diff --git a/dovecot.spec b/dovecot.spec
index 4fdfb59..b85d60f 100644
--- a/dovecot.spec
+++ b/dovecot.spec
@@ -3,9 +3,9 @@
 Summary: Secure imap and pop3 server
 Name: dovecot
 Epoch: 1
-Version: 2.3.9.2
+Version: 2.3.9.3
 %global prever %{nil}
-Release: 2%{?dist}
+Release: 1%{?dist}
 #dovecot itself is MIT, a few sources are PD, pigeonhole is LGPLv2
 License: MIT and LGPLv2
 
@@ -500,6 +500,13 @@ make check
 %{_libdir}/%{name}/dict/libdriver_pgsql.so
 
 %changelog
+* Wed Feb 12 2020 Michal Hlavinka <mhlavink@redhat.com> - 1:2.3.9.3-1
+- dovecot updated to 2.3.9.3
+- fixes CVE-2020-7046: Truncated UTF-8 can be used to DoS
+      submission-login and lmtp processes.
+- fixes CVE-2020-7957: Specially crafted mail can crash snippet generation.
+
+
 * Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1:2.3.9.2-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
 
diff --git a/sources b/sources
index c3d0413..27cc3f5 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-SHA512 (dovecot-2.3.9.2.tar.gz) = 36e8270bfa33e2bd6aa89017e65c7d1650c494c79ff297759a4b01c026aebcfdf5b1b542d4357e1f9dc2bb8169ef67064f0699b17ca36d658deb70b4c800b253
+SHA512 (dovecot-2.3.9.3.tar.gz) = e39dc825a03f009928b67d01747bb70487fbec155e6be5109037db67b78301aa761db432f7355e96d927abf30c68f0116a5f2cf518b9eebf7f5c7806ac00ae41
 SHA512 (dovecot-2.3-pigeonhole-0.5.9.tar.gz) = 1b8d2ac8d3985dde035fc45df519788a924ba971f3e39717f5196ea56a982d4156226586d0a964473525d086967883ea52f2e624e81f7035cb0952b76f2414d8