diff --git a/SOURCES/0659-sd-event-take-ref-on-event-loop-object-before-dispat.patch b/SOURCES/0659-sd-event-take-ref-on-event-loop-object-before-dispat.patch
new file mode 100644
index 0000000..d726221
--- /dev/null
+++ b/SOURCES/0659-sd-event-take-ref-on-event-loop-object-before-dispat.patch
@@ -0,0 +1,32 @@
+From 814da05c68d9e892c1f89585cc07c6a0330f3e37 Mon Sep 17 00:00:00 2001
+From: Michal Sekletar <msekleta@redhat.com>
+Date: Wed, 8 Sep 2021 15:42:11 +0200
+Subject: [PATCH] sd-event: take ref on event loop object before dispatching
+ event sources
+
+Idea is that all public APIs should take reference on objects that get
+exposed to user-provided callbacks. We take the reference as a
+protection from callbacks dropping it. We used to do this also here in
+sd_event_loop(). However, in cleanup portion of f814c871e6 this was
+accidentally dropped.
+
+(cherry picked from commit 9f6ef467818f902fe5369c8e37a39a3901bdcf4f)
+
+Resolves: #2024903
+---
+ src/libsystemd/sd-event/sd-event.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/libsystemd/sd-event/sd-event.c b/src/libsystemd/sd-event/sd-event.c
+index f78da00c3a..47cf93b3f4 100644
+--- a/src/libsystemd/sd-event/sd-event.c
++++ b/src/libsystemd/sd-event/sd-event.c
+@@ -3838,7 +3838,7 @@ _public_ int sd_event_loop(sd_event *e) {
+ assert_return(!event_pid_changed(e), -ECHILD);
+ assert_return(e->state == SD_EVENT_INITIAL, -EBUSY);
+
+- _unused_ _cleanup_(sd_event_unrefp) sd_event *ref = NULL;
++ _unused_ _cleanup_(sd_event_unrefp) sd_event *ref = sd_event_ref(e);
+
+ while (e->state != SD_EVENT_FINISHED) {
+ r = sd_event_run(e, (uint64_t) -1);
diff --git a/SOURCES/0660-pid1-fix-free-of-uninitialized-pointer-in-unit_fail_.patch b/SOURCES/0660-pid1-fix-free-of-uninitialized-pointer-in-unit_fail_.patch
new file mode 100644
index 0000000..9566337
--- /dev/null
+++ b/SOURCES/0660-pid1-fix-free-of-uninitialized-pointer-in-unit_fail_.patch
@@ -0,0 +1,28 @@
+From b526b7636961ca3d303a6965879b3575e4cc293b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Fri, 14 Dec 2018 08:16:31 +0100
+Subject: [PATCH] pid1: fix free of uninitialized pointer in
+ unit_fail_if_noncanonical()
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1653068
+
+(cherry picked from commit 58d9d89b4b41189bdcea86c2ad5cf708b7d54aca)
+
+Related: #2024903
+---
+ src/core/unit.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/core/unit.c b/src/core/unit.c
+index 93c13e58d9..152a860d08 100644
+--- a/src/core/unit.c
++++ b/src/core/unit.c
+@@ -4785,7 +4785,7 @@ void unit_warn_if_dir_nonempty(Unit *u, const char* where) {
+ }
+
+ int unit_fail_if_noncanonical(Unit *u, const char* where) {
+- _cleanup_free_ char *canonical_where;
++ _cleanup_free_ char *canonical_where = NULL;
+ int r;
+
+ assert(u);
diff --git a/SOURCES/0661-Disable-iptables-for-CI.patch b/SOURCES/0661-Disable-iptables-for-CI.patch
new file mode 100644
index 0000000..be22077
--- /dev/null
+++ b/SOURCES/0661-Disable-iptables-for-CI.patch
@@ -0,0 +1,24 @@
+From 5e081bdfe3711a812c0f2448a14909b0c518d808 Mon Sep 17 00:00:00 2001
+From: David Tardon <dtardon@redhat.com>
+Date: Wed, 13 Oct 2021 10:01:59 +0200
+Subject: [PATCH] Disable iptables for CI
+
+(cherry picked from commit ffd20a699280a4732d0fe4cddafe12ee8010ddb6)
+
+Related: #2024903
+---
+ .github/workflows/unit_tests.sh | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/.github/workflows/unit_tests.sh b/.github/workflows/unit_tests.sh
+index ad4584ec1d..36363603db 100755
+--- a/.github/workflows/unit_tests.sh
++++ b/.github/workflows/unit_tests.sh
+@@ -92,7 +92,6 @@ SYSTEMD_BUILD_DEPS=(
+ gnutls-devel
+ gobject-introspection-devel
+ gperf
+- iptables-devel
+ kmod-devel
+ libacl-devel
+ libblkid-devel
diff --git a/SOURCES/0662-test-seccomp-accept-ENOSYS-from-sysctl-2-too.patch b/SOURCES/0662-test-seccomp-accept-ENOSYS-from-sysctl-2-too.patch
new file mode 100644
index 0000000..138bc42
--- /dev/null
+++ b/SOURCES/0662-test-seccomp-accept-ENOSYS-from-sysctl-2-too.patch
@@ -0,0 +1,27 @@
+From 307930f1c7e7588e6cfdc413147c5fc615ae73de Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Tue, 22 Sep 2020 19:05:17 +0200
+Subject: [PATCH] test-seccomp: accept ENOSYS from sysctl(2) too
+
+It seems that kernel 5.9 started returning that.
