diff --git a/.gitignore b/.gitignore
index 023cbee..ec7f53e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/mariadb-10.5.9.tar.gz
+SOURCES/mariadb-10.5.13-downstream_modified.tar.gz
diff --git a/.mariadb.metadata b/.mariadb.metadata
index 032702d..4f2d986 100644
--- a/.mariadb.metadata
+++ b/.mariadb.metadata
@@ -1 +1 @@
-73767fac3d1c504298259708272fb6a58e644967 SOURCES/mariadb-10.5.9.tar.gz
+ace36fe1a0ebba69b7cab359cb9a51c5b9fecbb4 SOURCES/mariadb-10.5.13-downstream_modified.tar.gz
diff --git a/SOURCES/README.wsrep_sst_rsync_tunnel b/SOURCES/README.wsrep_sst_rsync_tunnel
new file mode 100644
index 0000000..0222b34
--- /dev/null
+++ b/SOURCES/README.wsrep_sst_rsync_tunnel
@@ -0,0 +1,132 @@
+socat tunnel for encrypted rsync SST
+====================================
+
+`wsrep_sst_rsync_tunnel` is an extension of the rsync-based [SST](http://galeracluster.com/documentation-webpages/glossary.html#term-state-snapshot-transfer)
+implementation that ships with mariadb. Its purpose is to encrypt
+communication between the donor and the joiner during an SST.
+
+Encryption is implemented by means of a socat tunnel, using OPENSSL
+addresses. It can be configured via the regular openssl flags exposed
+by socat.
+
+
+## How to configure the script
+
+This SST script can configured by setting a few keys in your favorite
+mariadb option file in addition to the usual galera settings.
+
+    [mysqld]
+    ...
+    bind_address=<node-name>
+    wsrep_sst_method=rsync_tunnel
+    ...
+    
+    [sst]
+    tca=/path/to/your/ca-file.crt
+    tcert=/path/to/node/certificate.crt
+    tkey=/path/to/node/key.key
+    sockopt=<openssl-address-options-as-per-socat-manual>
+
+When a joiner node requests an SST, `wsrep_sst_rsync_tunnel` uses
+socat to listen to incoming SSL connections on port 4444 in lieu of
+the original rsync daemon. Received data will be forwarded to the
+rscynd daemon started locally to replicate the database.
+
+When a donor node serves the SST, `wsrep_sst_rsync_tunnel` makes
+a series of rsync calls that target a locally started socat daemon.
+The daemon tunnels all rsync traffic into an encrypted SSL connection
+that targets the joiner's end of the socat tunnel.
+
+Encryption parameters are specified under the `[sst]` group in the
+mariadb option file, where `tkey` and `tcert` are respectively the key
+and the certificate that are used by both sides of the socat tunnel.
+Each node typically has a different key and cert. Both key and
+certificate can be combined into a single PEM file and referenced by
+`tcert`. Option `tca` holds a list of the trusted signing
+certificates.
+
+In case you need to tweak the creation of the SSL connection, you can
+pass valid socat options (as per socat manual) via the `sockopt` key.
+For debugging purpose, the exact socat command that is being executed
+shows up in the mariadb log file.
+
+Note that socat verifies that the certificate's commonName matches
+that of the host that is being targeted. The target name comes from
+the value configured in `bind_address`, so it's important that it
+matches the certificate's commonName. An IP address can be used for
+`bind_address`, but you may get into trouble in case different
+hostnames resolve to the same IP (e.g. multiple networks per host).
+
+
+## Examples of use
+
+Suppose you're running a 3-node galera cluster
+`node1.my.cluster`, `node2.my.cluster`, `node3.my.cluster`.
+
+### Scenario: using self-signed certificates
+
+On each node, create a key and a certificate, and bundle them into a
+single PEM file. For instance on `node1.my.cluster`:
+
+    openssl genrsa -out /tls/mysql-$(hostname -f).key 2048
+    openssl req -new -key /tls/mysql-$(hostname -f).key -x509 -days 365000 -subj "/CN=$(hostname -f)" -out /tls/mysql-$(hostname -f).crt -batch
+    cat /tls/mysql-$(hostname -f).key /tls/mysql-$(hostname -f).crt > /tls/mysql.pem
+
+Then, on each node, create a cafile that will contain all the certs to
+trust:
+
+    for n in node1.my.cluster node2.my.cluster node3.my.cluster; do
+       ssh $n 'cat /tls/mysql-$(hostname -f).crt' >> /tls/all-mysql.crt
+    done
+
+Once you have those two files on each host, you can configure the SST
+appropriately. For instance from `/etc/my.cnf.d/galera.cnf`:
+
+    [mysqld]
+    ...
+    
+    [sst]
+    tca=/tls/all-mysql.crt
+    tcert=/tls/mysql.pem
+
+### Scenario: using self-signed certificates, without verification
+
+By default, when socat tries to establish a SSL connection to a peer,
+it also verifies that it can trust the peer's certificate. If for some
+reason you need to disable that feature, you can amend the previous
+configuration with a sockopt option:
+
+    [mysqld]
+    ...
+    
+    [sst]
+    tca=/tls/all-mysql.crt
+    tcert=/tls/mysql.pem
+    sockopt="verify=0"
+
+The associated sockopt value is passed to socat when
+the donor or the joiner configures his part of the tunnel.
+
+Note: please do not do so in production, this is inherently insecure
+as you will not verify the identity of the peer you're connecting to!
+
+### Scenario: using certificates from a CA
+
+Suppose you have a FreeIPA service which generated a key file and a
+certificate file for the three galera nodes, respectively located at
+/tls/mysql.key and /tls/mysql.crt.
+
+Assuming that the certificate for the FreeIPA server is available at
+/etc/ipa/ca.crt, you can configure you galera servers as follows:
+
+    [sst]
+    tca=/etc/ipa/ca.crt
+    tcert=/tls/mysql.crt
+    tkey=/tls/mysql.key
+
+## License
+
+Copyright © 2017 [Damien Ciabrini](https://github.com/dciabrin).
+This work is derived from the original `wsrep_rsync_sst`, copyright
+© 2010-2014 [Codership Oy](https://github.com/codership).
+Released under the GNU GPLv2.
diff --git a/SOURCES/mariadb-openssl3.patch b/SOURCES/mariadb-openssl3.patch
new file mode 100644
index 0000000..0b69969
--- /dev/null
+++ b/SOURCES/mariadb-openssl3.patch
@@ -0,0 +1,378 @@
+From c80991c79f701dac42c630af4bd39593b0c7efb4 Mon Sep 17 00:00:00 2001
+From: Vladislav Vaintroub <wlad@mariadb.com>
+Date: Mon, 8 Nov 2021 18:48:19 +0100
+Subject: [PATCH] MDEV-25785 Add support for OpenSSL 3.0
+
+Summary of changes
+
+- MD_CTX_SIZE is increased
+
+- EVP_CIPHER_CTX_buf_noconst(ctx) does not work anymore, points
+  to nobody knows where. The assumption made previously was that
+  (since the function does not seem to be documented)
+  was that it points to the last partial source block.
+  Add own partial block buffer for NOPAD encryption instead
+
+- SECLEVEL in CipherString in openssl.cnf
+  had been downgraded to 0, from 1, to make TLSv1.0 and TLSv1.1 possible
+
+- Workaround Ssl_cipher_list issue, it now returns TLSv1.3 ciphers,
+  in addition to what was set in --ssl-cipher
+
+- ctx_buf buffer now must be aligned to 16 bytes with openssl(
+  previously with WolfSSL only), ot crashes will happen
+
+- updated aes-t , to be better debuggable
+  using function, rather than a huge multiline macro
+  added test that does "nopad" encryption piece-wise, to test
+  replacement of EVP_CIPHER_CTX_buf_noconst
+---
+ cmake/ssl.cmake                   |  19 ++++-
+ include/ssl_compat.h              |   3 +-
+ mysql-test/lib/openssl.cnf        |   2 +-
+ mysql-test/main/ssl_cipher.result |   6 +-
+ mysql-test/main/ssl_cipher.test   |   2 +-
+ mysys_ssl/my_crypt.cc             |  46 +++++++-----
+ unittest/mysys/aes-t.c            | 121 ++++++++++++++++++++++--------
+ 7 files changed, 141 insertions(+), 58 deletions(-)
+
+
+diff -up mariadb-10.5.12-downstream_modified/cmake/ssl.cmake.patch16 mariadb-10.5.12-downstream_modified/cmake/ssl.cmake
+--- mariadb-10.5.12-downstream_modified/cmake/ssl.cmake.patch16	2021-08-03 10:29:07.000000000 +0200
++++ mariadb-10.5.12-downstream_modified/cmake/ssl.cmake	2021-11-18 16:58:41.552440737 +0100
+@@ -139,9 +139,20 @@ MACRO (MYSQL_CHECK_SSL)
+       SET(SSL_INTERNAL_INCLUDE_DIRS "")
+       SET(SSL_DEFINES "-DHAVE_OPENSSL")
+ 
++      FOREACH(x INCLUDES LIBRARIES DEFINITIONS)
++        SET(SAVE_CMAKE_REQUIRED_${x} ${CMAKE_REQUIRED_${x}})
++      ENDFOREACH()
++
++      # Silence "deprecated in OpenSSL 3.0"
++      IF((NOT OPENSSL_VERSION) # 3.0 not determined by older cmake
++         OR NOT(OPENSSL_VERSION VERSION_LESS "3.0.0"))
++        SET(SSL_DEFINES "${SSL_DEFINES} -DOPENSSL_API_COMPAT=0x10100000L")
++        SET(CMAKE_REQUIRED_DEFINITIONS -DOPENSSL_API_COMPAT=0x10100000L)
++      ENDIF()
++
+       SET(CMAKE_REQUIRED_INCLUDES ${OPENSSL_INCLUDE_DIR})
+       SET(CMAKE_REQUIRED_LIBRARIES ${SSL_LIBRARIES})
+-      SET(CMAKE_REQUIRED_INCLUDES ${OPENSSL_INCLUDE_DIR})
++
+       CHECK_SYMBOL_EXISTS(ERR_remove_thread_state "openssl/err.h"
+                           HAVE_ERR_remove_thread_state)
+       CHECK_SYMBOL_EXISTS(EVP_aes_128_ctr "openssl/evp.h"
+@@ -150,8 +161,10 @@ MACRO (MYSQL_CHECK_SSL)
+                           HAVE_EncryptAes128Gcm)
+       CHECK_SYMBOL_EXISTS(X509_check_host "openssl/x509v3.h"
+                           HAVE_X509_check_host)
+-      SET(CMAKE_REQUIRED_INCLUDES)
+-      SET(CMAKE_REQUIRED_LIBRARIES)
++
++      FOREACH(x INCLUDES LIBRARIES DEFINITIONS)
++        SET(CMAKE_REQUIRED_${x} ${SAVE_CMAKE_REQUIRED_${x}})
++      ENDFOREACH()
+     ELSE()
+       IF(WITH_SSL STREQUAL "system")
+         MESSAGE(FATAL_ERROR "Cannot find appropriate system libraries for SSL. Use WITH_SSL=bundled to enable SSL support")
+diff -up mariadb-10.5.12-downstream_modified/include/ssl_compat.h.patch16 mariadb-10.5.12-downstream_modified/include/ssl_compat.h
+--- mariadb-10.5.12-downstream_modified/include/ssl_compat.h.patch16	2021-08-03 10:29:07.000000000 +0200
++++ mariadb-10.5.12-downstream_modified/include/ssl_compat.h	2021-11-18 16:58:41.552440737 +0100
+@@ -24,7 +24,7 @@
+ #define SSL_LIBRARY OpenSSL_version(OPENSSL_VERSION)
+ #define ERR_remove_state(X) ERR_clear_error()
+ #define EVP_CIPHER_CTX_SIZE 176
+-#define EVP_MD_CTX_SIZE 48
++#define EVP_MD_CTX_SIZE 72
+ #undef EVP_MD_CTX_init
+ #define EVP_MD_CTX_init(X) do { memset((X), 0, EVP_MD_CTX_SIZE); EVP_MD_CTX_reset(X); } while(0)
+ #undef EVP_CIPHER_CTX_init
+@@ -74,7 +74,6 @@
+ #endif
+ 
+ #define DH_set0_pqg(D,P,Q,G)            ((D)->p= (P), (D)->g= (G))
+-#define EVP_CIPHER_CTX_buf_noconst(ctx) ((ctx)->buf)
+ #define EVP_CIPHER_CTX_encrypting(ctx)  ((ctx)->encrypt)
+ #define EVP_CIPHER_CTX_SIZE             sizeof(EVP_CIPHER_CTX)
+ 
+diff -up mariadb-10.5.12-downstream_modified/mysql-test/lib/openssl.cnf.patch16 mariadb-10.5.12-downstream_modified/mysql-test/lib/openssl.cnf
+--- mariadb-10.5.12-downstream_modified/mysql-test/lib/openssl.cnf.patch16	2021-08-03 10:29:07.000000000 +0200
++++ mariadb-10.5.12-downstream_modified/mysql-test/lib/openssl.cnf	2021-11-18 16:58:41.552440737 +0100
+@@ -9,4 +9,4 @@ ssl_conf = ssl_section
+ system_default = system_default_section
+ 
+ [system_default_section]
+-CipherString = ALL:@SECLEVEL=1
++CipherString = ALL:@SECLEVEL=0
