diff --git a/.gitignore b/.gitignore
index bbcd392..3e095fa 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/opencryptoki-3.11.1.tar.gz
+SOURCES/opencryptoki-3.12.1.tar.gz
diff --git a/.opencryptoki.metadata b/.opencryptoki.metadata
index 64653b0..5177ce9 100644
--- a/.opencryptoki.metadata
+++ b/.opencryptoki.metadata
@@ -1 +1 @@
-26348de186bbc9d52eaca043445053c6cdaad489 SOURCES/opencryptoki-3.11.1.tar.gz
+8cb8804fe7bbd306d16ca714f62c54927fc3c3d8 SOURCES/opencryptoki-3.12.1.tar.gz
diff --git a/SOURCES/opencryptoki-3.11.0-warn-user-not-in-pkcs11-group.patch b/SOURCES/opencryptoki-3.11.0-warn-user-not-in-pkcs11-group.patch
deleted file mode 100644
index 756f55d..0000000
--- a/SOURCES/opencryptoki-3.11.0-warn-user-not-in-pkcs11-group.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-diff -up opencryptoki-3.11.0/usr/sbin/pkcsconf/pkcsconf.c.me opencryptoki-3.11.0/usr/sbin/pkcsconf/pkcsconf.c
---- opencryptoki-3.11.0/usr/sbin/pkcsconf/pkcsconf.c.me 2019-01-31 13:27:05.720647942 +0100
-+++ opencryptoki-3.11.0/usr/sbin/pkcsconf/pkcsconf.c 2019-01-31 13:36:05.763624633 +0100
-@@ -1072,6 +1072,9 @@ CK_RV init(void)
- if (rc != CKR_OK) {
- printf("Error initializing the PKCS11 library: 0x%lX (%s)\n", rc,
- p11_get_ckr(rc));
-+ printf("Note: all non-root users that require access to PKCS#11 tokens "
-+ "using opencryptoki must be assigned to the pkcs11 group to be "
-+ "able to communicate with the pkcsslotd daemon.\n");
- fflush(stdout);
- cleanup();
- }
diff --git a/SOURCES/opencryptoki-50a8a8806059647a3e446fd129995af61ec54867.patch b/SOURCES/opencryptoki-50a8a8806059647a3e446fd129995af61ec54867.patch
new file mode 100644
index 0000000..3032fb6
--- /dev/null
+++ b/SOURCES/opencryptoki-50a8a8806059647a3e446fd129995af61ec54867.patch
@@ -0,0 +1,33 @@
+commit 50a8a8806059647a3e446fd129995af61ec54867
+Author: Ingo Franzki
+Date: Tue Dec 3 14:58:26 2019 +0100
+
+ EP11: Fix EC-uncompress buffer length
+
+ Function ec_uncompress_public_key() expects the size of the output
+ buffer in out_pubkey to be specified in the out_len parameter.
+ However, variable pubkey_len is uninitialized when calling
+ ec_uncompress_public_key(), so this may result in CKR_BUFFER_TOO_SMALL
+ dependent on the value of pubkey_len.
+ Fix this by setting pubkey_len to the size of the public key buffer
+ allocated above.
+
+ Signed-off-by: Ingo Franzki
+
+diff --git a/usr/lib/ep11_stdll/ep11_specific.c b/usr/lib/ep11_stdll/ep11_specific.c
+index 38b6708f..10dfe4e0 100644
+--- a/usr/lib/ep11_stdll/ep11_specific.c
++++ b/usr/lib/ep11_stdll/ep11_specific.c
+@@ -2034,9 +2034,10 @@ static CK_RV import_EC_key(STDLL_TokData_t * tokdata, SESSION * sess,
+ rc = get_ecsiglen(ec_key_obj, &privkey_len);
+ if (rc != CKR_OK)
+ goto import_EC_key_end;
+- privkey_len /= 2; /* Public key is half the size of an EC signature */
++ privkey_len /= 2; /* private key is half the size of an EC signature */
+
+- pubkey = (CK_BYTE *)malloc(1 + 2 * privkey_len);
++ pubkey_len = 1 + 2 * privkey_len;
++ pubkey = (CK_BYTE *)malloc(pubkey_len);
+ if (pubkey == NULL) {
+ rc = CKR_HOST_MEMORY;
+ goto import_EC_key_end;
diff --git a/SPECS/opencryptoki.spec b/SPECS/opencryptoki.spec
index 05e5800..e739bb5 100644
--- a/SPECS/opencryptoki.spec
+++ b/SPECS/opencryptoki.spec
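Review bot: `pubkey_len` is declared outside this hunk and, per the commit message, had no initial value, so the fix holds only as long as every path to `ec_uncompress_public_key()` passes through the new assignment `pubkey_len = 1 + 2 * privkey_len;`. Initialising it to 0 at its declaration would presumably turn any later regression into a consistent CKR_BUFFER_TOO_SMALL instead of a result that depends on stack contents. A comment at the assignment such as `/* in: size of the pubkey buffer, required by ec_uncompress_public_key() */` would record why it must be set before the call. The hunk shows no bound on the value returned by `get_ecsiglen()`; it is presumably limited by the supported curves, which is worth confirming now that it sizes both the allocation and the length passed on. import_EC_key() starts and ends outside the hunk.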
@@ -1,17 +1,16 @@ Name: opencryptoki Summary: Implementation of the PKCS#11 (Cryptoki) specification v2.11 -Version: 3.11.1 -Release: 1%{?dist} +Version: 3.12.1 +Release: 2%{?dist} License: CPL Group: System Environment/Base URL: https://github.com/opencryptoki/opencryptoki Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz # https://bugzilla.redhat.com/show_bug.cgi?id=732756 -Patch0: opencryptoki-3.11.0-group.patch +Patch0: opencryptoki-3.11.0-group.patch # bz#1373833, change tmpfiles snippets from /var/lock/* to /run/lock/* -Patch1: opencryptoki-3.11.0-lockdir.patch -# bz#1063763, inform the user that he is not in pkcs11 group -Patch2: opencryptoki-3.11.0-warn-user-not-in-pkcs11-group.patch +Patch1: opencryptoki-3.11.0-lockdir.patch +Patch2: opencryptoki-50a8a8806059647a3e446fd129995af61ec54867.patch Requires(pre): coreutils BuildRequires: gcc BuildRequires: openssl-devel @@ -328,6 +327,18 @@ fi %changelog +* Fri Dec 13 2019 Than Ngo - 3.12.1-2 +- Resolves: #1782445, EP11: Fix EC-uncompress buffer length + +* Thu Nov 28 2019 Than Ngo - 3.12.1-1 +- Resolves: #1777313, rebase to 3.12.1 + +* Tue Nov 12 2019 Than Ngo - 3.12.0-1 +- Resolves: #1726243, rebase to 3.12.0 + +* Mon Aug 26 2019 Dan HorĂ¡k - 3.11.1-2 +- Resolves: #1739433, ICA HW token missing after the package update + * Mon May 06 2019 Than Ngo - 3.11.1-1 - Resolves: #1706140, rebase to 3.11.1
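Review bot: The new `Patch2:` line has no comment naming its bug, unlike `Patch0` and `Patch1`; adding `# bz#1782445, EP11: Fix EC-uncompress buffer length` above it would match the changelog entry. The same hunk drops the bz#1063763 pkcs11-group warning patch without a changelog line. The hunk does not show whether 3.12.1 already carries that message, so the changelog should say why the patch was removed.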