diff --git a/.fence-agents.metadata b/.fence-agents.metadata
index 2fb1c64..c86696d 100644
--- a/.fence-agents.metadata
+++ b/.fence-agents.metadata
@@ -20,7 +20,7 @@ f6efa66f6106b069b5c0e0cf8cc677e4e96c91ca SOURCES/oauthlib-3.1.1.tar.gz
 bccbc1bf76a9db46998eb8e1ffa2f2a2baf9237a SOURCES/packaging-21.2-py3-none-any.whl
 e0fa19f8fda46a1fa2253477499b116b33f67175 SOURCES/pyasn1-0.4.8.tar.gz
 43b89feb6864fe359aae89120627165219de313b SOURCES/pyasn1-modules-0.2.8.tar.gz
-326a73f58a62ebee00c11a12cfdd838b196e0e8e SOURCES/pycryptodome-3.6.4.tar.gz
+c55d177e9484d974c95078d4ae945f89ba2c7251 SOURCES/pycryptodome-3.20.0.tar.gz
 c8307f47e3b75a2d02af72982a2dfefa3f56e407 SOURCES/pyparsing-2.4.7-py2.py3-none-any.whl
 c2ba10c775b7a52a4b57cac4d4110a0c0f812a82 SOURCES/python-dateutil-2.8.2.tar.gz
 1dc2fa004aa6517f1620e55d8a7b8e68a9cf2a47 SOURCES/python-string-utils-1.0.0.tar.gz
@@ -33,5 +33,5 @@ d5354718cb8c9330d3abc27445467ce8a5ed9d70 SOURCES/setuptools-58.3.0.tar.gz
 a4f02fddae697614e356cadfddb6241cc7737f38 SOURCES/setuptools_scm-6.3.2.tar.gz
 06fa0bb50f2a4e2917fd14c21e9d2d5508ce0163 SOURCES/six-1.16.0.tar.gz
 b42b7960047441db7dc021cc20e14279bd836f8d SOURCES/tomli-1.0.1.tar.gz
-eb35c3fd8b0867ae988a15917d6b80e8bdf60222 SOURCES/urllib3-1.26.7.tar.gz
+84e2852d8da1655373f7ce5e7d5d3e256b62b4e4 SOURCES/urllib3-1.26.18.tar.gz
 540f083782c584989c1a0f69ffd69ba7aae07db6 SOURCES/websocket-client-1.2.1.tar.gz
diff --git a/.gitignore b/.gitignore
index 6c996d9..81347c1 100644
--- a/.gitignore
+++ b/.gitignore
@@ -20,7 +20,7 @@ SOURCES/openshift-0.12.1.tar.gz
 SOURCES/packaging-21.2-py3-none-any.whl
 SOURCES/pyasn1-0.4.8.tar.gz
 SOURCES/pyasn1-modules-0.2.8.tar.gz
-SOURCES/pycryptodome-3.6.4.tar.gz
+SOURCES/pycryptodome-3.20.0.tar.gz
 SOURCES/pyparsing-2.4.7-py2.py3-none-any.whl
 SOURCES/python-dateutil-2.8.2.tar.gz
 SOURCES/python-string-utils-1.0.0.tar.gz
@@ -33,5 +33,5 @@ SOURCES/setuptools-58.3.0.tar.gz
 SOURCES/setuptools_scm-6.3.2.tar.gz
 SOURCES/six-1.16.0.tar.gz
 SOURCES/tomli-1.0.1.tar.gz
-SOURCES/urllib3-1.26.7.tar.gz
+SOURCES/urllib3-1.26.18.tar.gz
 SOURCES/websocket-client-1.2.1.tar.gz
diff --git a/SOURCES/RHEL-11988-1-kubevirt-fix-bundled-urllib3-CVE-2023-43804.patch b/SOURCES/RHEL-11988-1-kubevirt-fix-bundled-urllib3-CVE-2023-43804.patch
deleted file mode 100644
index e47342d..0000000
--- a/SOURCES/RHEL-11988-1-kubevirt-fix-bundled-urllib3-CVE-2023-43804.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-From 644124ecd0b6e417c527191f866daa05a5a2056d Mon Sep 17 00:00:00 2001
-From: Quentin Pradet <quentin.pradet@gmail.com>
-Date: Mon, 2 Oct 2023 19:46:16 +0400
-Subject: [PATCH] Merge pull request from GHSA-v845-jxx5-vc9f
-
----
- CHANGES.rst                               |  5 ++++
- docs/user-guide.rst                       |  3 +++
- src/urllib3/util/retry.py                 |  2 +-
- test/test_retry.py                        |  4 +--
- test/with_dummyserver/test_poolmanager.py | 30 ++++++++++++++++++-----
- 5 files changed, 35 insertions(+), 9 deletions(-)
-
-diff --git a/src/urllib3/util/retry.py b/src/urllib3/util/retry.py
-index ea48afe3ca..7572bfd26a 100644
---- a/kubevirt/urllib3/util/retry.py
-+++ b/kubevirt/urllib3/util/retry.py
-@@ -187,7 +187,7 @@ class Retry:
-     RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503])
- 
-     #: Default headers to be used for ``remove_headers_on_redirect``
--    DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Authorization"])
-+    DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Cookie", "Authorization"])
- 
-     #: Maximum backoff time.
-     BACKOFF_MAX = 120
diff --git a/SOURCES/RHEL-11988-2-aws-fix-bundled-urllib3-CVE-2023-43804.patch b/SOURCES/RHEL-11988-2-aws-fix-bundled-urllib3-CVE-2023-43804.patch
deleted file mode 100644
index 809237b..0000000
--- a/SOURCES/RHEL-11988-2-aws-fix-bundled-urllib3-CVE-2023-43804.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-From 644124ecd0b6e417c527191f866daa05a5a2056d Mon Sep 17 00:00:00 2001
-From: Quentin Pradet <quentin.pradet@gmail.com>
-Date: Mon, 2 Oct 2023 19:46:16 +0400
-Subject: [PATCH] Merge pull request from GHSA-v845-jxx5-vc9f
-
----
- CHANGES.rst                               |  5 ++++
- docs/user-guide.rst                       |  3 +++
- src/urllib3/util/retry.py                 |  2 +-
- test/test_retry.py                        |  4 +--
- test/with_dummyserver/test_poolmanager.py | 30 ++++++++++++++++++-----
- 5 files changed, 35 insertions(+), 9 deletions(-)
-
-diff --git a/src/urllib3/util/retry.py b/src/urllib3/util/retry.py
-index ea48afe3ca..7572bfd26a 100644
---- a/aws/urllib3/util/retry.py
-+++ b/aws/urllib3/util/retry.py