+diff -up mariadb-10.5.12-downstream_modified/mysql-test/main/ssl_cipher.result.patch16 mariadb-10.5.12-downstream_modified/mysql-test/main/ssl_cipher.result
+--- mariadb-10.5.12-downstream_modified/mysql-test/main/ssl_cipher.result.patch16	2021-08-03 10:29:08.000000000 +0200
++++ mariadb-10.5.12-downstream_modified/mysql-test/main/ssl_cipher.result	2021-11-18 16:58:41.552440737 +0100
+@@ -61,8 +61,8 @@ connect  ssl_con,localhost,root,,,,,SSL;
+ SHOW STATUS LIKE 'Ssl_cipher';
+ Variable_name	Value
+ Ssl_cipher	AES128-SHA
+-SHOW STATUS LIKE 'Ssl_cipher_list';
+-Variable_name	Value
+-Ssl_cipher_list	AES128-SHA
++SELECT VARIABLE_VALUE like '%AES128-SHA%' FROM INFORMATION_SCHEMA.SESSION_STATUS WHERE VARIABLE_NAME='Ssl_cipher_list';
++VARIABLE_VALUE like '%AES128-SHA%'
++1
+ disconnect ssl_con;
+ connection default;
+diff -up mariadb-10.5.12-downstream_modified/mysql-test/main/ssl_cipher.test.patch16 mariadb-10.5.12-downstream_modified/mysql-test/main/ssl_cipher.test
+--- mariadb-10.5.12-downstream_modified/mysql-test/main/ssl_cipher.test.patch16	2021-11-18 16:58:41.552440737 +0100
++++ mariadb-10.5.12-downstream_modified/mysql-test/main/ssl_cipher.test	2021-11-18 17:00:47.753839711 +0100
+@@ -100,6 +100,6 @@ connect (ssl_con,localhost,root,,,,,SSL)
+ --replace_regex /TLS_AES_.*/AES128-SHA/
+ SHOW STATUS LIKE 'Ssl_cipher';
+ --replace_regex /TLS_AES_.*/AES128-SHA/
+-SHOW STATUS LIKE 'Ssl_cipher_list';
++SELECT VARIABLE_VALUE like '%AES128-SHA%' FROM INFORMATION_SCHEMA.SESSION_STATUS WHERE VARIABLE_NAME='Ssl_cipher_list';
+ disconnect ssl_con;
+ connection default;
+diff -up mariadb-10.5.12-downstream_modified/mysys_ssl/my_crypt.cc.patch16 mariadb-10.5.12-downstream_modified/mysys_ssl/my_crypt.cc
+--- mariadb-10.5.12-downstream_modified/mysys_ssl/my_crypt.cc.patch16	2021-08-03 10:29:08.000000000 +0200
++++ mariadb-10.5.12-downstream_modified/mysys_ssl/my_crypt.cc	2021-11-18 16:58:41.552440737 +0100
+@@ -29,11 +29,7 @@
+ #include <ssl_compat.h>
+ #include <cstdint>
+ 
+-#ifdef HAVE_WOLFSSL
+ #define CTX_ALIGN 16
+-#else
+-#define CTX_ALIGN 0
+-#endif
+ 
+ class MyCTX
+ {
+@@ -100,8 +96,9 @@ class MyCTX_nopad : public MyCTX
+ {
+ public:
+   const uchar *key;
+-  uint klen, buf_len;
++  uint klen, source_tail_len;
+   uchar oiv[MY_AES_BLOCK_SIZE];
++  uchar source_tail[MY_AES_BLOCK_SIZE];
+ 
+   MyCTX_nopad() : MyCTX() { }
+   ~MyCTX_nopad() { }
+@@ -112,7 +109,7 @@ public:
+     compile_time_assert(MY_AES_CTX_SIZE >= sizeof(MyCTX_nopad));
+     this->key= key;
+     this->klen= klen;
+-    this->buf_len= 0;
++    this->source_tail_len= 0;
+     if (ivlen)
+       memcpy(oiv, iv, ivlen);
+     DBUG_ASSERT(ivlen == 0 || ivlen == sizeof(oiv));
+@@ -123,26 +120,41 @@ public:
+     return res;
+   }
+ 
++  /** Update last partial source block, stored in source_tail array. */
++  void update_source_tail(const uchar* src, uint slen)
++  {
++    if (!slen)
++      return;
++    uint new_tail_len= (source_tail_len + slen) % MY_AES_BLOCK_SIZE;
++    if (new_tail_len)
++    {
++      if (slen + source_tail_len < MY_AES_BLOCK_SIZE)
++      {
++        memcpy(source_tail + source_tail_len, src, slen);
++      }
++      else
++      {
++        DBUG_ASSERT(slen > new_tail_len);
++        memcpy(source_tail, src + slen - new_tail_len, new_tail_len);
++      }
++    }
++    source_tail_len= new_tail_len;
++  }
++
+   int update(const uchar *src, uint slen, uchar *dst, uint *dlen)
+   {
+-    buf_len+= slen;
++    update_source_tail(src, slen);
+     return MyCTX::update(src, slen, dst, dlen);
+   }
+ 
+   int finish(uchar *dst, uint *dlen)
+   {
+-    buf_len %= MY_AES_BLOCK_SIZE;
+-    if (buf_len)
++    if (source_tail_len)
+     {
+-      uchar *buf= EVP_CIPHER_CTX_buf_noconst(ctx);
+       /*
+         Not much we can do, block ciphers cannot encrypt data that aren't
+         a multiple of the block length. At least not without padding.
+         Let's do something CTR-like for the last partial block.
+-
+-        NOTE this assumes that there are only buf_len bytes in the buf.
+-        If OpenSSL will change that, we'll need to change the implementation
+-        of this class too.
+       */
+       uchar mask[MY_AES_BLOCK_SIZE];
+       uint mlen;
+@@ -154,10 +166,10 @@ public:
+         return rc;
+       DBUG_ASSERT(mlen == sizeof(mask));
+ 
+-      for (uint i=0; i < buf_len; i++)
+-        dst[i]= buf[i] ^ mask[i];
++      for (uint i=0; i < source_tail_len; i++)
++        dst[i]= source_tail[i] ^ mask[i];
+     }
+-    *dlen= buf_len;
++    *dlen= source_tail_len;
+     return MY_AES_OK;
+   }
+ };
+diff -up mariadb-10.5.12-downstream_modified/unittest/mysys/aes-t.c.patch16 mariadb-10.5.12-downstream_modified/unittest/mysys/aes-t.c
+--- mariadb-10.5.12-downstream_modified/unittest/mysys/aes-t.c.patch16	2021-08-03 10:29:10.000000000 +0200
++++ mariadb-10.5.12-downstream_modified/unittest/mysys/aes-t.c	2021-11-18 16:58:41.553440740 +0100
+@@ -21,27 +21,96 @@
+ #include <string.h>
+ #include <ctype.h>
+ 
+-#define DO_TEST(mode, nopad, slen, fill, dlen, hash)                    \
+-  SKIP_BLOCK_IF(mode == 0xDEADBEAF, nopad ? 4 : 5, #mode " not supported")     \
+-  {                                                                     \
+-    memset(src, fill, src_len= slen);                                   \
+-    ok(my_aes_crypt(mode, nopad | ENCRYPTION_FLAG_ENCRYPT,              \
+-                    src, src_len, dst, &dst_len,                        \
+-                    key, sizeof(key), iv, sizeof(iv)) == MY_AES_OK,     \
+-      "encrypt " #mode " %u %s", src_len, nopad ? "nopad" : "pad");     \
+-    if (!nopad)                                                         \
+-      ok (dst_len == my_aes_get_size(mode, src_len), "my_aes_get_size");\
+-    my_md5(md5, (char*)dst, dst_len);                                   \
+-    ok(dst_len == dlen && memcmp(md5, hash, sizeof(md5)) == 0, "md5");  \
+-    ok(my_aes_crypt(mode, nopad | ENCRYPTION_FLAG_DECRYPT,              \
+-                    dst, dst_len, ddst, &ddst_len,                      \
+-                    key, sizeof(key), iv, sizeof(iv)) == MY_AES_OK,     \
+-       "decrypt " #mode " %u", dst_len);                                \
+-    ok(ddst_len == src_len && memcmp(src, ddst, src_len) == 0, "memcmp"); \
++
++/** Test streaming encryption, bytewise update.*/
++static int aes_crypt_bytewise(enum my_aes_mode mode, int flags, const unsigned char *src,
++                 unsigned int slen, unsigned char *dst, unsigned int *dlen,
++                 const unsigned char *key, unsigned int klen,
++                 const unsigned char *iv, unsigned int ivlen)
++{
++  /* Allocate context on odd address on stack, in order to
++   catch misalignment errors.*/
++  void *ctx= (char *)alloca(MY_AES_CTX_SIZE+1)+1;
++
++  int res1, res2;
++  uint d1= 0, d2;
++  uint i;
++
++  if ((res1= my_aes_crypt_init(ctx, mode, flags, key, klen, iv, ivlen)))
++    return res1;
++  for (i= 0; i < slen; i++)
++  {
++    uint tmp_d1=0;
++    res1= my_aes_crypt_update(ctx, src+i,1, dst, &tmp_d1);
++    if (res1)
++      return res1;
++    d1+= tmp_d1;
++    dst+= tmp_d1;
++  }
++  res2= my_aes_crypt_finish(ctx, dst, &d2);
++  *dlen= d1 + d2;
++  return res1 ? res1 : res2;
++}
++
++
++#ifndef HAVE_EncryptAes128Ctr
++const uint MY_AES_CTR=0xDEADBEAF;
++#endif
++#ifndef HAVE_EncryptAes128Gcm
++const uint MY_AES_GCM=0xDEADBEAF;
++#endif
++
++#define MY_AES_UNSUPPORTED(x)  (x == 0xDEADBEAF)
++
++static void do_test(uint mode, const char *mode_str, int nopad, uint slen,
++                    char fill, size_t dlen, const char *hash)
++{
++  uchar key[16]= {1, 2, 3, 4, 5, 6, 7, 8, 9, 0, 1, 2, 3, 4, 5, 6};
++  uchar iv[16]= {2, 3, 4, 5, 6, 7, 8, 9, 0, 1, 2, 3, 4, 5, 6, 7};
++  uchar src[1000], dst[1100], dst2[1100], ddst[1000];
++  uchar md5[MY_MD5_HASH_SIZE];
++  uint src_len, dst_len, dst_len2, ddst_len;
++  int result;
++
++  if (MY_AES_UNSUPPORTED(mode))
++  {
++    skip(nopad?7:6, "%s not supported", mode_str);
++    return;
++  }
++  memset(src, fill, src_len= slen);
++  result= my_aes_crypt(mode, nopad | ENCRYPTION_FLAG_ENCRYPT, src, src_len,
++                       dst, &dst_len, key, sizeof(key), iv, sizeof(iv));
++  ok(result == MY_AES_OK, "encrypt %s %u %s", mode_str, src_len,
++     nopad ? "nopad" : "pad");
++
++  if (nopad)
++  {
++    result= aes_crypt_bytewise(mode, nopad | ENCRYPTION_FLAG_ENCRYPT, src,
++                                src_len, dst2, &dst_len2, key, sizeof(key),
++                                iv, sizeof(iv));
++    ok(result == MY_AES_OK, "encrypt bytewise %s %u", mode_str, src_len);
++    /* Compare with non-bytewise encryption result*/
++    ok(dst_len == dst_len2 && memcmp(dst, dst2, dst_len) == 0,
++       "memcmp bytewise  %s %u", mode_str, src_len);
+   }
++  else
++  {
++    int dst_len_real= my_aes_get_size(mode, src_len);
++    ok(dst_len_real= dst_len, "my_aes_get_size");
++  }
++  my_md5(md5, (char *) dst, dst_len);
++  ok(dst_len == dlen, "md5 len");
++  ok(memcmp(md5, hash, sizeof(md5)) == 0, "md5");
++  result= my_aes_crypt(mode, nopad | ENCRYPTION_FLAG_DECRYPT,
++                       dst, dst_len, ddst, &ddst_len, key, sizeof(key), iv,
++                       sizeof(iv));
++
++  ok(result == MY_AES_OK, "decrypt %s %u", mode_str, dst_len);
++  ok(ddst_len == src_len && memcmp(src, ddst, src_len) == 0, "memcmp");
++}
+ 
+-#define DO_TEST_P(M,S,F,D,H) DO_TEST(M,0,S,F,D,H)
+-#define DO_TEST_N(M,S,F,D,H) DO_TEST(M,ENCRYPTION_FLAG_NOPAD,S,F,D,H)
++#define DO_TEST_P(M, S, F, D, H) do_test(M, #M, 0, S, F, D, H)
++#define DO_TEST_N(M, S, F, D, H) do_test(M, #M, ENCRYPTION_FLAG_NOPAD, S, F, D, H)
+ 
+ /* useful macro for debugging */
+ #define PRINT_MD5()                                     \
+@@ -53,25 +122,15 @@
+     printf("\"\n");                                     \
+   } while(0);
+ 
+-#ifndef HAVE_EncryptAes128Ctr
+-const uint MY_AES_CTR=0xDEADBEAF;
+-#endif
+-#ifndef HAVE_EncryptAes128Gcm
+-const uint MY_AES_GCM=0xDEADBEAF;
+-#endif
+ 
+ int
+ main(int argc __attribute__((unused)),char *argv[])
+ {
+-  uchar key[16]= {1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6};
+-  uchar iv[16]=  {2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7};
+-  uchar src[1000], dst[1100], ddst[1000];
+-  uchar md5[MY_MD5_HASH_SIZE];
+-  uint src_len, dst_len, ddst_len;
+ 
+   MY_INIT(argv[0]);
+ 
+-  plan(87);
++  plan(122);
++
+   DO_TEST_P(MY_AES_ECB, 200, '.', 208, "\xd8\x73\x8e\x3a\xbc\x66\x99\x13\x7f\x90\x23\x52\xee\x97\x6f\x9a");
+   DO_TEST_P(MY_AES_ECB, 128, '?', 144, "\x19\x58\x33\x85\x4c\xaa\x7f\x06\xd1\xb2\xec\xd7\xb7\x6a\xa9\x5b");
+   DO_TEST_P(MY_AES_CBC, 159, '%', 160, "\x4b\x03\x18\x3d\xf1\xa7\xcd\xa1\x46\xb3\xc6\x8a\x92\xc0\x0f\xc9");
diff --git a/SOURCES/rh-skipped-tests-base.list b/SOURCES/rh-skipped-tests-base.list
index 40d5384..30c8097 100644
--- a/SOURCES/rh-skipped-tests-base.list
+++ b/SOURCES/rh-skipped-tests-base.list
@@ -58,3 +58,7 @@ main.myisampack                              :
 
