diff --git a/SOURCES/0001-Give-warning-on-not-supported-hash-for-RSA-keys.patch b/SOURCES/0001-Give-warning-on-not-supported-hash-for-RSA-keys.patch
new file mode 100644
index 0000000..24a7326
--- /dev/null
+++ b/SOURCES/0001-Give-warning-on-not-supported-hash-for-RSA-keys.patch
@@ -0,0 +1,40 @@
+From 48546ffc0a3f3eb15bfd439a19fc9722eaea592f Mon Sep 17 00:00:00 2001
+From: Florian Festi <ffesti@redhat.com>
+Date: Tue, 28 Jun 2022 12:50:54 +0200
+Subject: [PATCH] Give warning on not supported hash for RSA keys
+
+This can happen when old keys are used on systems that have disabled SHA1
+e.g. for FIPS requirements.
+
+This is less than ideal but there is currently no way to pass a meaningful
+error code up to rpmtsImportPubkey. rpmPubkeyNew just returns a valid key
+or NULL.
+
+See rhbz#2069877
+---
+ rpmio/digest_openssl.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/rpmio/digest_openssl.c b/rpmio/digest_openssl.c
+index a28a13acc..2ec5140f1 100644
+--- a/rpmio/digest_openssl.c
++++ b/rpmio/digest_openssl.c
+@@ -4,6 +4,7 @@
+ #include <openssl/rsa.h>
+ #include <openssl/dsa.h>
+ #include <rpm/rpmpgp.h>
++#include <rpm/rpmlog.h>
+ 
+ #include "rpmio/digest.h"
+ 
+@@ -483,6 +484,7 @@ static int pgpVerifySigRSA(pgpDigAlg pgpkey, pgpDigAlg pgpsig,
+ 
+     ret = EVP_PKEY_CTX_set_signature_md(pkey_ctx, getEVPMD(hash_algo));
+     if (ret < 0) {
++	rpmlog(RPMLOG_WARNING, "Signature not supported. Hash algorithm %s not available.\n", pgpValString(PGPVAL_HASHALGO, hash_algo));
+         rc = 1;
+         goto done;
+     }
+-- 
+2.36.1
+
diff --git a/SOURCES/rpm-4.16.1.3-Make-rpm2cpio.sh-more-robust.patch b/SOURCES/rpm-4.16.1.3-Make-rpm2cpio.sh-more-robust.patch
new file mode 100644
index 0000000..38b2f5a
--- /dev/null
+++ b/SOURCES/rpm-4.16.1.3-Make-rpm2cpio.sh-more-robust.patch
@@ -0,0 +1,57 @@
+diff --git a/scripts/rpm2cpio.sh b/scripts/rpm2cpio.sh
+index 4531271cc..74aeed851 100755
+--- a/scripts/rpm2cpio.sh
++++ b/scripts/rpm2cpio.sh
+@@ -15,13 +15,23 @@ _dd() {
+ }
+ 
+ calcsize() {
++
++	case "$(_dd $1 bs=4 count=1 | tr -d '\0')" in
++		"$(printf '\216\255\350')"*) ;; # '\x8e\xad\xe8'
++		*) fatal "File doesn't look like rpm: $pkg" ;;
++	esac
++
+ 	offset=$(($1 + 8))
+ 
+ 	local i b b0 b1 b2 b3 b4 b5 b6 b7
+ 
+ 	i=0
+ 	while [ $i -lt 8 ]; do
+-		b="$(_dd $(($offset + $i)) bs=1 count=1)"
++		# add . to not loose \n
++		# strip \0 as it gets dropped with warning otherwise
++		b="$(_dd $(($offset + $i)) bs=1 count=1 | tr -d '\0' ; echo .)"
++		b=${b%.}    # strip . again
++
+ 		[ -z "$b" ] &&
+ 			b="0" ||
+ 			b="$(exec printf '%u\n' "'$b")"
+@@ -33,7 +43,7 @@ calcsize() {
+ 	offset=$(($offset + $rsize))
+ }
+ 
+-case "$(_dd 0 bs=8 count=1)" in
++case "$(_dd 0 bs=4 count=1 | tr -d '\0')" in
+ 	"$(printf '\355\253\356\333')"*) ;; # '\xed\xab\xee\xdb'
+ 	*) fatal "File doesn't look like rpm: $pkg" ;;
+ esac
+@@ -44,11 +54,11 @@ sigsize=$rsize
+ calcsize $(($offset + (8 - ($sigsize % 8)) % 8))
+ hdrsize=$rsize
+ 
+-case "$(_dd $offset bs=3 count=1)" in
+-	"$(printf '\102\132')"*) _dd $offset | bunzip2 ;; # '\x42\x5a'
+-	"$(printf '\037\213')"*) _dd $offset | gunzip  ;; # '\x1f\x8b'
+-	"$(printf '\375\067')"*) _dd $offset | xzcat   ;; # '\xfd\x37'
+-	"$(printf '\135\000')"*) _dd $offset | unlzma  ;; # '\x5d\x00'
+-	"$(printf '\050\265')"*) _dd $offset | unzstd  ;; # '\x28\xb5'
+-	*) fatal "Unrecognized rpm file: $pkg" ;;
++case "$(_dd $offset bs=2 count=1 | tr -d '\0')" in
++	"$(printf '\102\132')") _dd $offset | bunzip2 ;; # '\x42\x5a'
++	"$(printf '\037\213')") _dd $offset | gunzip  ;; # '\x1f\x8b'
++	"$(printf '\375\067')") _dd $offset | xzcat   ;; # '\xfd\x37'
++	"$(printf '\135')") _dd $offset | unlzma      ;; # '\x5d\x00'
++	"$(printf '\050\265')") _dd $offset | unzstd  ;; # '\x28\xb5'
++	*) fatal "Unrecognized payload compression format in rpm file: $pkg" ;;
+ esac
diff --git a/SOURCES/rpm-4.16.1.3-add-path-query-option.patch b/SOURCES/rpm-4.16.1.3-add-path-query-option.patch
index 0a44718..324f098 100644
--- a/SOURCES/rpm-4.16.1.3-add-path-query-option.patch
+++ b/SOURCES/rpm-4.16.1.3-add-path-query-option.patch
@@ -1,4 +1,4 @@
-From ce8af503733b5661efa046cc7f5f68ee0dad75cc Mon Sep 17 00:00:00 2001
+From ba659220886c1a315f50fb91b9af4615b1a8757e Mon Sep 17 00:00:00 2001
 From: Michal Domonkos <mdomonko@redhat.com>
 Date: Mon, 16 Aug 2021 18:21:02 +0200
 Subject: [PATCH] Add support for RPMDBI_BASENAMES on file queries
@@ -14,8 +14,11 @@ Update the man page for --file to reflect it's current behavior and make
 