-@@ -187,7 +187,7 @@ class Retry:
-     RETRY_AFTER_STATUS_CODES = frozenset([413, 429, 503])
- 
-     #: Default headers to be used for ``remove_headers_on_redirect``
--    DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Authorization"])
-+    DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset(["Cookie", "Authorization"])
- 
-     #: Maximum backoff time.
-     BACKOFF_MAX = 120
diff --git a/SOURCES/RHEL-22179-kubevirt-fix-bundled-jinja2-CVE-2024-22195.patch b/SOURCES/RHEL-22179-kubevirt-fix-bundled-jinja2-CVE-2024-22195.patch
new file mode 100644
index 0000000..cdc3fb8
--- /dev/null
+++ b/SOURCES/RHEL-22179-kubevirt-fix-bundled-jinja2-CVE-2024-22195.patch
@@ -0,0 +1,63 @@
+From 7dd3680e6eea0d77fde024763657aa4d884ddb23 Mon Sep 17 00:00:00 2001
+From: Calum Hutton <calum.hutton@snyk.io>
+Date: Thu, 26 Oct 2023 12:08:53 +0100
+Subject: [PATCH] xmlattr filter disallows keys with spaces
+
+---
+ CHANGES.rst           |  1 +
+ src/jinja2/filters.py | 28 +++++++++++++++++++++-------
+ tests/test_filters.py |  6 ++++++
+ 3 files changed, 28 insertions(+), 7 deletions(-)
+
+diff --git a/src/jinja2/filters.py b/src/jinja2/filters.py
+index ed07c4c0e..c7ecc9bb6 100644
+--- a/kubevirt/jinja2/filters.py
++++ b/kubevirt/jinja2/filters.py
+@@ -248,13 +248,17 @@ def do_items(value: t.Union[t.Mapping[K, V], Undefined]) -> t.Iterator[t.Tuple[K
+     yield from value.items()
+ 
+ 
++_space_re = re.compile(r"\s", flags=re.ASCII)
++
++
+ @pass_eval_context
+ def do_xmlattr(
+     eval_ctx: "EvalContext", d: t.Mapping[str, t.Any], autospace: bool = True
+ ) -> str:
+     """Create an SGML/XML attribute string based on the items in a dict.
+-    All values that are neither `none` nor `undefined` are automatically
+-    escaped:
++
++    If any key contains a space, this fails with a ``ValueError``. Values that
++    are neither ``none`` nor ``undefined`` are automatically escaped.
+ 
+     .. sourcecode:: html+jinja
+ 
+@@ -273,12 +277,22 @@ def do_xmlattr(
+ 
+     As you can see it automatically prepends a space in front of the item
+     if the filter returned something unless the second parameter is false.
++
++    .. versionchanged:: 3.1.3
++        Keys with spaces are not allowed.
+     """
+-    rv = " ".join(
+-        f'{escape(key)}="{escape(value)}"'
+-        for key, value in d.items()
+-        if value is not None and not isinstance(value, Undefined)
+-    )
++    items = []
++
++    for key, value in d.items():
++        if value is None or isinstance(value, Undefined):
++            continue
++
++        if _space_re.search(key) is not None:
++            raise ValueError(f"Spaces are not allowed in attributes: '{key}'")
++
++        items.append(f'{escape(key)}="{escape(value)}"')
++
++    rv = " ".join(items)
+ 
+     if autospace and rv:
+         rv = " " + rv
diff --git a/SPECS/fence-agents.spec b/SPECS/fence-agents.spec
index 8991bd3..083d1de 100644
--- a/SPECS/fence-agents.spec
+++ b/SPECS/fence-agents.spec
@@ -11,7 +11,7 @@
 # alibaba
 # python-pycryptodome bundle
 %global pycryptodome		pycryptodome
-%global pycryptodome_version	3.6.4
+%global pycryptodome_version	3.20.0
 %global pycryptodome_dir	%{bundled_lib_dir}/aliyun/%{pycryptodome}
 # python-aliyun-sdk-core bundle
 %global aliyunsdkcore		aliyun-python-sdk-core
@@ -59,10 +59,10 @@
 %global pyyaml_version		6.0
 %global six			six
 %global six_version		1.16.0
-%global urllib3			urllib3
-%global urllib3_version		1.26.7
-%global websocketclient		websocket-client
-%global websocketclient_version	1.2.1
+%global urllib3 		urllib3
+%global urllib3_version 	1.26.18
+%global websocketclient 	websocket-client
+%global websocketclient_version 1.2.1
 %global jinja2			Jinja2
 %global jinja2_version		3.0.2
 %global markupsafe		MarkupSafe
@@ -87,7 +87,7 @@
 Name: fence-agents
 Summary: Set of unified programs capable of host isolation ("fencing")
 Version: 4.2.1
-Release: 121%{?alphatag:.%{alphatag}}%{?dist}.2
+Release: 121%{?alphatag:.%{alphatag}}%{?dist}.4
 License: GPLv2+ and LGPLv2+
 Group: System Environment/Base
 URL: https://github.com/ClusterLabs/fence-agents
@@ -278,10 +278,9 @@ Patch134: bz2155453-fence_ibm_powervs-performance-improvements.patch
 ### HA support libs/utils ###
 # all archs
 Patch1000: bz2218234-1-kubevirt-fix-bundled-dateutil-CVE-2007-4559.patch
-Patch1001: RHEL-11988-1-kubevirt-fix-bundled-urllib3-CVE-2023-43804.patch
+Patch1001: RHEL-22179-kubevirt-fix-bundled-jinja2-CVE-2024-22195.patch
 # cloud (x86_64 only)
 Patch2000: bz2218234-2-aws-fix-bundled-dateutil-CVE-2007-4559.patch
-Patch2001: RHEL-11988-2-aws-fix-bundled-urllib3-CVE-2023-43804.patch
 