 # Fails everywhere in 10.5.8
 rpl.rpl_innodb_mixed_dml                     :
+
+# Since 10.5.10
+sys_vars.tcp_nodelay                         :
+innodb.restart                               :
diff --git a/SOURCES/rh-skipped-tests-ppc.list b/SOURCES/rh-skipped-tests-ppc.list
index ceff217..f51ee05 100644
--- a/SOURCES/rh-skipped-tests-ppc.list
+++ b/SOURCES/rh-skipped-tests-ppc.list
@@ -1,2 +1,11 @@
 # Fails on ppc64le since 10.4.12
 oqgraph.social : 
+
+# Fails since 10.5.13
+encryption.create_or_replace_big : 
+rpl.rpl_parallel_optimistic_xa_lsu_off : 
+rpl.rpl_parallel_optimistic_xa : 
+innodb.innodb_defrag_concurrent : 
+rpl.rpl_parallel_xa_same_xid : 
+parts.part_supported_sql_func_innodb : 
+parts.partition_alter2_1_1_innodb : 
diff --git a/SOURCES/upstream_5cc2096f93b7f130b36f8bc0fc43440db9a848e4.patch b/SOURCES/upstream_5cc2096f93b7f130b36f8bc0fc43440db9a848e4.patch
index f1c2f19..0f104ea 100644
--- a/SOURCES/upstream_5cc2096f93b7f130b36f8bc0fc43440db9a848e4.patch
+++ b/SOURCES/upstream_5cc2096f93b7f130b36f8bc0fc43440db9a848e4.patch
@@ -297,19 +297,6 @@ index 2001efae3929..6b4d758a5131 100644
  		    $opt_user,
  		    $opt_password,
  		    { PrintError => 0})
-diff --git a/scripts/mysql_setpermission.sh b/scripts/mysql_setpermission.sh
-index 71462d286229..66decbd69af7 100644
---- a/scripts/mysql_setpermission.sh
-+++ b/scripts/mysql_setpermission.sh
-@@ -86,7 +86,7 @@ if ($opt_password eq '')
- 
- 
- # make the connection to MariaDB
--$dbh= DBI->connect("DBI:mysql:mysql:host=$sqlhost:port=$opt_port:mysql_socket=$opt_socket",$opt_user,$opt_password, {PrintError => 0}) ||
-+$dbh= DBI->connect("DBI:MariaDB:mysql:host=$sqlhost:port=$opt_port:mariadb_socket=$opt_socket",$opt_user,$opt_password, {PrintError => 0}) ||
-   die("Can't make a connection to the mysql server.\n The error: $DBI::errstr");
- 
- # the start of the program
 diff --git a/scripts/mysqlhotcopy.sh b/scripts/mysqlhotcopy.sh
 index c56cdea470c0..94e577a94a7f 100644
 --- a/scripts/mysqlhotcopy.sh
@@ -339,33 +326,6 @@ index c56cdea470c0..94e577a94a7f 100644
  	    ($master_host, $log_file, $log_pos ) 
  	      = @{$row_hash}{ qw / Master_Host Log_File Pos / };
  	} else {
-diff --git a/scripts/mytop.sh b/scripts/mytop.sh
-index 3ef0a59f27f7..1c4d7a502f51 100644
---- a/scripts/mytop.sh
-+++ b/scripts/mytop.sh
-@@ -230,11 +230,11 @@ my $dsn;
- 
- ## Socket takes precedence.
- 
--$dsn ="DBI:mysql:database=$config{db};mysql_read_default_group=mytop;";
-+$dsn ="DBI:MariaDB:database=$config{db};mariadb_read_default_group=mytop;";
- 
- if ($config{socket} and -S $config{socket})
- {
--    $dsn .= "mysql_socket=$config{socket}";
-+    $dsn .= "mariadb_socket=$config{socket}";
- }
- else
- {
-@@ -1877,7 +1877,7 @@ following:
- 
-   * Perl 5.005 or newer
-   * Getopt::Long
--  * DBI and DBD::mysql
-+  * DBI and DBD::MariaDB
-   * Term::ReadKey from CPAN
- 
- Most systems are likely to have all of those installed--except for
 diff --git a/sql-bench/server-cfg.sh b/sql-bench/server-cfg.sh
 index 3991d16c6b18..6ef39c4d91f8 100644
 --- a/sql-bench/server-cfg.sh
@@ -781,28 +741,6 @@ index c844d2908345..a2b465734dc5 100644
  		      $opt_user, $opt_password,
  		    { PrintError => 0}) || die $DBI::errstr;
  
