diff --git a/.gitignore b/.gitignore
index 3a65830..46b2346 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,5 +1,5 @@
 SOURCES/cbindgen-vendor.tar.xz
 SOURCES/nspr-4.32.0-1.el8_1.src.rpm
 SOURCES/nss-3.67.0-7.el8_1.src.rpm
-SOURCES/thunderbird-91.6.0.processed-source.tar.xz
-SOURCES/thunderbird-langpacks-91.6.0-20220207.tar.xz
+SOURCES/thunderbird-91.7.0.processed-source.tar.xz
+SOURCES/thunderbird-langpacks-91.7.0-20220308.tar.xz
diff --git a/.thunderbird.metadata b/.thunderbird.metadata
index 6f336fa..53e4f08 100644
--- a/.thunderbird.metadata
+++ b/.thunderbird.metadata
@@ -1,5 +1,5 @@
 c822547dbc12e2baebdfdfb38b665e23f0c2513a SOURCES/cbindgen-vendor.tar.xz
 b5fd1332d8e0d37339ae170c7bebcb63a40b22e0 SOURCES/nspr-4.32.0-1.el8_1.src.rpm
 8fff814901e03c2518ede2f8992d898f5ba61ed9 SOURCES/nss-3.67.0-7.el8_1.src.rpm
-5f4f619a433c7abc51733215a128dbc7ddb5be0c SOURCES/thunderbird-91.6.0.processed-source.tar.xz
-fe71530869aeb1b6039e0ae4dfc13498c2035560 SOURCES/thunderbird-langpacks-91.6.0-20220207.tar.xz
+0d9dea815661a0ad101d2fd758be855a542f2797 SOURCES/thunderbird-91.7.0.processed-source.tar.xz
+eab467b27d7ff768518cbb6ee38cc8b1ab793920 SOURCES/thunderbird-langpacks-91.7.0-20220308.tar.xz
diff --git a/README.debrand b/README.debrand
deleted file mode 100644
index 01c46d2..0000000
--- a/README.debrand
+++ /dev/null
@@ -1,2 +0,0 @@
-Warning: This package was configured for automatic debranding, but the changes
-failed to apply.
diff --git a/SOURCES/expat-CVE-2022-25235.patch b/SOURCES/expat-CVE-2022-25235.patch
new file mode 100644
index 0000000..ac495b1
--- /dev/null
+++ b/SOURCES/expat-CVE-2022-25235.patch
@@ -0,0 +1,49 @@
+diff -up thunderbird-91.7.0/parser/expat/lib/xmltok.c.expat-CVE-2022-25235 thunderbird-91.7.0/parser/expat/lib/xmltok.c
+--- thunderbird-91.7.0/parser/expat/lib/xmltok.c.expat-CVE-2022-25235	2022-03-02 17:57:38.364361168 +0100
++++ thunderbird-91.7.0/parser/expat/lib/xmltok.c	2022-03-02 17:58:22.235512399 +0100
+@@ -65,13 +65,6 @@
+                       + ((((byte)[2]) >> 5) & 1)] \
+          & (1u << (((byte)[2]) & 0x1F)))
+ 
+-#define UTF8_GET_NAMING(pages, p, n) \
+-  ((n) == 2 \
+-  ? UTF8_GET_NAMING2(pages, (const unsigned char *)(p)) \
+-  : ((n) == 3 \
+-     ? UTF8_GET_NAMING3(pages, (const unsigned char *)(p)) \
+-     : 0))
+-
+ /* Detection of invalid UTF-8 sequences is based on Table 3.1B
+    of Unicode 3.2: http://www.unicode.org/unicode/reports/tr28/
+    with the additional restriction of not allowing the Unicode
+diff -up thunderbird-91.7.0/parser/expat/lib/xmltok_impl.c.expat-CVE-2022-25235 thunderbird-91.7.0/parser/expat/lib/xmltok_impl.c
+--- thunderbird-91.7.0/parser/expat/lib/xmltok_impl.c.expat-CVE-2022-25235	2022-03-02 17:57:38.365361172 +0100
++++ thunderbird-91.7.0/parser/expat/lib/xmltok_impl.c	2022-03-02 18:04:51.240853247 +0100
+@@ -34,7 +34,7 @@
+    case BT_LEAD ## n: \
+      if (end - ptr < n) \
+        return XML_TOK_PARTIAL_CHAR; \
+-     if (!IS_NAME_CHAR(enc, ptr, n)) { \
++     if (IS_INVALID_CHAR(enc, ptr, n) || ! IS_NAME_CHAR(enc, ptr, n)) { \
+        *nextTokPtr = ptr; \
+        return XML_TOK_INVALID; \
+      } \
+@@ -62,7 +62,7 @@
+    case BT_LEAD ## n: \
+      if (end - ptr < n) \
+        return XML_TOK_PARTIAL_CHAR; \
+-     if (!IS_NMSTRT_CHAR(enc, ptr, n)) { \
++     if (IS_INVALID_CHAR(enc, ptr, n) || ! IS_NMSTRT_CHAR(enc, ptr, n)) { \
+        *nextTokPtr = ptr; \
+        return XML_TOK_INVALID; \
+      } \
+@@ -1090,6 +1090,10 @@ PREFIX(prologTok)(const ENCODING *enc, c
+   case BT_LEAD ## n: \
+     if (end - ptr < n) \
