diff --git a/bind-9.16-CVE-2020-8625.patch b/bind-9.16-CVE-2020-8625.patch
new file mode 100644
index 0000000..ce92a48
--- /dev/null
+++ b/bind-9.16-CVE-2020-8625.patch
@@ -0,0 +1,45 @@
+From b04cb88462863d762093760ffcfe1946200e30f5 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
+Date: Thu, 7 Jan 2021 10:44:46 +0100
+Subject: [PATCH] Fix off-by-one bug in ISC SPNEGO implementation
+
+The ISC SPNEGO implementation is based on mod_auth_kerb code.  When
+CVE-2006-5989 was disclosed, the relevant fix was not applied to the
+BIND 9 codebase, making the latter vulnerable to the aforementioned flaw
+when "tkey-gssapi-keytab" or "tkey-gssapi-credential" is set in
+named.conf.
+
+The original description of CVE-2006-5989 was:
+
+    Off-by-one error in the der_get_oid function in mod_auth_kerb 5.0
+    allows remote attackers to cause a denial of service (crash) via a
+    crafted Kerberos message that triggers a heap-based buffer overflow
+    in the component array.
+
+Later research revealed that this flaw also theoretically enables remote
+code execution, though achieving the latter in real-world conditions is
+currently deemed very difficult.
+
+This vulnerability was responsibly reported as ZDI-CAN-12302 ("ISC BIND
+TKEY Query Heap-based Buffer Overflow Remote Code Execution
+Vulnerability") by Trend Micro Zero Day Initiative.
+---
+ lib/dns/spnego.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/dns/spnego.c b/lib/dns/spnego.c
+index e61d1c600f..753dc8049f 100644
+--- a/lib/dns/spnego.c
++++ b/lib/dns/spnego.c
+@@ -848,7 +848,7 @@ der_get_oid(const unsigned char *p, size_t len, oid *data, size_t *size) {
+ 		return (ASN1_OVERRUN);
+ 	}
+ 
+-	data->components = malloc(len * sizeof(*data->components));
++	data->components = malloc((len + 1) * sizeof(*data->components));
+ 	if (data->components == NULL) {
+ 		return (ENOMEM);
+ 	}
+-- 
+2.26.2
+
diff --git a/bind.spec b/bind.spec
index 946f8db..9f89fea 100644
--- a/bind.spec
+++ b/bind.spec
@@ -19,7 +19,8 @@
 # New MaxMind GeoLite support
 %bcond_without GEOIP2
 %if 0%{?fedora} >= 28
-%bcond_without UNITTEST
+# Disabled temporarily until kyua is fixed on rawhide, bug #1926779
+%bcond_with UNITTEST
 %bcond_without DNSTAP
 %bcond_without LMDB
 %bcond_without DOC
@@ -66,7 +67,7 @@ Summary:  The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv
 Name:     bind
 License:  MPLv2.0
 Version:  9.16.11
-Release:  2%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}
+Release:  5%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}
 Epoch:    32
 Url:      https://www.isc.org/downloads/bind/
 #
@@ -120,6 +121,8 @@ Patch170:bind-9.11-feature-test-named.patch
 Patch171:bind-9.11-tests-variants.patch
 # https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/4582
 Patch172:bind-9.16-unit-tests-multicore.patch
+# https://gitlab.isc.org/isc-projects/bind9/commit/b04cb88462863d762093760ffcfe1946200e30f5
+Patch173:bind-9.16-CVE-2020-8625.patch
 
 Requires(post):   systemd
 Requires(preun):  systemd
@@ -434,6 +437,7 @@ in HTML and PDF format.
 %patch170 -p1 -b .featuretest-named
 %patch171 -p1 -b .test-variant
 %patch172 -p1 -b .multicore
+%patch173 -p1 -b .CVE-2020-8625
 
 %if %{with PKCS11}
 %patch135 -p1 -b .config-pkcs11
@@ -598,15 +602,18 @@ export TSAN_OPTIONS="log_exe_name=true log_path=ThreadSanitizer exitcode=0"
 
 %if %{with UNITTEST}
   pushd build
-  ORIGFILES=$(ulimit -n)
-  ulimit -n 4096 # Requires on some machines with many cores
+  CPUS=$(lscpu -p=cpu,core | grep -v '^#' | wc -l)
+  if [ "$CPUS" -gt 16 ]; then
+    ORIGFILES=$(ulimit -n)
+    ulimit -n 4096 || : # Requires on some machines with many cores
+  fi
   make unit
   e=$?
   if [ "$e" -ne 0 ]; then
     echo "ERROR: this build of BIND failed 'make unit'. Aborting."
     exit $e;
   fi;
-  ulimit -n $ORIGFILES
+  [ "$CPUS" -gt 16 ] && ulimit -n $ORIGFILES || :
   popd
 ## End of UNITTEST
 %endif
@@ -932,6 +939,7 @@ fi;
 %exclude %{_libdir}/named/dlz_*.so
 %config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/sysconfig/named
 %config(noreplace) %attr(0644,root,named) %{_sysconfdir}/named.root.key
+%config(noreplace) %{_sysconfdir}/logrotate.d/named
 %{_tmpfilesdir}/named.conf
 %{_sysconfdir}/rwtab.d/named
 %{_unitdir}/named.service
@@ -978,7 +986,6 @@ fi;
 %ghost %config(noreplace) %{_sysconfdir}/rndc.conf
 # ^- The default rndc.conf which uses rndc.key is in named's default internal config -
 #    so rndc.conf is not necessary.
-%config(noreplace) %{_sysconfdir}/logrotate.d/named
 %defattr(-,named,named,-)
 %dir /run/named
 
@@ -1161,6 +1168,15 @@ fi;
 %endif
 
 %changelog
+* Fri Feb 26 2021 Petr Menšík <pemensik@redhat.com> - 32:9.16.11-5
+- Make logrotate.d world-readable (#1917061)
+
+* Mon Feb 22 2021 Petr Menšík <pemensik@redhat.com> - 32:9.16.11-4
+- Fix off-by-one bug in ISC SPNEGO implementation (#1929965)
+
+* Mon Feb 08 2021 Pavel Raiskup <praiskup@redhat.com> - 32:9.16.11-3
+- rebuild for libpq ABI fix rhbz#1908268
+
 * Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 32:9.16.11-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild