diff --git a/.gitignore b/.gitignore
index e06708c..cda75d0 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/opencryptoki-3.18.0.tar.gz
+SOURCES/opencryptoki-3.19.0.tar.gz
diff --git a/.opencryptoki.metadata b/.opencryptoki.metadata
index 7ff8bfe..3db97e4 100644
--- a/.opencryptoki.metadata
+++ b/.opencryptoki.metadata
@@ -1 +1 @@
-257eb4d5458c52bf7c1634fea155bf217d561bd4 SOURCES/opencryptoki-3.18.0.tar.gz
+39acf63d03978b2827340394fe6f732a6f0c0526 SOURCES/opencryptoki-3.19.0.tar.gz
diff --git a/SOURCES/opencryptoki-3.18.0-fix-json-output.patch b/SOURCES/opencryptoki-3.18.0-fix-json-output.patch
deleted file mode 100644
index baa6ff7..0000000
--- a/SOURCES/opencryptoki-3.18.0-fix-json-output.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-commit 1600eebb422ae2a733de3a0bd47464620e39ab0d
-Author: Ingo Franzki <ifranzki@linux.ibm.com>
-Date:   Tue Jun 7 08:58:16 2022 +0200
-
-    pkcsstats: Fix JSON output in case of errors
-    
-    Produce correct JSON output, even if an error occurs during obtaining
-    of the statistics for a user.
-    
-    Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
-
-diff --git a/usr/sbin/pkcsstats/pkcsstats.c b/usr/sbin/pkcsstats/pkcsstats.c
-index 8eb049dd..65d4833f 100644
---- a/usr/sbin/pkcsstats/pkcsstats.c
-+++ b/usr/sbin/pkcsstats/pkcsstats.c
-@@ -789,7 +789,7 @@ int main(int argc, char **argv)
-     bool reset = false, reset_all = false;
-     bool delete = false, delete_all = false;
-     bool slot_id_specified = false;
--    bool json = false;
-+    bool json = false, json_started = false;
-     CK_SLOT_ID slot_id = 0;
-     void *dll = NULL;
-     CK_FUNCTION_LIST *func_list = NULL;
-@@ -949,8 +949,11 @@ int main(int argc, char **argv)
-         goto done;
-     }
- 
--    if (json && print_json_start() != 0)
--        goto done;
-+    if (json) {
-+        if (print_json_start() != 0)
-+            goto done;
-+        json_started = true;
-+    }
- 
-     dd.func_list = func_list;
-     dd.num_slots = num_slots;
-@@ -972,7 +975,7 @@ int main(int argc, char **argv)
-     }
- 
- done:
--    if (rc == 0 && json)
-+    if (json && json_started)
-         printf("\n\t]\n}\n");
- 
-     if (slots != NULL)
diff --git a/SOURCES/opencryptoki-3.18.0-returning_CKR_BUFFER_TOO_SMALL.patch b/SOURCES/opencryptoki-3.18.0-returning_CKR_BUFFER_TOO_SMALL.patch
deleted file mode 100644
index 9dbbb74..0000000
--- a/SOURCES/opencryptoki-3.18.0-returning_CKR_BUFFER_TOO_SMALL.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-commit b545050b338e46c29936a2748aab7200e69a5c91
-Author: Ingo Franzki <ifranzki@linux.ibm.com>
-Date:   Tue Jul 26 15:11:06 2022 +0200
-
-    EP11: Fix C_GetMechanismList returning CKR_BUFFER_TOO_SMALL
-    
-    For mixed card levels, the size query call and the call to obtain the
-    list may run on different cards. When the size query call runs on a
-    card with less mechanisms than the second call, will fail, but it
-    returns the larger larger number of mechanisms.
-    
-    The code already re-allocates the buffer for retrieving the mechanism
-    list, but does not return the larger number in pulCount. This will
-    lead to a CKR_BUFFER_TOO_SMALL when the application calls C_GetMechanismList
-    again to obtain the list of mechanisms, because the applications buffer
-    is too small.
-    
-    Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
-
-diff --git a/usr/lib/ep11_stdll/ep11_specific.c b/usr/lib/ep11_stdll/ep11_specific.c
-index 8d796452..1629e664 100644
---- a/usr/lib/ep11_stdll/ep11_specific.c
-+++ b/usr/lib/ep11_stdll/ep11_specific.c
-@@ -8977,6 +8977,8 @@ CK_RV ep11tok_get_mechanism_list(STDLL_TokData_t * tokdata,
-                 if (rc != CKR_BUFFER_TOO_SMALL)
-                     goto out;
-             }
-+            /* counter was updated in case of CKR_BUFFER_TOO_SMALL */
-+            *pulCount = counter;
-         } while (rc == CKR_BUFFER_TOO_SMALL);
- 
-         for (i = 0; i < counter; i++) {
diff --git a/SOURCES/opencryptoki-3.19.0-fix-memory-leak.patch b/SOURCES/opencryptoki-3.19.0-fix-memory-leak.patch
new file mode 100644
index 0000000..89da088
--- /dev/null
+++ b/SOURCES/opencryptoki-3.19.0-fix-memory-leak.patch
@@ -0,0 +1,51 @@
+commit cb4d7b125c7166602cb9094497a201b2f5a56985
+Author: Ingo Franzki <ifranzki@linux.ibm.com>
+Date:   Tue Oct 4 13:21:32 2022 +0200
+
+    pkcsicsf: Fix memory leak
+    
+    Use confignode_deepfree() to also free appended config nodes.
+    
+    Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
+
+diff --git a/usr/sbin/pkcsicsf/pkcsicsf.c b/usr/sbin/pkcsicsf/pkcsicsf.c
+index 44f5ef34..b02d1fe5 100644
+--- a/usr/sbin/pkcsicsf/pkcsicsf.c
++++ b/usr/sbin/pkcsicsf/pkcsicsf.c
+@@ -129,7 +129,8 @@ static void add_token_config_entry(struct ConfigIdxStructNode *s, char *key, cha
+         return;
+ 
+     v = confignode_allocstringvaldumpable(key, value, 0, NULL);
+-    confignode_append(s->value, &v->base);
++    if (v != NULL)
++        confignode_append(s->value, &v->base);
+ }
+ 
+ static int add_token_config(const char *configname,
+@@ -150,7 +151,7 @@ static int add_token_config(const char *configname,
+             confignode_freeeoc(eoc1);
+             confignode_freeeoc(eoc2);
+         }
+-        confignode_freeidxstruct(s);
++        confignode_deepfree(&s->base);
+         fprintf(stderr, "Failed to add an entry for %s token\n", token.name);
+         return -1;
+     }
+@@ -179,7 +180,7 @@ static int add_token_config(const char *configname,
+     if (tfp == NULL) {
+         fprintf(stderr, "fopen failed, line %d: %s\n",
+                 __LINE__, strerror(errno));
+-        confignode_freeidxstruct(s);
++        confignode_deepfree(&s->base);
+         return -1;
+     }
+ 
+@@ -188,7 +189,7 @@ static int add_token_config(const char *configname,
+     confignode_dump(tfp, &s->base, NULL, 2);
+ 
+     fclose(tfp);
+-    confignode_freeidxstruct(s);
++    confignode_deepfree(&s->base);
+ 
+     return 0;
+ }
diff --git a/SPECS/opencryptoki.spec b/SPECS/opencryptoki.spec
index 42d72c7..7f015d5 100644
--- a/SPECS/opencryptoki.spec
+++ b/SPECS/opencryptoki.spec
@@ -1,7 +1,7 @@
 Name: opencryptoki
 Summary: Implementation of the PKCS#11 (Cryptoki) specification v3.0
-Version: 3.18.0
-Release: 3%{?dist}
+Version: 3.19.0
+Release: 1%{?dist}
 License: CPL
 Group: System Environment/Base
 URL: https://github.com/opencryptoki/opencryptoki
@@ -13,8 +13,7 @@ Patch1: opencryptoki-3.11.0-lockdir.patch
 # add missing p11sak_defined_attrs.conf
 Patch2: opencryptoki-3.18.0-p11sak.patch
 # upstream patches
-Patch100: opencryptoki-3.18.0-fix-json-output.patch
-Patch102: opencryptoki-3.18.0-returning_CKR_BUFFER_TOO_SMALL.patch
+Patch100: opencryptoki-3.19.0-fix-memory-leak.patch
 