-diff --git a/tests/grant.pl b/tests/grant.pl
-index cd6516433166..f8cdc1af4d55 100755
---- a/tests/grant.pl
-+++ b/tests/grant.pl
-@@ -60,7 +60,7 @@
- # clear grant tables
- #
- 
--$dbh = DBI->connect("DBI:mysql:mysql:$opt_host",
-+$dbh = DBI->connect("DBI:MariaDB:mysql:$opt_host",
- 		    $opt_root_user,$opt_password,
- 		    { PrintError => 0}) || die "Can't connect to mysql server with user '$opt_root_user': $DBI::errstr\n";
- 
-@@ -653,7 +653,7 @@ sub user_connect
-   print "Connecting $opt_user\n" if ($opt_verbose);
-   $user_dbh->disconnect if (defined($user_dbh));
- 
--  $user_dbh=DBI->connect("DBI:mysql:$opt_database:$opt_host",$opt_user,
-+  $user_dbh=DBI->connect("DBI:MariaDB:$opt_database:$opt_host",$opt_user,
- 			 $password, { PrintError => 0});
-   if (!$user_dbh)
-   {
 diff --git a/tests/index_corrupt.pl b/tests/index_corrupt.pl
 index 6b04ce8a59c5..6f31b85bd614 100755
 --- a/tests/index_corrupt.pl
diff --git a/SOURCES/wsrep_sst_rsync_tunnel b/SOURCES/wsrep_sst_rsync_tunnel
new file mode 100644
index 0000000..f537249
--- /dev/null
+++ b/SOURCES/wsrep_sst_rsync_tunnel
@@ -0,0 +1,492 @@
+#!/bin/bash -ue
+
+# Copyright (C) 2010-2014 Codership Oy
+# Copyright (C) 2017-2020 Damien Ciabrini <damien.ciabrini@gmail.com>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; see the file COPYING. If not, write to the
+# Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston
+# MA  02110-1301  USA.
+
+# This is a reference script for rsync-based state snapshot tansfer
+# over an encrypted communication channel, managed by socat
+
+RSYNC_PID=                                      # rsync pid file
+RSYNC_CONF=                                     # rsync configuration file
+RSYNC_REAL_PID=                                 # rsync process id
+
+SOCAT_PID=                                      # socat pid file
+SOCAT_REAL_PID=                                 # socat process id
+
+SOCAT_OPTS=                                     # openssl connection args
+
+MODULE="rsync_tunnel_sst"
+
+OS=$(uname)
+[ "$OS" == "Darwin" ] && export -n LD_LIBRARY_PATH
+
+# Setting the path for lsof on CentOS
+export PATH="/usr/sbin:/sbin:$PATH"
+
+. $(dirname $0)/wsrep_sst_common
+
+wsrep_check_programs rsync socat
+
+cleanup_pid()
+{
+    local real_pid=$1
+    [ "0" != "$real_pid" ]            && \
+    kill $real_pid                    && \
+    sleep 0.5                         && \
+    kill -9 $real_pid >/dev/null 2>&1 || \
+    :
+}
+
+cleanup_tunnel()
+{
+    if [ -n "$SOCAT_REAL_PID" ] && ps -p "$SOCAT_REAL_PID" >/dev/null 2>&1; then
+	wsrep_log_info "cleanup socat PID: $SOCAT_REAL_PID"
+	cleanup_pid $SOCAT_REAL_PID
+    fi
+    rm -rf "$SOCAT_PID"
+}
+
+cleanup_joiner()
+{
+    wsrep_log_info "Joiner cleanup. rsync PID: $RSYNC_REAL_PID"
+    [ -n "$RSYNC_REAL_PID" ] && cleanup_pid $RSYNC_REAL_PID
+    rm -rf "$RSYNC_CONF"
+    rm -rf "$MAGIC_FILE"
+    rm -rf "$RSYNC_PID"
+
+    cleanup_tunnel
+
+    wsrep_log_info "Joiner cleanup done."
+    if [ "${WSREP_SST_OPT_ROLE}" = "joiner" ];then
+        wsrep_cleanup_progress_file
+    fi
+}
+
+# Check whether process is still running.
+check_pid()
+{
+    local pid_file=$1
+    [ -r "$pid_file" ] && ps -p $(cat $pid_file) >/dev/null 2>&1
+}
+
+check_pid_and_port()
+{
+    local pid_file=$1
+    local service_pid=$2
+    local service_port=$3
+    local service_host=$4
+    local service_name=$5
+
+    if ! which lsof > /dev/null; then
+      wsrep_log_error "lsof tool not found in PATH! Make sure you have it installed."
+      exit 2 # ENOENT
+    fi
+
+    local port_info=$(lsof -i "@"$service_host:$service_port -Pn 2>/dev/null | \
+        grep "(LISTEN)")
+    local is_service=$(echo $port_info | \
+        grep -w '^'"$service_name"'[[:space:]]\+'"$service_pid" 2>/dev/null)
+
+    if [ -n "$port_info" -a -z "$is_service" ]; then
+        wsrep_log_error "$service_name daemon port '$service_port' has been taken"
+        exit 16 # EBUSY
+    fi
+
+    if ! check_pid $pid_file; then
+        wsrep_log_error "$service_name process terminated unexpectedly"
+        exit 10 # ECHILD
+    fi
+
+    [ -n "$port_info" ] && [ -n "$is_service" ] && \
+        [ $(cat $pid_file) -eq $service_pid ]
+}
+
+config_from_cnf()
+{
+    local group=$1
+    local key=$2
+    echo $($MY_PRINT_DEFAULTS $group | grep -- "--$key=" | cut -d= -f2- | tail -1)
+}
+
+setup_tunnel_args()
+{
+    tca=$(config_from_cnf sst tca)
+    tkey=$(config_from_cnf sst tkey)
+    tcert=$(config_from_cnf sst tcert)
+    sockopt=$(config_from_cnf sst sockopt)
+
+    if [ -z "$tcert" ]; then
+        wsrep_log_error "Encryption certificate not found in my.cnf"
+        exit 3
+    else
+        SOCAT_OPTS="cert=$tcert"
+    fi
+    [ -n "$tkey" ] && SOCAT_OPTS="$SOCAT_OPTS,key=$tkey"
+    [ -n "$tca" ] && SOCAT_OPTS="$SOCAT_OPTS,cafile=$tca"
+    wsrep_log_info "Encryption setting to be used for socat tunnel: $SOCAT_OPTS"
+
+    [ -n "$sockopt" ] && SOCAT_OPTS="$SOCAT_OPTS,$sockopt"
+}
+
+MAGIC_FILE="$WSREP_SST_OPT_DATA/rsync_tunnel_sst_complete"
+rm -rf "$MAGIC_FILE"
+
+BINLOG_TAR_FILE="$WSREP_SST_OPT_DATA/wsrep_sst_binlog.tar"
+BINLOG_N_FILES=1
+rm -f "$BINLOG_TAR_FILE" || :
+
+if ! [ -z $WSREP_SST_OPT_BINLOG ]
+then
+    BINLOG_DIRNAME=$(dirname $WSREP_SST_OPT_BINLOG)
+    BINLOG_FILENAME=$(basename $WSREP_SST_OPT_BINLOG)
+fi
+
+WSREP_LOG_DIR=${WSREP_LOG_DIR:-""}
+# if WSREP_LOG_DIR env. variable is not set, try to get it from my.cnf
+if [ -z "$WSREP_LOG_DIR" ]; then
+    WSREP_LOG_DIR=$($MY_PRINT_DEFAULTS --mysqld \
+                    | grep -- '--innodb[-_]log[-_]group[-_]home[-_]dir=' \
+                    | cut -b 29- )
+fi
+
+if [ -n "$WSREP_LOG_DIR" ]; then
+    # handle both relative and absolute paths
+    WSREP_LOG_DIR=$(cd $WSREP_SST_OPT_DATA; mkdir -p "$WSREP_LOG_DIR"; cd $WSREP_LOG_DIR; pwd -P)
+else
+    # default to datadir
+    WSREP_LOG_DIR=$(cd $WSREP_SST_OPT_DATA; pwd -P)
+fi
+
+# Old filter - include everything except selected
+# FILTER=(--exclude '*.err' --exclude '*.pid' --exclude '*.sock' \
+#         --exclude '*.conf' --exclude core --exclude 'galera.*' \
+#         --exclude grastate.txt --exclude '*.pem' \
+#         --exclude '*.[0-9][0-9][0-9][0-9][0-9][0-9]' --exclude '*.index')
+
+# New filter - exclude everything except dirs (schemas) and innodb files
+FILTER=(-f '- /lost+found' -f '- /.fseventsd' -f '- /.Trashes'
+        -f '+ /wsrep_sst_binlog.tar' -f '+ /ib_lru_dump' -f '+ /ibdata*' -f '+ /*/' -f '- /*')
+
+SOCAT_PID="$WSREP_SST_OPT_DATA/$MODULE-socat.pid"
+
+if check_pid $SOCAT_PID
+then
+    wsrep_log_error "socat tunnel already running."
+    exit 114 # EALREADY
+fi
+rm -rf "$SOCAT_PID"
+
+setup_tunnel_args
+
+if [ "$WSREP_SST_OPT_ROLE" = "donor" ]
+then
+
+    SOCAT_JOINER_ADDR=$(echo $WSREP_SST_OPT_ADDR | awk -F'/' '{print $1}')
+    # map to name in case we received an IP
+    SOCAT_JOINER_HOST=$(getent hosts $SOCAT_JOINER_ADDR | awk '{ print $2 }')
+    if [ -z "$SOCAT_JOINER_HOST" ]; then
+        SOCAT_JOINER_HOST=$SOCAT_JOINER_ADDR
+    fi
+    SOCAT_PORT=$(echo $SOCAT_JOINER_ADDR | awk -F ':' '{ print $2 }')
+    if [ -z "$SOCAT_PORT" ]
+    then
+        SOCAT_PORT=4444
+    fi
+    TARGET_ADDR=localhost:$SOCAT_PORT/$MODULE
+
+    trap cleanup_tunnel EXIT
+
+    # Socat forwards rsync connections to the joiner
+    SOCAT_SRC=tcp-listen:$SOCAT_PORT,bind=localhost,reuseaddr,fork
+    SOCAT_DST=openssl:$SOCAT_JOINER_HOST,$SOCAT_OPTS
+    wsrep_log_info "Setting up tunnel for donor: socat $SOCAT_SRC $SOCAT_DST"
+    socat $SOCAT_SRC $SOCAT_DST &
+    SOCAT_REAL_PID=$!
+    # This is ok because a local galera node doesn't run SST concurrently
+    echo $SOCAT_REAL_PID >"$SOCAT_PID"
+    until check_pid_and_port $SOCAT_PID $SOCAT_REAL_PID $SOCAT_PORT localhost "socat"
+    do
+        sleep 0.2
+    done
+
+    if [ $WSREP_SST_OPT_BYPASS -eq 0 ]
+    then
+
+        FLUSHED="$WSREP_SST_OPT_DATA/tables_flushed"
+        ERROR="$WSREP_SST_OPT_DATA/sst_error"
+
+        rm -rf "$FLUSHED"
+        rm -rf "$ERROR"
+
+        # Use deltaxfer only for WAN
+        inv=$(basename $0)
+        [ "$inv" = "wsrep_sst_rsync_wan" ] && WHOLE_FILE_OPT="" \
+                                           || WHOLE_FILE_OPT="--whole-file"
+
+        echo "flush tables"
+
+        # Wait for :
+        # (a) Tables to be flushed, AND
+        # (b) Cluster state ID & wsrep_gtid_domain_id to be written to the file, OR
+        # (c) ERROR file, in case flush tables operation failed.