 %if 0%{?fedora} || 0%{?rhel} > 7
 %global supportedagents amt_ws apc apc_snmp bladecenter brocade cisco_mds cisco_ucs compute drac5 eaton_snmp emerson eps evacuate hds_cb hpblade ibmblade ibm_powervs ibm_vpc ifmib ilo ilo_moonshot ilo_mp ilo_ssh intelmodular ipdu ipmilan kdump kubevirt lpar mpath redfish rhevm rsa rsb sbd scsi vmware_rest vmware_soap wti
@@ -607,11 +606,10 @@ rm -rf %{buildroot}/usr/lib/fence-agents/%{bundled_lib_dir}/kubevirt/rsa*
 # regular patch doesnt work in build-section
 pushd %{buildroot}/usr/lib/fence-agents/%{bundled_lib_dir}
 /usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=0 < %{PATCH1000}
-/usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=0 < %{PATCH1001}
+/usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=1 < %{PATCH1001}
 
 %ifarch x86_64
 /usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=0 < %{PATCH2000}
-/usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=0 < %{PATCH2001}
 %endif
 popd
 
@@ -1502,13 +1500,21 @@ Fence agent for IBM z/VM over IP.
 %endif
 
 %changelog
-* Thu Oct 12 2023 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.2.1-121.2
-- bundled urllib3: fix CVE-2023-43804
-  Resolves: RHEL-11988
+* Mon Jan 22 2024 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.2.1-121.4
+- bundled urllib3: fix CVE-2023-45803
+  Resolves: RHEL-21719
+- bundled pycryptodome: fix CVE-2023-52323
+  Resolves: RHEL-21727
+- bundled jinja2: fix CVE-2024-22195
+  Resolves: RHEL-22179
 
-* Tue Sep 26 2023 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.2.1-122
+* Fri Oct 13 2023 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.2.1-121.2
+- bundled urllib3: fix CVE-2023-43804
+  Resolves: RHEL-12434
+
+* Wed Sep 27 2023 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.2.1-121.1
 - bundled certifi: fix CVE-2023-37920
-  Resolves: RHEL-6972
+  Resolves: RHEL-9452
 
 * Thu Aug  3 2023 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.2.1-121
 - bundled dateutil: fix tarfile CVE-2007-4559