 Requires(pre): coreutils diffutils
 Requires: (selinux-policy >= 3.14.3-70 if selinux-policy-targeted)
@@ -312,6 +311,7 @@ fi
 
 %files devel
 %{_includedir}/%{name}/
+%{_libdir}/pkgconfig/%{name}.pc
 
 %files swtok
 %{_libdir}/opencryptoki/stdll/libpkcs11_sw.*
@@ -342,6 +342,7 @@ fi
 
 %files ccatok
 %doc doc/README.cca_stdll
+%config(noreplace) %{_sysconfdir}/%{name}/ccatok.conf
 %{_sbindir}/pkcscca
 %{_mandir}/man1/pkcscca.1*
 %{_libdir}/opencryptoki/stdll/libpkcs11_cca.*
@@ -365,6 +366,13 @@ fi
 
 
 %changelog
+* Tue Nov 01 2022 Than Ngo <than@redhat.com> - 3.19.0-1
+- Resolves: #2126612, opencryptoki fails after generating > 500 RSA keys
+- Resolves: #2110315, rebase to 3.19.0
+- Resolves: #2110990, openCryptoki key generation with expected MKVP only on CCA and EP11 tokens
+- Resolves: #2110477, openCryptoki ep11 token: master key consistency
+- Resolves: #1984871, openCryptoki ep11 token: vendor specific key derivation
+
 * Mon Aug 01 2022 Than Ngo <than@redhat.com> - 3.18.0-3
 - Related: #2043854, do not touch opencryptoki.conf if it is in place already and even if it is unchanged
 - Resolves: #2112785, EP11: Fix C_GetMechanismList returning CKR_BUFFER_TOO_SMALL