+
+(cherry picked from commit 0af05e485a3a88f454c714901eb6109307dc893e)
+
+Related: #2024903
+---
+ src/test/test-seccomp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/test/test-seccomp.c b/src/test/test-seccomp.c
+index 5eb1c78b8b..6ec04c4c55 100644
+--- a/src/test/test-seccomp.c
++++ b/src/test/test-seccomp.c
+@@ -239,7 +239,7 @@ static void test_protect_sysctl(void) {
+ if (pid == 0) {
+ #if defined __NR__sysctl && __NR__sysctl >= 0
+ assert_se(syscall(__NR__sysctl, NULL) < 0);
+- assert_se(errno == EFAULT);
++ assert_se(IN_SET(errno, EFAULT, ENOSYS));
+ #endif
+
+ assert_se(seccomp_protect_sysctl() >= 0);
diff --git a/SOURCES/0663-Disable-libpitc-to-fix-CentOS-Stream-CI.patch b/SOURCES/0663-Disable-libpitc-to-fix-CentOS-Stream-CI.patch
new file mode 100644
index 0000000..fd6f0ec
--- /dev/null
+++ b/SOURCES/0663-Disable-libpitc-to-fix-CentOS-Stream-CI.patch
@@ -0,0 +1,28 @@
+From 26a1c41e771eb3b36f6f9b95ae35ce4803766e3c Mon Sep 17 00:00:00 2001
+From: David Tardon <dtardon@redhat.com>
+Date: Mon, 25 Oct 2021 15:27:27 +0200
+Subject: [PATCH] Disable libpitc to fix CentOS Stream CI
+
+We have disabled it in our spec starting with 8.5.0, so let's follow
+suit here.
+
+(cherry picked from commit b029865ef6d8b23ecdbfda4e277a3f75cb59ee94)
+
+Related: #2024903
+---
+ .github/workflows/unit_tests.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/.github/workflows/unit_tests.sh b/.github/workflows/unit_tests.sh
+index 36363603db..814870e7a0 100755
+--- a/.github/workflows/unit_tests.sh
++++ b/.github/workflows/unit_tests.sh
+@@ -50,7 +50,7 @@ CONFIGURE_OPTS=(
+ -Dgnutls=true
+ -Dmicrohttpd=true
+ -Dlibidn2=true
+- -Dlibiptc=true
++ -Dlibiptc=false
+ -Dlibcurl=true
+ -Defi=true
+ -Dtpm=true
diff --git a/SOURCES/0664-test-accept-that-char-device-0-0-can-now-be-created-.patch b/SOURCES/0664-test-accept-that-char-device-0-0-can-now-be-created-.patch
new file mode 100644
index 0000000..3645a71
--- /dev/null
+++ b/SOURCES/0664-test-accept-that-char-device-0-0-can-now-be-created-.patch
@@ -0,0 +1,52 @@
+From 5763844219e88a993d1b93653585bc68e909353c Mon Sep 17 00:00:00 2001
+From: Lennart Poettering <lennart@poettering.net>
+Date: Fri, 14 Aug 2020 21:50:55 +0200
+Subject: [PATCH] test: accept that char device 0/0 can now be created witout
+ privileges
+
+Fixes: #16721
+
+(cherry picked from commit 5b5ce6298e5a1c09beacd5c963e2350979cbf94a)
+
+Related: #2024903
+---
+ src/test/test-fs-util.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/src/test/test-fs-util.c b/src/test/test-fs-util.c
+index e3338ea440..aa32629f62 100644
+--- a/src/test/test-fs-util.c
++++ b/src/test/test-fs-util.c
+@@ -518,8 +518,8 @@ static void test_touch_file(void) {
+ assert_se(timespec_load(&st.st_mtim) == test_mtime);
+
+ if (geteuid() == 0) {
+- a = strjoina(p, "/cdev");
+- r = mknod(a, 0775 | S_IFCHR, makedev(0, 0));
++ a = strjoina(p, "/bdev");
++ r = mknod(a, 0775 | S_IFBLK, makedev(0, 0));
+ if (r < 0 && errno == EPERM && detect_container() > 0) {