+       return XML_TOK_PARTIAL_CHAR; \
++    if (IS_INVALID_CHAR(enc, ptr, n)) {                                        \
++      *nextTokPtr = ptr;                                                       \
++      return XML_TOK_INVALID;                                                  \
++    }                                                                          \
+     if (IS_NMSTRT_CHAR(enc, ptr, n)) { \
+       ptr += n; \
+       tok = XML_TOK_NAME; \
diff --git a/SOURCES/expat-CVE-2022-25236.patch b/SOURCES/expat-CVE-2022-25236.patch
new file mode 100644
index 0000000..84cafd2
--- /dev/null
+++ b/SOURCES/expat-CVE-2022-25236.patch
@@ -0,0 +1,40 @@
+diff -up thunderbird-91.7.0/parser/expat/lib/xmlparse.c.expat-CVE-2022-25236 thunderbird-91.7.0/parser/expat/lib/xmlparse.c
+--- thunderbird-91.7.0/parser/expat/lib/xmlparse.c.expat-CVE-2022-25236	2022-03-02 18:08:40.085642028 +0100
++++ thunderbird-91.7.0/parser/expat/lib/xmlparse.c	2022-03-02 18:13:31.838667958 +0100
+@@ -700,8 +700,7 @@ XML_ParserCreate(const XML_Char *encodin
+ XML_Parser XMLCALL
+ XML_ParserCreateNS(const XML_Char *encodingName, XML_Char nsSep)
+ {
+-  XML_Char tmp[2];
+-  *tmp = nsSep;
++  XML_Char tmp[2] = {nsSep, 0};
+   return XML_ParserCreate_MM(encodingName, NULL, tmp);
+ }
+ #endif
+@@ -1276,8 +1275,7 @@ XML_ExternalEntityParserCreate(XML_Parse
+      would be otherwise.
+   */
+   if (ns) {
+-    XML_Char tmp[2];
+-    *tmp = namespaceSeparator;
++    XML_Char tmp[2] = {parser->m_namespaceSeparator, 0};
+     parser = parserCreate(encodingName, &parser->m_mem, tmp, newDtd);
+   }
+   else {
+@@ -3667,6 +3665,16 @@ addBinding(XML_Parser parser, PREFIX *pr
+     if (!mustBeXML && isXMLNS
+         && (len > xmlnsLen || uri[len] != xmlnsNamespace[len]))
+       isXMLNS = XML_FALSE;
++    // NOTE: While Expat does not validate namespace URIs against RFC 3986,
++    //       we have to at least make sure that the XML processor on top of
++    //       Expat (that is splitting tag names by namespace separator into
++    //       2- or 3-tuples (uri-local or uri-local-prefix)) cannot be confused
++    //       by an attacker putting additional namespace separator characters
++    //       into namespace declarations.  That would be ambiguous and not to
++    //       be expected.
++    if (parser->m_ns && (uri[len] == parser->m_namespaceSeparator)) {
++      return XML_ERROR_SYNTAX;
++    }
+   }
+   isXML = isXML && len == xmlLen;
+   isXMLNS = isXMLNS && len == xmlnsLen;
diff --git a/SOURCES/expat-CVE-2022-25315.patch b/SOURCES/expat-CVE-2022-25315.patch
new file mode 100644
index 0000000..4d4efb7
--- /dev/null
+++ b/SOURCES/expat-CVE-2022-25315.patch
@@ -0,0 +1,24 @@
+diff -up thunderbird-91.7.0/parser/expat/lib/xmlparse.c.expat-CVE-2022-25315 thunderbird-91.7.0/parser/expat/lib/xmlparse.c
+--- thunderbird-91.7.0/parser/expat/lib/xmlparse.c.expat-CVE-2022-25315	2022-03-02 18:17:50.966583254 +0100
++++ thunderbird-91.7.0/parser/expat/lib/xmlparse.c	2022-03-02 18:19:27.636924735 +0100
+@@ -2479,6 +2479,7 @@ storeRawNames(XML_Parser parser)
+   while (tag) {
+     int bufSize;
+     int nameLen = sizeof(XML_Char) * (tag->name.strLen + 1);
++    size_t rawNameLen;
+     char *rawNameBuf = tag->buf + nameLen;
+     /* Stop if already stored.  Since tagStack is a stack, we can stop
+        at the first entry that has already been copied; everything
+@@ -2490,7 +2491,11 @@ storeRawNames(XML_Parser parser)
+     /* For re-use purposes we need to ensure that the
+        size of tag->buf is a multiple of sizeof(XML_Char).