 Resolves: rhbz#1940895
 
-Combined with d1aebda01033bc8ba0d748b49f6fad9a5c0caa3f and backported
-for 4.16.1.3.
+Combined with:
+d1aebda01033bc8ba0d748b49f6fad9a5c0caa3f
+f62b6d27cd741406a52a7e9c5b1d6f581dbd3af8
+
+Backported for 4.16.1.3.
 ---
  doc/rpm.8         |  9 ++++++--
  lib/poptQV.c      |  6 +++++-
@@ -115,17 +118,17 @@ index fdabe6e52..9a71f0dc5 100644
  	    mi = rpmtsInitIterator(ts, RPMDBI_PROVIDENAME, fn, 0);
  
 diff --git a/lib/rpmcli.h b/lib/rpmcli.h
-index 4886c2453..8ef992ff2 100644
+index 4886c2453..3961418e7 100644
 --- a/lib/rpmcli.h
 +++ b/lib/rpmcli.h
-@@ -81,6 +81,7 @@ rpmcliFini(poptContext optCon);
- enum rpmQVSources_e {
-     RPMQV_PACKAGE = 0,	/*!< ... from package name db search. */
-     RPMQV_PATH,		/*!< ... from file path db search. */
+@@ -101,6 +101,7 @@ enum rpmQVSources_e {
+     RPMQV_SPECBUILTRPMS,	/*!< ... from pkgs which would be built from spec */
+     RPMQV_WHATOBSOLETES,	/*!< ... from obsoletes db search. */
+     RPMQV_WHATCONFLICTS,	/*!< ... from conflicts db search. */
 +    RPMQV_PATH_ALL,	/*!< ... from file path db search (all states). */
-     RPMQV_ALL,		/*!< ... from each installed package. */
-     RPMQV_RPM, 		/*!< ... from reading binary rpm package. */
-     RPMQV_GROUP,	/*!< ... from group db search. */
+ };
+ 
+ typedef rpmFlags rpmQVSources;
 diff --git a/tests/rpmquery.at b/tests/rpmquery.at
 index 9a4f1cb76..335d5ee0d 100644
 --- a/tests/rpmquery.at
@@ -190,5 +193,5 @@ index 9a4f1cb76..335d5ee0d 100644
  AT_SETUP([integer array query])
  AT_KEYWORDS([query])
 -- 
-2.34.1
+2.35.1
 