+ log_notice("Running in unprivileged container? Skipping remaining tests in %s", __func__);
+ return;
+@@ -529,17 +529,17 @@ static void test_touch_file(void) {
+ assert_se(lstat(a, &st) >= 0);
+ assert_se(st.st_uid == test_uid);
+ assert_se(st.st_gid == test_gid);
+- assert_se(S_ISCHR(st.st_mode));
++ assert_se(S_ISBLK(st.st_mode));
+ assert_se((st.st_mode & 0777) == 0640);
+ assert_se(timespec_load(&st.st_mtim) == test_mtime);
+
+- a = strjoina(p, "/bdev");
+- assert_se(mknod(a, 0775 | S_IFBLK, makedev(0, 0)) >= 0);
++ a = strjoina(p, "/cdev");
++ assert_se(mknod(a, 0775 | S_IFCHR, makedev(0, 0)) >= 0);
+ assert_se(touch_file(a, false, test_mtime, test_uid, test_gid, 0640) >= 0);
+ assert_se(lstat(a, &st) >= 0);
+ assert_se(st.st_uid == test_uid);
+ assert_se(st.st_gid == test_gid);
+- assert_se(S_ISBLK(st.st_mode));
++ assert_se(S_ISCHR(st.st_mode));
+ assert_se((st.st_mode & 0777) == 0640);
+ assert_se(timespec_load(&st.st_mtim) == test_mtime);
+ }
diff --git a/SOURCES/0665-core-return-true-from-cg_is_empty-on-ENOENT.patch b/SOURCES/0665-core-return-true-from-cg_is_empty-on-ENOENT.patch
new file mode 100644
index 0000000..5d22a15
--- /dev/null
+++ b/SOURCES/0665-core-return-true-from-cg_is_empty-on-ENOENT.patch
@@ -0,0 +1,43 @@
+From bfc6e3c33b49b4f2e611e2ff151d3088055df07d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Wed, 17 Oct 2018 17:48:35 +0200
+Subject: [PATCH] core: return true from cg_is_empty* on ENOENT
+
+(cherry picked from commit 1bcf3fc6c57d92927b96cad8c739099b4ceae236)
+
+Related: #2024903
+---
+ src/basic/cgroup-util.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/src/basic/cgroup-util.c b/src/basic/cgroup-util.c
+index 992b12811a..14abe6e014 100644
+--- a/src/basic/cgroup-util.c
++++ b/src/basic/cgroup-util.c
+@@ -1177,7 +1177,7 @@ int cg_is_empty(const char *controller, const char *path) {
+
+ r = cg_enumerate_processes(controller, path, &f);
+ if (r == -ENOENT)
+- return 1;
++ return true;
+ if (r < 0)
+ return r;
+
+@@ -1207,6 +1207,8 @@ int cg_is_empty_recursive(const char *controller, const char *path) {
+ * via the "populated" attribute of "cgroup.events". */
+
+ r = cg_read_event(controller, path, "populated", &t);
++ if (r == -ENOENT)
++ return true;
+ if (r < 0)
+ return r;
+
+@@ -1221,7 +1223,7 @@ int cg_is_empty_recursive(const char *controller, const char *path) {
+
+ r = cg_enumerate_subgroups(controller, path, &d);
+ if (r == -ENOENT)
+- return 1;
++ return true;
+ if (r < 0)
+ return r;
+
diff --git a/SOURCES/0666-Do-not-fail-if-the-same-alt.-name-is-set-again.patch b/SOURCES/0666-Do-not-fail-if-the-same-alt.-name-is-set-again.patch
new file mode 100644
index 0000000..ffafa82
--- /dev/null
+++ b/SOURCES/0666-Do-not-fail-if-the-same-alt.-name-is-set-again.patch
@@ -0,0 +1,27 @@
+From 21c071fbd05d112ccd92b7a49e53bf8d38cdbd06 Mon Sep 17 00:00:00 2001
+From: David Tardon <dtardon@redhat.com>
+Date: Wed, 8 Dec 2021 09:49:24 +0100
+Subject: [PATCH] Do not fail if the same alt. name is set again
+
+This is a workaround for a kernel bug.