+     */
+-    bufSize = nameLen + ROUND_UP(tag->rawNameLength, sizeof(XML_Char));
++    rawNameLen = ROUND_UP(tag->rawNameLength, sizeof(XML_Char));
++    /* Detect and prevent integer overflow. */
++    if (rawNameLen > (size_t)INT_MAX - nameLen)
++      return XML_FALSE;
++    bufSize = nameLen + (int)rawNameLen;
+     if (bufSize > tag->bufEnd - tag->buf) {
+       char *temp = (char *)REALLOC(tag->buf, bufSize);
+       if (temp == NULL)
diff --git a/SPECS/thunderbird.spec b/SPECS/thunderbird.spec
index d0dcebb..2294f33 100644
--- a/SPECS/thunderbird.spec
+++ b/SPECS/thunderbird.spec
@@ -128,8 +128,8 @@ end}
 %global build_langpacks         1
 Summary:        Mozilla Thunderbird mail/newsgroup client
 Name:           thunderbird
-Version:        91.6.0
-Release:        1%{?dist}
+Version:        91.7.0
+Release:        2%{?dist}
 URL:            http://www.mozilla.org/projects/thunderbird/
 License:        MPLv1.1 or GPLv2+ or LGPLv2+
 Group:          Applications/Internet
@@ -155,7 +155,7 @@ ExcludeArch:    aarch64 s390 ppc
 # Link to official tarball: https://archive.mozilla.org/pub/thunderbird/releases/%%{version}%%{?pre_version}/source/thunderbird-%%{version}%%{?pre_version}.source.tar.xz
 Source0:        thunderbird-%{version}%{?pre_version}.processed-source.tar.xz
 %if %{build_langpacks}
-Source1:        thunderbird-langpacks-%{version}%{?ext_version}-20220207.tar.xz
+Source1:        thunderbird-langpacks-%{version}%{?ext_version}-20220308.tar.xz
 %endif
 Source2:        cbindgen-vendor.tar.xz
 Source3:        get-calendar-langpacks.sh
@@ -203,6 +203,9 @@ Patch512:        mozilla-bmo849632.patch
 Patch513:        mozilla-bmo998749.patch
 Patch514:        mozilla-s390x-skia-gradient.patch
 Patch515:        mozilla-bmo1626236.patch
+Patch516:        expat-CVE-2022-25235.patch
+Patch517:        expat-CVE-2022-25236.patch
+Patch518:        expat-CVE-2022-25315.patch
 
 %if %{?system_nss}
 %if !0%{?bundle_nss}
@@ -429,6 +432,9 @@ echo "use_rustts            %{?use_rustts}"
 %patch513 -p1 -b .mozilla-bmo998749
 %patch514 -p1 -b .mozilla-s390x-skia-gradient
 %patch515 -p1 -b .mozilla-bmo1626236
+%patch516 -p1 -b .expat-CVE-2022-25235
+%patch517 -p1 -b .expat-CVE-2022-25236
+%patch518 -p1 -b .expat-CVE-2022-25315
 %patch237 -p1 -b .disable-openpgp-in-thunderbird
 
 
@@ -869,9 +875,9 @@ ls %{_buildrootdir}
 export MACH_USE_SYSTEM_PYTHON=1
 %if 0%{?use_llvmts}
   #scl enable llvm-toolset-%{llvm_version} './mach build -v'
-  ./mach build -v
+  ./mach build -v || exit 1
 %else
-  ./mach build -v
+  ./mach build -v || exit 1
 %endif
 # Look for the reason we get: /usr/lib/rpm/debugedit: canonicalization unexpectedly shrank by one character
 readelf -wl objdir/dist/bin/libxul.so | grep "/"
@@ -1118,8 +1124,11 @@ gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || :
 #===============================================================================
 
 %changelog
-* Mon Mar 07 2022 CentOS Sources <bugs@centos.org> - 91.6.0-1.el8.centos
-- Apply debranding changes
+* Tue Mar 08 2022 Eike Rathke <erack@redhat.com> - 91.7.0-2
+- Update to 91.7.0 build2
+
+* Thu Mar 03 2022 Eike Rathke <erack@redhat.com> - 91.7.0-1
+- Update to 91.7.0 build1
 
 * Mon Feb 07 2022 Eike Rathke <erack@redhat.com> - 91.6.0-1
 - Update to 91.6.0 build1