+
+        while [ ! -r "$FLUSHED" ] && ! grep -q ':' "$FLUSHED" >/dev/null 2>&1
+        do
+            # Check whether ERROR file exists.
+            if [ -f "$ERROR" ]
+            then
+                # Flush tables operation failed.
+                rm -rf "$ERROR"
+                exit 255
+            fi
+
+            sleep 0.2
+        done
+
+        STATE="$(cat $FLUSHED)"
+        rm -rf "$FLUSHED"
+
+        sync
+
+        if ! [ -z $WSREP_SST_OPT_BINLOG ]
+        then
+            # Prepare binlog files
+            pushd $BINLOG_DIRNAME &> /dev/null
+            binlog_files_full=$(tail -n $BINLOG_N_FILES ${BINLOG_FILENAME}.index)
+            binlog_files=""
+            for ii in $binlog_files_full
+            do
+                binlog_files="$binlog_files $(basename $ii)"
+            done
+            if ! [ -z "$binlog_files" ]
+            then
+                wsrep_log_info "Preparing binlog files for transfer:"
+                tar -cvf $BINLOG_TAR_FILE $binlog_files >&2
+            fi
+            popd &> /dev/null
+        fi
+
+        # first, the normal directories, so that we can detect incompatible protocol
+        RC=0
+        rsync --owner --group --perms --links --specials \
+              --ignore-times --inplace --dirs --delete --quiet \
+              $WHOLE_FILE_OPT "${FILTER[@]}" "$WSREP_SST_OPT_DATA/" \
+              rsync://$TARGET_ADDR >&2 || RC=$?
+
+        if [ "$RC" -ne 0 ]; then
+            wsrep_log_error "rsync returned code $RC:"
+
+            case $RC in
+            12) RC=71  # EPROTO
+                wsrep_log_error \
+                "rsync server on the other end has incompatible protocol. " \
+                "Make sure you have the same version of rsync on all nodes."
+                ;;
+            22) RC=12  # ENOMEM
+                ;;
+            *)  RC=255 # unknown error
+                ;;
+            esac
+            exit $RC
+        fi
+
+        # second, we transfer InnoDB log files
+        rsync --owner --group --perms --links --specials \
+              --ignore-times --inplace --dirs --delete --quiet \
+              $WHOLE_FILE_OPT -f '+ /ib_logfile[0-9]*' -f '- **' "$WSREP_LOG_DIR/" \
+              rsync://$TARGET_ADDR-log_dir >&2 || RC=$?
+
+        if [ $RC -ne 0 ]; then
+            wsrep_log_error "rsync innodb_log_group_home_dir returned code $RC:"
+            exit 255 # unknown error
+        fi
+
+        # then, we parallelize the transfer of database directories, use . so that pathconcatenation works
+        pushd "$WSREP_SST_OPT_DATA" >/dev/null
+
+        count=1
+        [ "$OS" == "Linux" ] && count=$(grep -c processor /proc/cpuinfo)
+        [ "$OS" == "Darwin" -o "$OS" == "FreeBSD" ] && count=$(sysctl -n hw.ncpu)
+
+        find . -maxdepth 1 -mindepth 1 -type d -not -name "lost+found" -print0 | \
+             xargs -I{} -0 -P $count \
+             rsync --owner --group --perms --links --specials \
+             --ignore-times --inplace --recursive --delete --quiet \
+             $WHOLE_FILE_OPT --exclude '*/ib_logfile*' "$WSREP_SST_OPT_DATA"/{}/ \
+             rsync://$TARGET_ADDR/{} >&2 || RC=$?
+
+        popd >/dev/null
+
+        if [ $RC -ne 0 ]; then
+            wsrep_log_error "find/rsync returned code $RC:"
+            exit 255 # unknown error
+        fi
+
+    else # BYPASS
+        wsrep_log_info "Bypassing state dump."
+
+        # Store donor's wsrep GTID (state ID) and wsrep_gtid_domain_id
+        # (separated by a space).
+        STATE="$WSREP_SST_OPT_GTID $WSREP_SST_OPT_GTID_DOMAIN_ID"
+    fi
+
+    echo "continue" # now server can resume updating data
+
+    echo "$STATE" > "$MAGIC_FILE"
+    rsync --archive --quiet --checksum "$MAGIC_FILE" rsync://$TARGET_ADDR
+
+    # to avoid cleanup race, stop tunnel before declaring the SST finished.
+    # This ensures galera won't start a new SST locally before we exit.
+    cleanup_tunnel
+
+    echo "done $STATE"
+
+elif [ "$WSREP_SST_OPT_ROLE" = "joiner" ]
+then
+    wsrep_check_programs lsof socat
+
+    touch $SST_PROGRESS_FILE
+    MYSQLD_PID=$WSREP_SST_OPT_PARENT
+
+    RSYNC_PID="$WSREP_SST_OPT_DATA/$MODULE.pid"
+
+    if check_pid $RSYNC_PID
+    then
+        wsrep_log_error "rsync daemon already running."
+        exit 114 # EALREADY
+    fi
+    rm -rf "$RSYNC_PID"
+
+    ADDR=$WSREP_SST_OPT_ADDR
+    RSYNC_PORT=$(echo $ADDR | awk -F ':' '{ print $2 }')
+    if [ -z "$RSYNC_PORT" ]
+    then
+        RSYNC_PORT=4444
+        ADDR="$(echo $ADDR | awk -F ':' '{ print $1 }'):$RSYNC_PORT"
+    fi
+
+    SOCAT_ADDR=$(echo $ADDR | awk -F ':' '{ print $1 }')
+    # map to name in case we received an IP
+    SOCAT_HOST=$(getent hosts $SOCAT_ADDR | awk '{ print $2 }')
+    if [ -z "$SOCAT_HOST" ]; then
+        SOCAT_HOST=$SOCAT_ADDR
+    fi
+    SOCAT_PORT=$RSYNC_PORT
+
+    trap "exit 32" HUP PIPE
+    trap "exit 3"  INT TERM ABRT
+    trap cleanup_joiner EXIT
+
+    RSYNC_CONF="$WSREP_SST_OPT_DATA/$MODULE.conf"
+
+    if [ -n "${MYSQL_TMP_DIR:-}" ] ; then
+      SILENT="log file = $MYSQL_TMP_DIR/rsynd.log"
+    else
+      SILENT=""
+    fi
+
+cat << EOF > "$RSYNC_CONF"
+pid file = $RSYNC_PID
+use chroot = no
+read only = no
+timeout = 300
+$SILENT
+[$MODULE]
+    path = $WSREP_SST_OPT_DATA
+[$MODULE-log_dir]
+    path = $WSREP_LOG_DIR
+EOF
+
+#    rm -rf "$DATA"/ib_logfile* # we don't want old logs around
+
+    # Socat receives rsync connections from the donor
+    SOCAT_SRC=openssl-listen:$SOCAT_PORT,bind=$SOCAT_HOST,reuseaddr,fork,$SOCAT_OPTS
+    SOCAT_DST=tcp:localhost:$RSYNC_PORT
+    wsrep_log_info "Setting up tunnel for joiner: socat $SOCAT_SRC $SOCAT_DST"
+    socat $SOCAT_SRC $SOCAT_DST &
+    SOCAT_REAL_PID=$!
+    # This is ok because a local galera node doesn't run SST concurrently
+    echo $SOCAT_REAL_PID >"$SOCAT_PID"
+    until check_pid_and_port $SOCAT_PID $SOCAT_REAL_PID $SOCAT_PORT $SOCAT_HOST "socat"
+    do
+        sleep 0.2
+    done
+
+    wsrep_log_info "rsync --daemon --no-detach --address localhost --port $RSYNC_PORT --config \"$RSYNC_CONF\""
+    rsync --daemon --no-detach --address localhost --port $RSYNC_PORT --config "$RSYNC_CONF" &
+    RSYNC_REAL_PID=$!
+
+    until check_pid_and_port $RSYNC_PID $RSYNC_REAL_PID $RSYNC_PORT localhost "rsync"
+    do
+        sleep 0.2
+    done
+
+    echo "ready $ADDR/$MODULE"
+
+    # wait for SST to complete by monitoring magic file
+    while [ ! -r "$MAGIC_FILE" ] && check_pid "$RSYNC_PID" && \
+          check_pid "$SOCAT_PID" && ps -p $MYSQLD_PID >/dev/null
+    do
+        sleep 1
+    done
+
+    # to avoid cleanup race, we can tear down the socat tunnel now
+    # before signaling the end of the SST to galera.
+    cleanup_tunnel
+
+    if ! ps -p $MYSQLD_PID >/dev/null
+    then
+        wsrep_log_error \
+        "Parent mysqld process (PID:$MYSQLD_PID) terminated unexpectedly."
+        exit 32
+    fi
+
+    if ! [ -z $WSREP_SST_OPT_BINLOG ]
+    then
+
+        pushd $BINLOG_DIRNAME &> /dev/null
+        if [ -f $BINLOG_TAR_FILE ]
+        then
+            # Clean up old binlog files first
+            rm -f ${BINLOG_FILENAME}.*
+            wsrep_log_info "Extracting binlog files:"
+            tar -xvf $BINLOG_TAR_FILE >&2
+            for ii in $(ls -1 ${BINLOG_FILENAME}.*)
+            do
+                echo ${BINLOG_DIRNAME}/${ii} >> ${BINLOG_FILENAME}.index
+            done
+        fi
+        popd &> /dev/null
+    fi
+    if [ -r "$MAGIC_FILE" ]
+    then
+        # UUID:seqno & wsrep_gtid_domain_id is received here.
+        cat "$MAGIC_FILE" # Output : UUID:seqno wsrep_gtid_domain_id
+    else
+        # this message should cause joiner to abort
+        echo "rsync process ended without creating '$MAGIC_FILE'"
+    fi
+    wsrep_cleanup_progress_file
+#    cleanup_joiner
+else
+    wsrep_log_error "Unrecognized role: '$WSREP_SST_OPT_ROLE'"
+    exit 22 # EINVAL
+fi
+
+rm -f $BINLOG_TAR_FILE || :
+
+exit 0
diff --git a/SPECS/mariadb.spec b/SPECS/mariadb.spec
index 09fea8f..4467063 100644
--- a/SPECS/mariadb.spec
+++ b/SPECS/mariadb.spec
@@ -15,7 +15,7 @@
 # The last version on which the full testsuite has been run
 # In case of further rebuilds of that version, don't require full testsuite to be run
 # run only "main" suite
-%global last_tested_version 10.5.9
+%global last_tested_version 10.5.12
 # Set to 1 to force run the testsuite even if it was already tested in current version
 %global force_run_testsuite 0
 