+
+RHEL-only
+
+Resolves: #2030027
+---
+ src/udev/net/link-config.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/udev/net/link-config.c b/src/udev/net/link-config.c
+index 5220f247f0..9046c5bd2a 100644
+--- a/src/udev/net/link-config.c
++++ b/src/udev/net/link-config.c
+@@ -526,7 +526,7 @@ int link_config_apply(link_config_ctx *ctx, link_config *config,
+ strv_uniq(altnames);
+ strv_sort(altnames);
+ r = rtnl_set_link_alternative_names(&ctx->rtnl, ifindex, altnames);
+- if (r == -EOPNOTSUPP)
++ if (IN_SET(r, -EOPNOTSUPP, -EEXIST))
+ log_debug_errno(r, "Could not set AlternativeName= or apply AlternativeNamesPolicy= on %s, ignoring: %m", old_name);
+ else if (r < 0)
+ return log_warning_errno(r, "Could not set AlternativeName= or apply AlternativeNamesPolicy= on %s: %m", old_name);
diff --git a/SOURCES/0667-meson-avoid-bogus-meson-warning.patch b/SOURCES/0667-meson-avoid-bogus-meson-warning.patch
new file mode 100644
index 0000000..4bdfec5
--- /dev/null
+++ b/SOURCES/0667-meson-avoid-bogus-meson-warning.patch
@@ -0,0 +1,38 @@
+From 0e03f2192cd80e6a4a1bf83f0238cc6d133b8475 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Thu, 7 Nov 2019 11:32:26 +0100
+Subject: [PATCH] meson: avoid bogus meson warning
+
+With meson-0.52.0-1.module_f31+6771+f5d842eb.noarch I get:
+src/test/meson.build:19: WARNING: Overriding previous value of environment variable 'PATH' with a new one
+
+When we're using *prepend*, the whole point is to modify an existing variable,
+so meson shouldn't warn. But let's set avoid the warning and shorten things by
+setting the final value immediately.
+
+(cherry picked from commit cbe804947482998cc767bfb0c169e6263a6ef097)
+
+Related: #2030027
+---
+ src/test/meson.build | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/src/test/meson.build b/src/test/meson.build
+index 7b310d4ec7..4bbc67d367 100644
+--- a/src/test/meson.build
++++ b/src/test/meson.build
+@@ -10,12 +10,11 @@ test_hashmap_ordered_c = custom_target(
+
+ test_include_dir = include_directories('.')
+
+-path = run_command('sh', ['-c', 'echo "$PATH"']).stdout()
++path = run_command('sh', ['-c', 'echo "$PATH"']).stdout().strip()
+ test_env = environment()
+ test_env.set('SYSTEMD_KBD_MODEL_MAP', kbd_model_map)
+ test_env.set('SYSTEMD_LANGUAGE_FALLBACK_MAP', language_fallback_map)
+-test_env.set('PATH', path)
+-test_env.prepend('PATH', meson.build_root())
++test_env.set('PATH', '@0@:@1@'.format(meson.build_root(), path))
+
+ ############################################################
+
diff --git a/SOURCES/0668-meson-do-not-fail-if-rsync-is-not-installed-with-mes.patch b/SOURCES/0668-meson-do-not-fail-if-rsync-is-not-installed-with-mes.patch
new file mode 100644
index 0000000..9dc08d1
--- /dev/null
+++ b/SOURCES/0668-meson-do-not-fail-if-rsync-is-not-installed-with-mes.patch
@@ -0,0 +1,54 @@
+From 112de8e094470d2a8df4f7c9b8ca62bd68c96a70 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Mon, 12 Apr 2021 14:03:32 +0200
+Subject: [PATCH] meson: do not fail if rsync is not installed with meson
+ 0.57.2
+
+https://github.com/mesonbuild/meson/issues/8641
+
+Our CI started to fail. Even if the change is reverted in meson,
+we need a quick workaround here.
