary: Library providing simplified C and Python API to libsolv
License: LGPLv2+
URL: https://github.com/rpm-software-management/libdnf
@@ -64,6 +64,9 @@ Source0: %{url}/archive/%{version}/%{name}-%{version}.tar.gz
Patch1: 0001-Use-rpmdbCookie-from-librpm-remove-hawkey.Sack._rpmd.patch
Patch2: 0002-Skip-rich-deps-for-autodetection-of-unmet-dependencies-RhBug2033130-2048394.patch
Patch3: 0003-Update-translations-RhBug-2017349.patch
+Patch4: 0004-advisory-upgrade-filter-out-advPkgs-with-different-a.patch
+Patch5: 0005-Add-obsoletes-to-filtering-for-advisory-candidates.patch
+
BuildRequires: cmake
BuildRequires: gcc
@@ -307,6 +310,10 @@ popd
%endif
%changelog
+* Wed Aug 17 2022 Lukas Hrazky <lhrazky@redhat.com> - 0.65.0-5.1
+- advisory upgrade: filter out advPkgs with different arch
+- Add obsoletes to filtering for advisory candidates
+
* Mon Mar 21 2022 Marek Blaha <mblaha@redhat.com> - 0.65.0-5
- Update translations