diff --git a/.gitignore b/.gitignore
index 98645ee..6deb4fb 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/mysql-boost-5.7.19.tar.gz
+SOURCES/mysql-boost-5.7.20.tar.gz
diff --git a/.rh-mysql57-mysql.metadata b/.rh-mysql57-mysql.metadata
index 0861135..6a5a5a7 100644
--- a/.rh-mysql57-mysql.metadata
+++ b/.rh-mysql57-mysql.metadata
@@ -1 +1 @@
-357769356761e040d8e3febbeb351ba95bde1a43 SOURCES/mysql-boost-5.7.19.tar.gz
+1fcbaea0d75d71a8a868f518b5b0afaaa18c5cda SOURCES/mysql-boost-5.7.20.tar.gz
diff --git a/SPECS/mysql.spec b/SPECS/mysql.spec
index 58067b8..fc2382c 100644
--- a/SPECS/mysql.spec
+++ b/SPECS/mysql.spec
@@ -113,8 +113,8 @@
 %endif
 
 Name:             %{?scl_prefix}mysql
-Version:          5.7.19
-Release:          6%{?with_debug:.debug}%{?dist}
+Version:          5.7.20
+Release:          1%{?with_debug:.debug}%{?dist}
 Summary:          MySQL client programs and shared libraries
 Group:            Applications/Databases
 URL:              http://www.mysql.com
@@ -1096,9 +1096,17 @@ fi
 %endif
 
 %changelog
+* Fri Oct 27 2017 Honza Horak <hhorak@redhat.com> - 5.7.20-1
+- Update to MySQL 5.7.20, for various fixes described at
+  https://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-20.html
+  Also fixes: CVE-2017-10155 CVE-2017-10227 CVE-2017-10268 CVE-2017-10276
+              CVE-2017-10279 CVE-2017-10283 CVE-2017-10286 CVE-2017-10294
+              CVE-2017-10314 CVE-2017-10378 CVE-2017-10379 CVE-2017-10384
+  Resolves: #1505114
+
 * Mon Oct 09 2017 Honza Horak <hhorak@redhat.com> - 5.7.19-6
 - Clear previously set selinux equivalence rule, so the new one is used
-  Related: #1452707
+  Related: #1451175
 
 * Mon Aug 28 2017 Honza Horak <hhorak@redhat.com> - 5.7.19-5
 - Do not use PIDFile directive in mysql@.service
@@ -1118,42 +1126,41 @@ fi
 
 * Mon Jun 26 2017 Honza Horak <hhorak@redhat.com> - 5.7.18-2
 - Run mysqld with correct context
-  Resolves: #1466474
+  Resolves: #1461102
 - Work-around for #1172683 is not needed any more, SELinux context is
   properly defined for mysqld_safe-scl-helper binary in selinux-policy
   package already.
   However, what we really need is context of mysqld,
   not mysqld_safe, so using mysqld-scl-helper instead and defining own
   context for this file.
-  Related: #1466474
+  Related: #1461102
 - Do not run mysql-check-socket script as mysql user, since then it
   cannot see other processes' open files, as per see fuser(1) man page.
   Since the script only reads data, running it as root on RHEL-6 does not
   cause any security issues.
-  Resolves: #1466477
+  Resolves: #1461445
 
 * Tue May 23 2017 Michal Schorm <mschorm@redhat.com> - 5.7.18-2
 - Previous CVE fix was incomplete, fixed now
-- CVEs fixed by this commit, #1445521:
+- CVEs fixed by this commit, #1445520:
   CVE-2017-3312
-- Resolves: #1445521
 
 * Mon May 15 2017 Michal Schorm <mschorm@redhat.com> - 5.7.18-1
 - Udate to MySQL 5.7.18, for various fixes described at
   https://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-18.html
-- CVEs fixed by this commit, #1445528:
+- CVEs fixed by this commit, #1445527:
   CVE-2016-5483/CVE-2017-3600 CVE-2017-3308 CVE-2017-3309
   CVE-2017-3331 CVE-2017-3450 CVE-2017-3453 CVE-2017-3454
   CVE-2017-3455 CVE-2017-3456 CVE-2017-3457 CVE-2017-3458
   CVE-2017-3459 CVE-2017-3460 CVE-2017-3461 CVE-2017-3462
   CVE-2017-3463 CVE-2017-3464 CVE-2017-3465 CVE-2017-3467
   CVE-2017-3468 CVE-2017-3599
-- CVEs fixed by this commit, #1445517:
+- CVEs fixed by this commit, #1445518:
   CVE-2016-8327 CVE-2017-3238 CVE-2017-3244 CVE-2017-3251
   CVE-2017-3256 CVE-2017-3257 CVE-2017-3258 CVE-2017-3273
   CVE-2017-3313 CVE-2017-3317 CVE-2017-3318 CVE-2017-3319
   CVE-2017-3320 CVE-2017-3291
-- CVEs fixed by this commit, #1445521:
+- CVEs fixed by this commit, #1445520:
   CVE-2017-3312
 - 'force' option for 'rm' removed in specfile
 - Sample my-*.cnf are gone (removed by upstream)
@@ -1161,11 +1168,11 @@ fi
 - Fixed SCL exit code processing ('set -e')
 - Following tests were disabled, for they started to fail or are unstable:
   main.datadir_permission main.m_i_db main.grant_user_lock
-- Resolves: #1452514; MD5 in FIPS mode
-            #1452510; bundled() provides
-            #1452516; root privilege escalation
-            #1452511; rh-mysql57-mysqld@ wasn't made for scl
-            #1452707; typo in SELinux context
+- Resolves: #1449689; MD5 in FIPS mode
+            #1396936; bundled() provides
+            #1451175; typo in SELinux context
+            #1449694; root privilege escalation
+            #1400702; rh-mysql57-mysqld@ wasn't made for scl
 
 * Mon Oct 17 2016 Jakub Dorňák <jdornak@redhat.com> - 5.7.16-1
 - Udate to MySQL 5.7.16, for various fixes described at