@@ -32,10 +32,6 @@
 
 
 
-# TokuDB engine - DEPRECATED !
-#   https://mariadb.com/kb/en/mariadb/tokudb/
-#   TokuDB engine is available only for x86_64
-#   The Percona upstream deprecated the SE. It is not part of MariaDB 10.5
 # Mroonga engine
 #   https://mariadb.com/kb/en/mariadb/about-mroonga/
 #   Current version in MariaDB, 7.07, only supports the x86_64
@@ -46,12 +42,9 @@
 #   RocksDB may be built with jemalloc, if specified in CMake
 %ifarch x86_64
 %if 0%{?fedora}
-# TokuDB is deprecated in MariaDB 10.5 and later
-%bcond_with tokudb
 %bcond_without mroonga
 %bcond_without rocksdb
 %else
-%bcond_with tokudb
 %bcond_with mroonga
 %bcond_with rocksdb
 %endif
@@ -116,7 +109,7 @@
 %bcond_without unbundled_pcre
 %else
 %bcond_with unbundled_pcre
-%global pcre_bundled_version 10.36
+%global pcre_bundled_version 10.37
 %endif
 
 # Use main python interpretter version
@@ -154,7 +147,7 @@
 %global sameevr   %{epoch}:%{version}-%{release}
 
 Name:             mariadb
-Version:          10.5.9
+Version:          10.5.13
 Release:          1%{?with_debug:.debug}%{?dist}
 Epoch:            3
 
@@ -163,11 +156,17 @@ URL:              http://mariadb.org
 # Exceptions allow client libraries to be linked with most open source SW, not only GPL code.  See README.mysql-license
 License:          GPLv2 with exceptions and LGPLv2 and BSD
 
-Source0:          https://downloads.mariadb.org/interstitial/mariadb-%{version}/source/mariadb-%{version}.tar.gz
+# Original upstream sources archive URL
+# Source0:          https://downloads.mariadb.org/interstitial/mariadb-%{version}/source/mariadb-%{version}.tar.gz
+# Non-existent URL containing correct archive name
+#   The archive was created by executing the "generate-modified-sources.sh" script
+Source0:          https://fedoraproject.org/mariadb-%{version}-downstream_modified.tar.gz
+
 Source2:          mysql_config_multilib.sh
 Source3:          my.cnf.in
 Source6:          README.mysql-docs
 Source7:          README.mysql-license
+Source8:          README.wsrep_sst_rsync_tunnel
 Source10:         mysql.tmpfiles.d.in
 Source11:         mysql.service.in
 Source12:         mysql-prepare-db-dir.sh
@@ -202,6 +201,14 @@ Source71:         LICENSE.clustercheck
 # https://jira.mariadb.org/browse/MDEV-12646
 Source72:         mariadb-server-galera.te
 
+# Script to support encrypted rsync transfers when SST is required between nodes.
+# https://github.com/dciabrin/wsrep_sst_rsync_tunnel/blob/master/wsrep_sst_rsync_tunnel
+Source73:         wsrep_sst_rsync_tunnel
+
+#   Patch1: OpenSSL 3 patch
+#   Picked from the upstream developement branch for MariaDB 10.8.
+#   https://jira.mariadb.org/browse/MDEV-25785
+Patch1:           %{pkgnamepatch}-openssl3.patch
 #   Patch4: Red Hat distributions specific logrotate fix
 #   it would be big unexpected change, if we start shipping it now. Better wait for MariaDB 10.2
 Patch4:           %{pkgnamepatch}-logrotate.patch
@@ -320,7 +327,7 @@ Provides:         mysql-compat-client%{?_isa} = %{sameevr}
 
 Suggests:         %{name}-server%{?_isa} = %{sameevr}
 
-Conflicts:        community-mysql
+Conflicts:        mysql
 
 # Filtering: https://docs.fedoraproject.org/en-US/packaging-guidelines/AutoProvidesAndRequiresFiltering/
 %global __requires_exclude ^perl\\((hostnames|lib::mtr|lib::v1|mtr_|My::|wsrep)
@@ -356,7 +363,7 @@ to a MariaDB/MySQL server.
 
 # At least main config file /etc/my.cnf is shared for client and server part
 # Since we want to support combination of different client and server
-# implementations (e.g. mariadb library and community-mysql server),
+# implementations (e.g. mariadb library and mysql server),
 # we need the config file(s) to be in a separate package, so no extra packages
 # are pulled, because these would likely conflict.
 # More specifically, the dependency on the main configuration file (/etc/my.cnf)
@@ -443,7 +450,6 @@ Recommends:       %{name}-backup%{?_isa} = %{sameevr}
 %{?with_cracklib:Recommends:   %{name}-cracklib-password-check%{?_isa} = %{sameevr}}
 %{?with_gssapi:Recommends:     %{name}-gssapi-server%{?_isa} = %{sameevr}}
 %{?with_rocksdb:Suggests:      %{name}-rocksdb-engine%{?_isa} = %{sameevr}}
-%{?with_tokudb:Suggests:       %{name}-tokudb-engine%{?_isa} = %{sameevr}}
 %{?with_sphinx:Suggests:       %{name}-sphinx-engine%{?_isa} = %{sameevr}}
 %{?with_oqgraph:Suggests:      %{name}-oqgraph-engine%{?_isa} = %{sameevr}}
 %{?with_connect:Suggests:      %{name}-connect-engine%{?_isa} = %{sameevr}}
@@ -478,7 +484,7 @@ Provides:         mysql-server%{?_isa} = %{sameevr}
 Provides:         mysql-compat-server = %{sameevr}
 Provides:         mysql-compat-server%{?_isa} = %{sameevr}
 %endif
-Conflicts:        community-mysql-server
+Conflicts:        mysql-server
 
 # Bench subpackage has been deprecated in F32
 Obsoletes: %{name}-bench <= %{sameevr}
@@ -552,18 +558,6 @@ The RocksDB storage engine is used for high performance servers on SSD drives.
 %endif
 
 
-%if %{with tokudb}
-%package          tokudb-engine
-Summary:          The TokuDB storage engine for MariaDB
-Requires:         %{name}-server%{?_isa} = %{sameevr}
-BuildRequires:    jemalloc-devel
-Requires:         jemalloc
-
-%description      tokudb-engine
-The TokuDB storage engine from Percona.
-%endif
-
-
 %if %{with cracklib}
 %package          cracklib-password-check
 Summary:          The password strength checking plugin
@@ -625,7 +619,7 @@ Requires:         %{name}-server%{?_isa} = %{sameevr}
 %if %{with mysql_names}
 Provides:         mysql-perl = %{sameevr}
 %endif
-Conflicts:        community-mysql-server
+Conflicts:        mysql-server
 # mysqlhotcopy needs DBI/DBD support
 Requires:         perl(DBI) perl(DBD::mysql)
 
@@ -647,7 +641,7 @@ Requires:         mariadb-connector-c-devel >= 3.0
 Provides:         mysql-devel = %{sameevr}
 Provides:         mysql-devel%{?_isa} = %{sameevr}
 %endif
-Conflicts:        community-mysql-devel
+Conflicts:        mysql-devel
 
 %description      devel
 MariaDB is a multi-user, multi-threaded SQL database server.
@@ -690,7 +684,7 @@ Requires:         libaio-devel
 Provides:         mysql-embedded-devel = %{sameevr}
 Provides:         mysql-embedded-devel%{?_isa} = %{sameevr}
 %endif
-Conflicts:        community-mysql-embedded-devel
+Conflicts:        mysql-embedded-devel
 
 %description      embedded-devel
 MariaDB is a multi-user, multi-threaded SQL database server.
@@ -718,7 +712,7 @@ Requires:         perl(Socket)
 Requires:         perl(Sys::Hostname)
 Requires:         perl(Test::More)
 Requires:         perl(Time::HiRes)
-Conflicts:        community-mysql-test
+Conflicts:        mysql-test
 %if %{with mysql_names}
 Provides:         mysql-test = %{sameevr}
 Provides:         mysql-test%{?_isa} = %{sameevr}
@@ -733,20 +727,20 @@ sources.
 
 
 %prep
-%setup -q -n mariadb-%{version}
+%setup -q -n mariadb-%{version}-downstream_modified
 
 # Remove JAR files that upstream puts into tarball
 find . -name "*.jar" -type f -exec rm --verbose -f {} \;
 # Remove testsuite for the mariadb-connector-c
 rm -rf libmariadb/unittest
-# Remove python scripts remains from tokudb upstream (those files are not used anyway)
-rm -r storage/tokudb/mysql-test/tokudb/t/*.py
 %if %{without rocksdb}
 rm -r storage/rocksdb/
 %endif
 
 
-
+%if 0%{?fedora} >= 35 || 0%{?rhel} >= 9
+%patch1 -p1
+%endif
 %patch4 -p1
 %patch7 -p1
 %patch9 -p1
@@ -774,7 +768,7 @@ cat %{SOURCE53} | tee -a mysql-test/unstable-tests
 %endif
 
 cp %{SOURCE2} %{SOURCE3} %{SOURCE10} %{SOURCE11} %{SOURCE12} \
-   %{SOURCE14} %{SOURCE15} %{SOURCE16} %{SOURCE18} %{SOURCE70} scripts
+   %{SOURCE14} %{SOURCE15} %{SOURCE16} %{SOURCE18} %{SOURCE70} %{SOURCE73} scripts
 
 %if %{with galera}
 # prepare selinux policy
@@ -784,12 +778,12 @@ sed 's/mariadb-server-galera/%{name}-server-galera/' %{SOURCE72} > selinux/%{nam
 
 
 # Get version of PCRE, that upstream use
-pcre_version=`grep -e "ftp.pcre.org/pub/pcre/pcre2" cmake/pcre.cmake | sed -r "s;[^0123456789]*2-([[:digit:]]+\.[[:digit:]]+)\.[^0123456789]*;\1;"`
+pcre_version=`grep -e "https://github.com/PhilipHazel/pcre2/releases/download" cmake/pcre.cmake | sed -r "s;.*pcre2-([[:digit:]]+\.[[:digit:]]+).*;\1;" `
 
 # Check if the PCRE version in macro 'pcre_bundled_version', used in Provides: bundled(...), is the same version as upstream actually bundles
 %if %{without unbundled_pcre}
 if [ %{pcre_bundled_version} != "$pcre_version" ] ; then
-  echo "\n Error: Bundled PCRE version is not correct. \n\tBundled version number:%{pcre_bundled_version} \n\tUpstream version number: $pcre_version\n"
+  echo -e "\n Error: Bundled PCRE version is not correct. \n\tBundled version number: %{pcre_bundled_version} \n\tUpstream version number: $pcre_version\n"
   exit 1
 fi
 %else
@@ -797,7 +791,7 @@ fi
 pcre_system_version=`pkgconf %{_libdir}/pkgconfig/libpcre2-*.pc --modversion 2>/dev/null | head -n 1`
 
 if [ "$pcre_system_version" != "$pcre_version" ] ; then
-  echo "\n Warning: Error: Bundled PCRE version is not correct. \n\tSystem version number:$pcre_system_version \n\tUpstream version number: $pcre_version\n"
+  echo -e "\n Warning: Error: Bundled PCRE version is not correct. \n\tSystem version number: $pcre_system_version \n\tUpstream version number: $pcre_version\n"
 fi
 %endif
 