+
+(cherry picked from commit 7c5fd25119a495009ea62f79e5daec34cc464628)
+
+Related: #2030027
+---
+ man/meson.build | 25 ++++++++++++++-----------
+ 1 file changed, 14 insertions(+), 11 deletions(-)
+
+diff --git a/man/meson.build b/man/meson.build
+index a953d34098..efc8836d0c 100644
+--- a/man/meson.build
++++ b/man/meson.build
+@@ -178,17 +178,20 @@ html = custom_target(
+ depends : html_pages,
+ command : ['echo'])
+
+-run_target(
+- 'doc-sync',
+- depends : man_pages + html_pages,
+- command : ['rsync', '-rlv',
+- '--delete-excluded',
+- '--include=man',
+- '--include=*.html',
+- '--exclude=*',
+- '--omit-dir-times',
+- meson.current_build_dir(),
+- get_option('www-target')])
++rsync = find_program('rsync', required : false)
++if rsync.found()
++ run_target(
++ 'doc-sync',
++ depends : man_pages + html_pages,
++ command : [rsync, '-rlv',
++ '--delete-excluded',
++ '--include=man',
++ '--include=*.html',
++ '--exclude=*',
++ '--omit-dir-times',
++ meson.current_build_dir(),
++ get_option('www-target')])
++endif
+
+ ############################################################
+
diff --git a/SPECS/systemd.spec b/SPECS/systemd.spec
index 580ef82..1ad8a84 100644
--- a/SPECS/systemd.spec
+++ b/SPECS/systemd.spec
@@ -13,7 +13,7 @@
Name: systemd
Url: http://www.freedesktop.org/wiki/Software/systemd
Version: 239
-Release: 51%{?dist}
+Release: 51%{?dist}.3
# For a breakdown of the licensing, see README
License: LGPLv2+ and MIT and GPLv2+
Summary: System and Service Manager
@@ -708,6 +708,16 @@ Patch0655: 0655-udev-do-not-try-to-reassign-alternative-names.patch
Patch0656: 0656-Fix-LGTM-build.patch
Patch0657: 0657-sd-hwdb-allow-empty-properties.patch
Patch0658: 0658-Update-hwdb.patch
+Patch0659: 0659-sd-event-take-ref-on-event-loop-object-before-dispat.patch
+Patch0660: 0660-pid1-fix-free-of-uninitialized-pointer-in-unit_fail_.patch
+Patch0661: 0661-Disable-iptables-for-CI.patch
+Patch0662: 0662-test-seccomp-accept-ENOSYS-from-sysctl-2-too.patch
+Patch0663: 0663-Disable-libpitc-to-fix-CentOS-Stream-CI.patch
+Patch0664: 0664-test-accept-that-char-device-0-0-can-now-be-created-.patch
+Patch0665: 0665-core-return-true-from-cg_is_empty-on-ENOENT.patch
+Patch0666: 0666-Do-not-fail-if-the-same-alt.-name-is-set-again.patch
+Patch0667: 0667-meson-avoid-bogus-meson-warning.patch
+Patch0668: 0668-meson-do-not-fail-if-rsync-is-not-installed-with-mes.patch
%ifarch %{ix86} x86_64 aarch64
@@ -1335,6 +1345,22 @@ fi
%files tests -f .file-list-tests
%changelog
+* Fri Dec 10 2021 systemd maintenance team <systemd-maint@redhat.com> - 239-51.3
+- Do not fail if the same alt. name is set again (#2030027)
+- meson: avoid bogus meson warning (#2030027)
+- meson: do not fail if rsync is not installed with meson 0.57.2 (#2030027)
+
+* Fri Dec 03 2021 systemd maintenance team <systemd-maint@redhat.com> - 239-51.2
+- core: return true from cg_is_empty* on ENOENT (#2024903)
+
+* Wed Dec 01 2021 systemd maintenance team <systemd-maint@redhat.com> - 239-51.1
+- sd-event: take ref on event loop object before dispatching event sources (#2024903)
+- pid1: fix free of uninitialized pointer in unit_fail_if_noncanonical() (#2024903)
+- Disable iptables for CI (#2024903)
+- test-seccomp: accept ENOSYS from sysctl(2) too (#2024903)
+- Disable libpitc to fix CentOS Stream CI (#2024903)
+- test: accept that char device 0/0 can now be created witout privileges (#2024903)
+
* Thu Sep 23 2021 systemd maintenance team <systemd-maint@redhat.com> - 239-51
- define newly needed constants (#1850986)
- sd-netlink: support IFLA_PROP_LIST and IFLA_ALT_IFNAME attributes (#1850986)