diff --git a/SOURCES/rpm-4.16.1.3-find_debuginfo_vendor_opts.patch b/SOURCES/rpm-4.16.1.3-find_debuginfo_vendor_opts.patch
new file mode 100644
index 0000000..c6f30a7
--- /dev/null
+++ b/SOURCES/rpm-4.16.1.3-find_debuginfo_vendor_opts.patch
@@ -0,0 +1,20 @@
+--- rpm.orig/macros.in	2022-06-30 11:37:18.975312592 +0100
++++ rpm-4.16.1.3/macros.in	2022-06-30 11:37:43.145158323 +0100
+@@ -167,6 +167,9 @@
+ #	A spec file can %%define _find_debuginfo_opts to pass options to
+ #	the script.  See the script for details.
+ #
++#	Vendor spec files (eg redhat-rpm-config:macros) can %%define
++#       _find_debuginfo_vendor_opts to pass options to the script.
++#
+ %__debug_install_post   \
+     %{_rpmconfigdir}/find-debuginfo.sh \\\
+     %{?_smp_build_ncpus:-j%{_smp_build_ncpus}} \\\
+@@ -179,6 +182,7 @@
+     %{?_unique_debug_srcs:--unique-debug-src-base "%{name}-%{VERSION}-%{RELEASE}.%{_arch}"} \\\
+     %{?_find_debuginfo_dwz_opts} \\\
+     %{?_find_debuginfo_opts} \\\
++    %{?_find_debuginfo_vendor_opts} \\\
+     %{?_debugsource_packages:-S debugsourcefiles.list} \\\
+     "%{_builddir}/%{?buildsubdir}"\
+ %{nil}
diff --git a/SPECS/rpm.spec b/SPECS/rpm.spec
index bcd8a8d..d21d853 100644
--- a/SPECS/rpm.spec
+++ b/SPECS/rpm.spec
@@ -32,7 +32,7 @@
 
 %global rpmver 4.16.1.3
 #global snapver rc1
-%global rel 11
+%global rel 17
 %global sover 9
 
 %global srcver %{rpmver}%{?snapver:-%{snapver}}
@@ -82,11 +82,13 @@ Patch110: rpm-4.16.1.3-add-path-query-option.patch
 Patch111: rpm-4.16.1.3-skip-recorded-symlinks-in-setperms.patch
 Patch112: rpm-4.16.1.3-fix-regression-reading-rpm-v3-pkgs.patch
 Patch113: rpm-4.16.1.3-fix-spurious-transfiletriggerpostun-execution.patch
+Patch114: rpm-4.16.1.3-Make-rpm2cpio.sh-more-robust.patch
 
 # These are not yet upstream
 Patch906: rpm-4.7.1-geode-i686.patch
 # Probably to be upstreamed in slightly different form
 Patch907: rpm-4.15.x-ldflags.patch
+Patch908: 0001-Give-warning-on-not-supported-hash-for-RSA-keys.patch
 
 # Not yet (all) upstream, debugedit DWARF5
 # https://code.wildebeest.org/git/user/mjw/rpm/log/?h=gcc-dwarf5-4.16.1.2
@@ -99,6 +101,7 @@ Patch916: 0006-debugedit-Handle-DWARF-5-debug_line-and-debug_line_s.patch
 
 # Downstream-only patches
 Patch1000: rpm-4.16.1.3-hashtab-use-after-free-fix.patch
+Patch1001: rpm-4.16.1.3-find_debuginfo_vendor_opts.patch
 
 # Partially GPL/LGPL dual-licensed and some bits with BSD
 # SourceLicense: (GPLv2+ and LGPLv2+ with exceptions) and BSD
@@ -611,6 +614,18 @@ fi
 %doc doc/librpm/html/*
 
 %changelog
+* Wed Aug 03 2022 Florian Festi <ffesti@redhat.com> - 4.16.1.3-17
+- Make rpm2cpio.sh more robust (#1983015)
+
+* Thu Jun 30 2022 Nick Clifton  <nickc@redhat.com> - 4.16.1.3-15
+- Pass _find_debuginfo_vendor_opts to the find-debuginfo script.  (#2099617)
+
+* Tue Jun 28 2022 Florian Festi <ffesti@redhat.com> - 4.16.1.3-14
+- Warning for failed key import (#2069877)
+
+* Tue Apr 05 2022 Michal Domonkos <mdomonko@redhat.com> - 4.16.1.3-12
+- Fix minor ABI regression in rpmcli.h (#2037352)
+
 * Mon Feb 14 2022 Michal Domonkos <mdomonko@redhat.com> - 4.16.1.3-11
 - Fix IMA signature lengths assumed constant, take III (#2018937)
 - Fix regression reading rpm v3 and other rare packages (#2037186)