@@ -863,7 +857,6 @@ fi
          -DCONC_WITH_SSL=%{?with_clibrary:ON}%{!?with_clibrary:NO} \
          -DWITH_SSL=system \
          -DWITH_ZLIB=system \
-         -DWITH_JEMALLOC=%{?with_tokudb:yes}%{!?with_tokudb:no} \
          -DLZ4_LIBS=%{_libdir}/liblz4.so \
          -DLZ4_LIBS=%{?with_lz4:%{_libdir}/liblz4.so}%{!?with_lz4:} \
          -DWITH_INNODB_LZ4=%{?with_lz4:ON}%{!?with_lz4:OFF} \
@@ -873,8 +866,8 @@ fi
          -DPLUGIN_CRACKLIB_PASSWORD_CHECK=%{?with_cracklib:DYNAMIC}%{!?with_cracklib:NO} \
          -DPLUGIN_ROCKSDB=%{?with_rocksdb:DYNAMIC}%{!?with_rocksdb:NO} \
          -DPLUGIN_SPHINX=%{?with_sphinx:DYNAMIC}%{!?with_sphinx:NO} \
-         -DPLUGIN_TOKUDB=%{?with_tokudb:DYNAMIC}%{!?with_tokudb:NO} \
          -DPLUGIN_CONNECT=%{?with_connect:DYNAMIC}%{!?with_connect:NO} \
+         -DPLUGIN_COLUMNSTORE=NO \
          -DPLUGIN_CLIENT_ED25519=OFF \
          -DPYTHON_SHEBANG=%{python_path} \
          -DPLUGIN_CACHING_SHA2_PASSWORD=%{?with_clibrary:DYNAMIC}%{!?with_clibrary:OFF} \
@@ -1045,6 +1038,7 @@ ln -s %{_libexecdir}/mariadbd %{buildroot}%{_sbindir}/mariadbd
 # copy additional docs into build tree so %%doc will find them
 install -p -m 0644 %{SOURCE6} %{basename:%{SOURCE6}}
 install -p -m 0644 %{SOURCE7} %{basename:%{SOURCE7}}
+install -p -m 0644 %{SOURCE8} %{basename:%{SOURCE8}}
 install -p -m 0644 %{SOURCE16} %{basename:%{SOURCE16}}
 install -p -m 0644 %{SOURCE71} %{basename:%{SOURCE71}}
 
@@ -1072,6 +1066,9 @@ rm -r %{buildroot}%{_datadir}/%{pkg_name}/policy/apparmor
 # Buildroot does not have symlink /lib64 --> /usr/lib64
 mv %{buildroot}/%{_lib}/security %{buildroot}%{_libdir}
 
+# Add wsrep_sst_rsync_tunnel script
+install -p -m 0755 scripts/wsrep_sst_rsync_tunnel %{buildroot}%{_bindir}/wsrep_sst_rsync_tunnel
+
 # Disable plugins
 %if %{with gssapi}
 sed -i 's/^plugin-load-add/#plugin-load-add/' %{buildroot}%{_sysconfdir}/my.cnf.d/auth_gssapi.cnf
@@ -1145,14 +1142,6 @@ rm %{buildroot}%{_mandir}/man1/mysql{access,admin,binlog,check,dump,_find_rows,i
 rm %{buildroot}%{_mandir}/man1/mariadb-{access,admin,binlog,check,dump,find-rows,import,plugin,show,slap,waitpid}.1*
 %endif
 
-%if %{with tokudb}
-%if 0%{?fedora} || 0%{?rhel} > 7
-# Move the upstream file to the correct location
-mkdir -p %{buildroot}%{_unitdir}/mariadb.service.d
-mv %{buildroot}/etc/systemd/system/mariadb.service.d/tokudb.conf %{buildroot}%{_unitdir}/mariadb.service.d/tokudb.conf
-%endif
-%endif
-
 %if %{without config}
 rm %{buildroot}%{_sysconfdir}/my.cnf
 %endif
@@ -1238,14 +1227,14 @@ export MTR_BUILD_THREAD=$(( $(date +%s) % 1100 ))
   if [[ "%{last_tested_version}" == "%{version}" ]] && [[ %{force_run_testsuite} -eq 0 ]]
   then
     # in further rebuilds only run the basic "main" suite (~800 tests)
-    echo "running only base testsuite"
+    echo -e "\n\nRunning just the base testsuite\n\n"
     perl ./mysql-test-run.pl $common_testsuite_arguments --ssl --suite=main --mem --skip-test-list=unstable-tests
   fi
 
   # If either this version wasn't marked as tested yet or I explicitly want to run the testsuite, run everything we have (~4000 test)
   if [[ "%{last_tested_version}" != "%{version}" ]] || [[ %{force_run_testsuite} -ne 0 ]]
   then
-    echo "running advanced testsuite"
+    echo -e "running advanced testsuite"
     perl ./mysql-test-run.pl $common_testsuite_arguments --ssl --big-test --skip-test=spider \
     %if %{ignore_testsuite_result}
       --max-test-fail=9999 || :
@@ -1394,6 +1383,7 @@ fi
 %endif
 
 %files server
+%doc README.wsrep_sst_rsync_tunnel
 
 %{_bindir}/aria_{chk,dump_log,ftdump,pack,read_log}
 %{_bindir}/mariadb-service-convert
@@ -1440,7 +1430,6 @@ fi
 %{?with_connect:%exclude %{_libdir}/%{pkg_name}/plugin/ha_connect.so}
 %{?with_cracklib:%exclude %{_libdir}/%{pkg_name}/plugin/cracklib_password_check.so}
 %{?with_rocksdb:%exclude %{_libdir}/%{pkg_name}/plugin/ha_rocksdb.so}
-%{?with_tokudb:%exclude %{_libdir}/%{pkg_name}/plugin/ha_tokudb.so}
 %{?with_gssapi:%exclude %{_libdir}/%{pkg_name}/plugin/auth_gssapi.so}
 %{?with_sphinx:%exclude %{_libdir}/%{pkg_name}/plugin/ha_sphinx.so}
 %if %{with clibrary}
@@ -1485,7 +1474,6 @@ fi
 %{_datadir}/%{pkg_name}/mysql_system_tables.sql
 %{_datadir}/%{pkg_name}/mysql_system_tables_data.sql
 %{_datadir}/%{pkg_name}/mysql_test_data_timezone.sql
-%{_datadir}/%{pkg_name}/mysql_to_mariadb.sql
 %{_datadir}/%{pkg_name}/mysql_performance_tables.sql
 %{_datadir}/%{pkg_name}/mysql_test_db.sql
 %if %{with mroonga}
@@ -1514,7 +1502,6 @@ fi
 %endif
 
 %{_unitdir}/%{daemon_name}*
-%{?with_tokudb:%exclude %{_unitdir}/mariadb.service.d/tokudb.conf}
 
 %{_libexecdir}/mysql-prepare-db-dir
 %{_libexecdir}/mysql-check-socket
@@ -1557,17 +1544,6 @@ fi
 %{_mandir}/man1/myrocks_hotbackup.1*
 %endif
 
-%if %{with tokudb}
-%files tokudb-engine
-%{_bindir}/tokuftdump
-%{_bindir}/tokuft_logprint
-%{_mandir}/man1/tokuftdump.1*
-%{_mandir}/man1/tokuft_logprint.1*
-%config(noreplace) %{_sysconfdir}/my.cnf.d/tokudb.cnf
-%{_libdir}/%{pkg_name}/plugin/ha_tokudb.so
-%{_unitdir}/mariadb.service.d/tokudb.conf
-%endif
-
 %if %{with gssapi}
 %files gssapi-server
 %{_libdir}/%{pkg_name}/plugin/auth_gssapi.so
@@ -1581,7 +1557,7 @@ fi
 # SUID-to-root binary. Access MUST be restricted (https://jira.mariadb.org/browse/MDEV-25126)
 %attr(4750,root,mysql) %{_libdir}/%{pkg_name}/plugin/auth_pam_tool_dir/auth_pam_tool
 %{_libdir}/security/pam_user_map.so
-%{_sysconfdir}/security/user_map.conf
+%config(noreplace) %{_sysconfdir}/security/user_map.conf
 %endif
 
 %if %{with sphinx}
@@ -1661,56 +1637,76 @@ fi
 %endif
 
 %changelog
-* Mon Mar 22 2021 Michal Schorm <mschorm@redhat.com> - 10.5.9-1
+* Tue Jan 11 2022 Michal Schorm <mschorm@redhat.com> - 3:10.5.13-1
+- Rebase to 10.5.13
+- Add wsrep_sst_rsync_tunnel script
+
+* Tue Aug 24 2021 Lukas Javorsky <ljavorsk@redhat.com> - 3:10.5.12-1
+- Rebase to 10.5.12
+
+* Thu Aug 19 2021 Lukas Javorsky <ljavorsk@redhat.com> - 3:10.5.11-1
+- Rebase to 10.5.11
+
+* Mon Aug 16 2021 Lukas Javorsky <ljavorsk@redhat.com> - 3:10.5.10-2
+- Set user_map.conf file to be noreplace config file
+- Resolves: rhbz#1989621
+
+* Tue May 11 2021 Michal Schorm <mschorm@redhat.com> - 3:10.5.10-1
+- Rebase to 10.5.10
+
+* Mon May 10 2021 Michal Schorm <mschorm@redhat.com> - 3:10.5.9-2
+- Modify the upstream sources
+
+* Mon Mar 22 2021 Michal Schorm <mschorm@redhat.com> - 3:10.5.9-1
 - Rebase to 10.5.9
 
-* Fri Mar 19 2021 Michal Schorm <mschorm@redhat.com> - 10.5.8-4
+* Fri Mar 19 2021 Michal Schorm <mschorm@redhat.com> - 3:10.5.8-4
 - Move the PAM plugin to a standalone sub-package
 
-* Thu Mar 18 2021 Michal Schorm <mschorm@redhat.com> - 10.5.8-3
+* Thu Mar 18 2021 Michal Schorm <mschorm@redhat.com> - 3:10.5.8-3
 - Fix permissions of the PAMv2 plugin files
 
-* Tue Feb 16 2021 Michal Schorm <mschorm@redhat.com> - 10.5.8-2
+* Tue Feb 16 2021 Michal Schorm <mschorm@redhat.com> - 3:10.5.8-2
 - Bump release after several commits cherry-picked from Fedora Rawhide
 
-* Wed Nov 11 2020 Michal Schorm <mschorm@redhat.com> - 10.5.8-1
+* Wed Nov 11 2020 Michal Schorm <mschorm@redhat.com> - 3:10.5.8-1
 - Rebase to 10.5.8
 
