diff --git a/.gitignore b/.gitignore
index 4d97e7f..dc6af45 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/runc-425e105.tar.gz
+SOURCES/runc-d736ef1.tar.gz
diff --git a/.runc.metadata b/.runc.metadata
index 1ff52c1..6c81a25 100644
--- a/.runc.metadata
+++ b/.runc.metadata
@@ -1 +1 @@
-cfbe1abc984f5b0be1413475f888e39304b265ae SOURCES/runc-425e105.tar.gz
+812dbd873389db38f03438166784aee998146d30 SOURCES/runc-d736ef1.tar.gz
diff --git a/SOURCES/1807.patch b/SOURCES/1807.patch
index dcfae56..6d415f0 100644
--- a/SOURCES/1807.patch
+++ b/SOURCES/1807.patch
@@ -1,4 +1,4 @@
-From e3b37893afa498ef6254cc9d94c159b12e04d0b0 Mon Sep 17 00:00:00 2001
+From 3d99c51e1b38a440804a55c9f314f62cc50b8902 Mon Sep 17 00:00:00 2001
 From: Giuseppe Scrivano <gscrivan@redhat.com>
 Date: Fri, 25 May 2018 18:04:06 +0200
 Subject: [PATCH] sd-notify: do not hang when NOTIFY_SOCKET is used with create
@@ -10,21 +10,20 @@ still accessible from the container.
 
 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
 ---
- notify_socket.go | 113 ++++++++++++++++++++++++++++++++++-------------
+ notify_socket.go | 112 ++++++++++++++++++++++++++++++++++-------------
  signals.go       |   4 +-
  start.go         |  13 +++++-
  utils_linux.go   |  12 ++++-
- 4 files changed, 106 insertions(+), 36 deletions(-)
+ 4 files changed, 105 insertions(+), 36 deletions(-)
 
 diff --git a/notify_socket.go b/notify_socket.go
-index b890b5b1c..286ce1ddd 100644
+index e7453c62..d961453a 100644
 --- a/notify_socket.go
 +++ b/notify_socket.go
-@@ -6,11 +6,14 @@ import (
- 	"bytes"
+@@ -7,11 +7,13 @@ import (
  	"fmt"
  	"net"
-+	"os"
+ 	"os"
 +	"path"
  	"path/filepath"
 +	"strconv"
@@ -37,7 +36,7 @@ index b890b5b1c..286ce1ddd 100644
  	"github.com/urfave/cli"
  )
  
-@@ -26,12 +29,12 @@ func newNotifySocket(context *cli.Context, notifySocketHost string, id string) *
+@@ -27,12 +29,12 @@ func newNotifySocket(context *cli.Context, notifySocketHost string, id string) *
  	}
  
  	root := filepath.Join(context.GlobalString("root"), id)
@@ -52,7 +51,7 @@ index b890b5b1c..286ce1ddd 100644
  	}
  
  	return notifySocket
-@@ -43,13 +46,19 @@ func (s *notifySocket) Close() error {
+@@ -44,13 +46,19 @@ func (s *notifySocket) Close() error {
  
  // If systemd is supporting sd_notify protocol, this function will add support
  // for sd_notify protocol from within the container.
@@ -76,7 +75,7 @@ index b890b5b1c..286ce1ddd 100644
  	addr := net.UnixAddr{
  		Name: s.socketPath,
  		Net:  "unixgram",
-@@ -64,45 +73,89 @@ func (s *notifySocket) setupSocket() error {
+@@ -71,45 +79,89 @@ func (s *notifySocket) setupSocket() error {
  	return nil
  }
  
@@ -189,7 +188,7 @@ index b890b5b1c..286ce1ddd 100644
  		}
  	}
 diff --git a/signals.go b/signals.go
-index b67f65a03..dd25e094c 100644
+index b67f65a0..dd25e094 100644
 --- a/signals.go
 +++ b/signals.go
 @@ -70,6 +70,7 @@ func (h *signalHandler) forward(process *libcontainer.Process, tty *tty, detach
@@ -211,7 +210,7 @@ index b67f65a03..dd25e094c 100644
  				}
  			}
 diff --git a/start.go b/start.go
-index 2bb698b20..3a1769a43 100644
+index 2bb698b2..3a1769a4 100644
 --- a/start.go
 +++ b/start.go
 @@ -3,6 +3,7 @@ package main
@@ -242,10 +241,10 @@ index 2bb698b20..3a1769a43 100644
  			return errors.New("cannot start a container that has stopped")
  		case libcontainer.Running:
 diff --git a/utils_linux.go b/utils_linux.go
-index ce50db145..670c0fcba 100644
+index 984e6b0f..46c26246 100644
 --- a/utils_linux.go
 +++ b/utils_linux.go
-@@ -406,7 +406,9 @@ func startContainer(context *cli.Context, spec *specs.Spec, action CtAct, criuOp
+@@ -408,7 +408,9 @@ func startContainer(context *cli.Context, spec *specs.Spec, action CtAct, criuOp
  
  	notifySocket := newNotifySocket(context, os.Getenv("NOTIFY_SOCKET"), id)
  	if notifySocket != nil {
@@ -256,7 +255,7 @@ index ce50db145..670c0fcba 100644
  	}
  
  	container, err := createContainer(context, id, spec)
-@@ -415,10 +417,16 @@ func startContainer(context *cli.Context, spec *specs.Spec, action CtAct, criuOp
+@@ -417,10 +419,16 @@ func startContainer(context *cli.Context, spec *specs.Spec, action CtAct, criuOp
  	}
  
  	if notifySocket != nil {
@@ -274,3 +273,6 @@ index ce50db145..670c0fcba 100644
  	}
  
  	// Support on-demand socket activation by passing file descriptors into the container init process.
+-- 
+2.21.0
+
diff --git a/SOURCES/99-containers.conf b/SOURCES/99-containers.conf
deleted file mode 100644
index 7e2d537..0000000
--- a/SOURCES/99-containers.conf
+++ /dev/null
@@ -1 +0,0 @@
-fs.may_detach_mounts=1
diff --git a/SPECS/runc.spec b/SPECS/runc.spec
index 95e95f3..bcfab81 100644
--- a/SPECS/runc.spec
+++ b/SPECS/runc.spec
@@ -11,8 +11,8 @@
 
 %if 0%{?rhel} > 7 && ! 0%{?fedora}
 %define gobuild(o:) \
-go build -buildmode pie -compiler gc -tags="rpm_crashtraceback ${BUILDTAGS:-}" -ldflags "${LDFLAGS:-} -compressdwarf=false -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \\n') -extldflags '%__global_ldflags'" -a -v -x %{?**};
-%endif # distro
+go build -buildmode pie -compiler gc -tags="rpm_crashtraceback no_openssl ${BUILDTAGS:-}" -ldflags "${LDFLAGS:-} -compressdwarf=false -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \\n') -extldflags '%__global_ldflags'" -a -v -x %{?**};
+%endif
 
 %global provider github
 %global provider_tld com
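Review bot: The `no_openssl` tag is now hard-coded in the `%gobuild` macro with no comment in the spec, while the 1.0.0-60.rc8 changelog entry reads "enable fips mode", so a reader of the spec cannot tell whether this build is still expected to meet that requirement. The new changelog entry gives the reason (no vendored crypto in runc); stating it next to the macro keeps it visible where a later FIPS or crypto audit will look, for example `# no_openssl: runc has no vendored crypto, so the OpenSSL-backed crypto is not needed (RHELPLAN-25139)`. The exact effect of the tag depends on the distribution's Go toolchain and should be confirmed against it. Because the tag sits inside the macro rather than in `BUILDTAGS`, it applies to every `%gobuild` call in this spec.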
@@ -21,21 +21,19 @@ go build -buildmode pie -compiler gc -tags="rpm_crashtraceback ${BUILDTAGS:-}" -
 # https://github.com/opencontainers/runc
 %global import_path %{provider}.%{provider_tld}/%{project}/%{repo}
 %global git0 https://%{import_path}
-%global commit0 425e105d5a03fabd737a126ad93d62a9eeede87f
+%global commit0 d736ef14f0288d6993a1845745d6756cfc9ddd5a
 %global shortcommit0 %(c=%{commit0}; echo ${c:0:7})
 
 Name: %{repo}
 Version: 1.0.0
-Release: 60.rc8%{?dist}
+Release: 64.rc9%{?dist}
 Summary: CLI for running Open Containers
 ExcludeArch: %{ix86}
 License: ASL 2.0
 URL: %{git0}
 Source0: %{git0}/archive/%{commit0}/%{name}-%{shortcommit0}.tar.gz
-Source1: 99-containers.conf
 Patch0: 1807.patch
-# If go_compiler is not set to 1, there is no virtual provide. Use golang instead.
-BuildRequires: %{?go_compiler:compiler(go-compiler)}%{!?go_compiler:golang} >= 1.6.2
+BuildRequires: golang >= 1.12.12-4
 BuildRequires: git
 BuildRequires: go-md2man
 BuildRequires: libseccomp-devel
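Review bot: The new `BuildRequires: golang >= 1.12.12-4` floor has no comment saying why that exact build is required. The changelog only says "be sure to use golang >= 1.12.12-4", and the entry before it mentions a rebuild for CVE-2019-9512 and CVE-2019-9514, so a link between the floor and those fixes is presumably intended but is not stated. A Go binary carries the standard library of the toolchain that built it, so a one-line comment above the requirement, such as `# toolchain floor for the rebuild tracked in RHELPLAN-25139; do not lower`, would keep the floor from being relaxed by accident. Separately, `Source1: 99-containers.conf` is dropped here and no other hunk in this diff touches `%install` or `%files`, so it is worth confirming that nothing in the spec still refers to `%{SOURCE1}` or the installed sysctl file.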
@@ -61,7 +59,7 @@ popd
 pushd GOPATH/src/%{import_path}
 export GOPATH=%{gopath}:$(pwd)/GOPATH
 export BUILDTAGS="selinux seccomp"
-%gobuild -o %{name} %{import_path} 
+%gobuild -o %{name} %{import_path}
 
 pushd man
 ./md2man-all.sh
@@ -91,6 +89,24 @@ install -p -m 0644 contrib/completions/bash/%{name} %{buildroot}%{_datadir}/bash
 %{_datadir}/bash-completion/completions/%{name}
 
 %changelog
+* Wed Dec 11 2019 Jindrich Novy <jnovy@redhat.com> - 1.0.0-64.rc9
+- use no_openssl in BUILDTAGS (no vendored crypto in runc)
+- Related: RHELPLAN-25139
+
+* Mon Dec 09 2019 Jindrich Novy <jnovy@redhat.com> - 1.0.0-63.rc9
+- be sure to use golang >= 1.12.12-4
+- Related: RHELPLAN-25139
+
+* Thu Nov 28 2019 Jindrich Novy <jnovy@redhat.com> - 1.0.0-62.rc9
+- rebuild because of CVE-2019-9512 and CVE-2019-9514
+- Resolves: #1766331, #1766303
+
+* Thu Nov 21 2019 Jindrich Novy <jnovy@redhat.com> - 1.0.0-61.rc9
+- update to runc 1.0.0-rc9 release
+- amend golang deps
+- fixes CVE-2019-16884
+- Resolves: #1759651
+
 * Mon Jun 17 2019 Lokesh Mandvekar <lsm5@redhat.com> - 1.0.0-60.rc8
 - Resolves: #1721247 - enable fips mode