-* Fri Nov 06 2020 Michal Schorm <mschorm@redhat.com> - 10.5.7-1
+* Fri Nov 06 2020 Michal Schorm <mschorm@redhat.com> - 3:10.5.7-1
 - Rebase to 10.5.7
 
-* Mon Sep 21 2020 Lukas Javorsky <ljavorsk@redhat.com> - 10.5.5-1
+* Mon Sep 21 2020 Lukas Javorsky <ljavorsk@redhat.com> - 3:10.5.5-1
 - Rebase to 10.5.5
 - Fix mariadb-ownsetup
 - Add manual for aria_s3_copy
 
-* Wed Sep 16 2020 Lukas Javorsky <ljavorsk@redhat.com> - 10.5.4-1
+* Wed Sep 16 2020 Lukas Javorsky <ljavorsk@redhat.com> - 3:10.5.4-1
 - Rebase to 10.5.4
 - Add spider.cnf to the server config files
 
-* Mon Sep 14 2020 Lukas Javorsky <ljavorsk@redhat.com> - 10.5.3-1
+* Mon Sep 14 2020 Lukas Javorsky <ljavorsk@redhat.com> - 3:10.5.3-1
 - Rebase to 10.5.3
 
-* Fri Sep 11 2020 Michal Schorm <mschorm@redhat.com> - 10.5.2-1
+* Fri Sep 11 2020 Michal Schorm <mschorm@redhat.com> - 3:10.5.2-1
 - Test rebase to 10.5.2 - Beta
 - TokuDB SE has been deprecated
 
-* Thu Sep 10 2020 Michal Schorm <mschorm@redhat.com> - 10.5.1-1
+* Thu Sep 10 2020 Michal Schorm <mschorm@redhat.com> - 3:10.5.1-1
 - Test rebase to 10.5.1 - Beta
 
-* Thu Sep 10 2020 Michal Schorm <mschorm@redhat.com> - 10.5.0-1
+* Thu Sep 10 2020 Michal Schorm <mschorm@redhat.com> - 3:10.5.0-1
 - Test rebase to 10.5.0 - Alpha
 
-* Sun Sep 06 2020 Michal Schorm <mschorm@redhat.com> - 10.4.14-3
+* Sun Sep 06 2020 Michal Schorm <mschorm@redhat.com> - 3:10.4.14-3
 - Resolves: #1851605
 
-* Thu Sep 03 2020 Michal Schorm <mschorm@redhat.com> - 10.4.14-2
+* Thu Sep 03 2020 Michal Schorm <mschorm@redhat.com> - 3:10.4.14-2
 - Resolves: #1873999, #1874446
 
-* Thu Aug 20 2020 Michal Schorm <mschorm@redhat.com> - 10.4.14-1
+* Thu Aug 20 2020 Michal Schorm <mschorm@redhat.com> - 3:10.4.14-1
 - Rebase to 10.4.14
 
-* Tue Aug 18 2020 Michal Schorm <mschorm@redhat.com> - 10.4.13-7
+* Tue Aug 18 2020 Michal Schorm <mschorm@redhat.com> - 3:10.4.13-7
 - Do CMake out-of-source builds
 - Force the CMake change regarding the in-source builds also to F31 and F32
 - Use CMake macros instead of cmake & make direct commands
@@ -1727,16 +1723,16 @@ fi
 * Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3:10.4.13-4
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
 
-* Tue Jul 14 2020 Michal Schorm <mschorm@redhat.com> - 10.4.13-3
+* Tue Jul 14 2020 Michal Schorm <mschorm@redhat.com> - 3:10.4.13-3
 - Make conflicts between corresponding mariadb and mysql packages explicit
 - Get rid of the Conflicts macro, it was intended to mark conflicts with
   *upstream* packages
 
-* Fri Jun 05 2020 Michal Schorm <mschorm@redhat.com> - 10.4.13-2
+* Fri Jun 05 2020 Michal Schorm <mschorm@redhat.com> - 3:10.4.13-2
 - Extend Perl "Requires" filtering to wsrep
   Resolves: #1845376
 
-* Fri Jun 05 2020 Michal Schorm <mschorm@redhat.com> - 10.4.13-1
+* Fri Jun 05 2020 Michal Schorm <mschorm@redhat.com> - 3:10.4.13-1
 - Rebase to 10.4.13
 
 * Sun May 24 2020 Lukas Javorsky <ljavorsk@redhat.com> - 3:10.4.12-6
@@ -1745,23 +1741,23 @@ fi
 * Thu Apr 02 2020 Björn Esser <besser82@fedoraproject.org> - 3:10.4.12-5
 - Fix string quoting for rpm >= 4.16
 
-* Thu Mar 26 2020 Jitka Plesnikova <jplesnik@redhat.com> - 10.4.12-4
+* Thu Mar 26 2020 Jitka Plesnikova <jplesnik@redhat.com> - 3:10.4.12-4
 - Add perl dependencies needed for tests
 
-* Mon Mar 16 2020 Michal Schorm <mschorm@redhat.com> - 10.4.12-3
+* Mon Mar 16 2020 Michal Schorm <mschorm@redhat.com> - 3:10.4.12-3
 - Rebase mariadb-connector-c git submodule to commit fbf1db6
   For fix: https://jira.mariadb.org/browse/CONC-441
 
-* Tue Mar 10 2020 Michal Schorm <mschorm@redhat.com> - 10.4.12-2
+* Tue Mar 10 2020 Michal Schorm <mschorm@redhat.com> - 3:10.4.12-2
 - Update the fix for building in the debug mode
 
-* Thu Feb 06 2020 Michal Schorm <mschorm@redhat.com> - 10.4.12-1
+* Thu Feb 06 2020 Michal Schorm <mschorm@redhat.com> - 3:10.4.12-1
 - Rebase to 10.4.12
 
 * Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3:10.4.11-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
 
-* Fri Jan 17 2020 Michal Schorm <mschorm@redhat.com> - 10.4.11-1
+* Fri Jan 17 2020 Michal Schorm <mschorm@redhat.com> - 3:10.4.11-1
 - Rebase to 10.4.11
   Related: #1756468
 - Remove 'bench' subpackage. Upstream no longer maintains it.
@@ -1770,63 +1766,63 @@ fi
 - Tweak build flags
 - Add patch for auth_pam_tool directory
 
-* Fri Jan 10 2020 Michal Schorm <mschorm@redhat.com> - 10.3.21-1
+* Fri Jan 10 2020 Michal Schorm <mschorm@redhat.com> - 3:10.3.21-1
 - Rebase to 10.3.21
 
-* Mon Nov 18 2019 Lukas Javorsky <ljavorsk@redhat.com> - 10.3.20-3
+* Mon Nov 18 2019 Lukas Javorsky <ljavorsk@redhat.com> - 3:10.3.20-3
 - Change path of groonga's packaged files
 - Fix bz#1763287
 
-* Tue Nov 12 2019 Michal Schorm <mschorm@redhat.com> - 10.3.20-2
+* Tue Nov 12 2019 Michal Schorm <mschorm@redhat.com> - 3:10.3.20-2
 - Rebuild on top fo new mariadb-connector-c
 
-* Mon Nov 11 2019 Michal Schorm <mschorm@redhat.com> - 10.3.20-1
+* Mon Nov 11 2019 Michal Schorm <mschorm@redhat.com> - 3:10.3.20-1
 - Rebase to 10.3.20
 
-* Wed Nov 06 2019 Michal Schorm <mschorm@redhat.com> - 10.3.19-1
+* Wed Nov 06 2019 Michal Schorm <mschorm@redhat.com> - 3:10.3.19-1
 - Rebase to 10.3.19
 
 * Thu Oct 31 2019 Carl George <carl@george.computer> - 3:10.3.18-1
 - Rebase to 10.3.18
 
-* Wed Sep 11 2019 Michal Schorm <mschorm@redhat.com> - 10.3.17-3
+* Wed Sep 11 2019 Michal Schorm <mschorm@redhat.com> - 3:10.3.17-3
 - Disable building of the ed25519 client plugin.
   From now on it will be shipped by 'mariadb-connector-c' package
 
-* Fri Sep 06 2019 Michal Schorm <mschorm@redhat.com> - 10.3.17-2
+* Fri Sep 06 2019 Michal Schorm <mschorm@redhat.com> - 3:10.3.17-2
 - Fix the debug build
 
-* Thu Aug 01 2019 Michal Schorm <mschorm@redhat.com> - 10.3.17-1
+* Thu Aug 01 2019 Michal Schorm <mschorm@redhat.com> - 3:10.3.17-1
 - Rebase to 10.3.17
 
 * Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 3:10.3.16-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
 
-* Tue Jun 18 2019 Michal Schorm <mschorm@redhat.com> - 10.3.16-1
+* Tue Jun 18 2019 Michal Schorm <mschorm@redhat.com> - 3:10.3.16-1
 - Rebase to 10.3.16
 - Added patch for armv7hl builds of spider SE
 
-* Tue Jun 11 2019 Michal Schorm <mschorm@redhat.com> - 10.3.15-1
+* Tue Jun 11 2019 Michal Schorm <mschorm@redhat.com> - 3:10.3.15-1
 - Rebase to 10.3.15
 - CVEs fixed:
   CVE-2019-2510 CVE-2019-2537
 - CVEs fixed:
   CVE-2019-2614 CVE-2019-2627 CVE-2019-2628
 
-* Tue Jun 11 2019 Michal Schorm <mschorm@redhat.com> - 10.3.12-15
+* Tue Jun 11 2019 Michal Schorm <mschorm@redhat.com> - 3:10.3.12-15
 - Remove Cassandra subpackage; it is no longer developed
 
-* Thu Mar 21 2019 Michal Schorm <mschorm@redhat.com> - 10.3.12-14
+* Thu Mar 21 2019 Michal Schorm <mschorm@redhat.com> - 3:10.3.12-14
 - Fix building of TokuDB with Jemalloc 5
 - Fix building with / without lz4
 
-* Thu Mar 21 2019 Michal Schorm <mschorm@redhat.com> - 10.3.12-13
+* Thu Mar 21 2019 Michal Schorm <mschorm@redhat.com> - 3:10.3.12-13
 - Add patch for mysqld_safe --dry-run
 
-* Wed Mar 20 2019 Michal Schorm <mschorm@redhat.com> - 10.3.12-12
+* Wed Mar 20 2019 Michal Schorm <mschorm@redhat.com> - 3:10.3.12-12
 - Add patch for server pkgconfig file location
 
-* Sat Feb 23 2019 Pavel Raiskup <praiskup@redhat.com> - 10.3.12-11
+* Sat Feb 23 2019 Pavel Raiskup <praiskup@redhat.com> - 3:10.3.12-11
 - conditionally depend on selinux-policy-targeted again (rhbz#1665643)
 
 * Mon Feb 11 2019 Michal Schorm <mschorm@redhat.com> - 3:10.3.12-10