diff --git a/.gitignore b/.gitignore
index c8829a6..caeb661 100644
--- a/.gitignore
+++ b/.gitignore
@@ -34,3 +34,4 @@
 /freeipa-4.0.2.tar.gz
 /freeipa-4.0.3.tar.gz
 /freeipa-4.1.0.tar.gz
+/freeipa-4.1.1.tar.gz
diff --git a/0001-Do-not-check-if-port-8443-is-available-in-step-2-of.patch b/0001-Do-not-check-if-port-8443-is-available-in-step-2-of.patch
deleted file mode 100644
index de46547..0000000
--- a/0001-Do-not-check-if-port-8443-is-available-in-step-2-of.patch
+++ /dev/null
@@ -1,52 +0,0 @@
->From 1a42a07cfa02753053298c75d3a76cb1cb3bf839 Mon Sep 17 00:00:00 2001
-From: Jan Cholasta <jcholast@redhat.com>
-Date: Wed, 22 Oct 2014 11:18:35 +0200
-Subject: [PATCH] Do not check if port 8443 is available in step 2 of external
- CA install
-
-The port is never available in step 2 of external CA install, as Dogtag is
-already running.
-
-https://fedorahosted.org/freeipa/ticket/4660
----
- install/tools/ipa-ca-install     | 3 ++-
- install/tools/ipa-server-install | 9 +++++----
- 2 files changed, 7 insertions(+), 5 deletions(-)
-
-diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install
-index cb072e6..1bda22d 100755
---- a/install/tools/ipa-ca-install
-+++ b/install/tools/ipa-ca-install
-@@ -301,7 +301,8 @@ def install_master(safe_options, options):
-     domain_name = api.env.domain
-     host_name = api.env.host
- 
--    check_ca()
-+    if external != 2:
-+        check_ca()
- 
-     dirname = dsinstance.config_dirname(
-         dsinstance.realm_to_serverid(realm_name))
-diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
-index 0394314..67dd21f 100755
---- a/install/tools/ipa-server-install
-+++ b/install/tools/ipa-server-install
-@@ -869,10 +869,11 @@ def main():
-         # Make sure the 389-ds ports are available
-         check_dirsrv(options.unattended)
- 
--    if setup_ca:
--        if not cainstance.check_port():
--            print "IPA requires port 8443 for PKI but it is currently in use."
--            sys.exit("Aborting installation")
-+        if setup_ca:
-+            if not cainstance.check_port():
-+                print ("IPA requires port 8443 for PKI but it is currently in "
-+                       "use.")
-+                sys.exit("Aborting installation")
- 
-     if options.conf_ntp:
-         try:
--- 
-1.9.3
-
diff --git a/freeipa.spec b/freeipa.spec
index aa0b0bc..d483932 100644
--- a/freeipa.spec
+++ b/freeipa.spec
@@ -19,13 +19,13 @@
 %global platform_module fedora
 %endif
 
-%global VERSION 4.1.0
+%global VERSION 4.1.1
 
 %define _hardened_build 1
 
 Name:           freeipa
 Version:        %{VERSION}
-Release:        2%{?dist}
+Release:        1%{?dist}
 Summary:        The Identity, Policy and Audit system
 
 Group:          System Environment/Base
@@ -34,8 +34,6 @@ URL:            http://www.freeipa.org/
 Source0:        http://www.freeipa.org/downloads/src/freeipa-%{VERSION}.tar.gz
 BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
-Patch0001:      0001-Do-not-check-if-port-8443-is-available-in-step-2-of.patch
-
 %if ! %{ONLY_CLIENT}
 BuildRequires:  389-ds-base-devel >= 1.3.3.5
 BuildRequires:  svrcore-devel
@@ -134,7 +132,7 @@ Requires(pre): systemd-units
 Requires(post): systemd-units
 Requires: selinux-policy >= %{selinux_policy_version}
 Requires(post): selinux-policy-base
-Requires: slapi-nis >= 0.54-1
+Requires: slapi-nis >= 0.54.1-1
 Requires: pki-ca >= 10.2.0-3
 %if 0%{?rhel}
 Requires: subscription-manager
@@ -447,6 +445,7 @@ mkdir -p %{buildroot}%{_usr}/share/ipa/html/
 /bin/touch %{buildroot}%{_usr}/share/ipa/html/preferences.html
 mkdir -p %{buildroot}%{_initrddir}
 mkdir %{buildroot}%{_sysconfdir}/sysconfig/
+mkdir -p %{buildroot}%{_localstatedir}/named/dyndb-ldap/ipa/
 install -m 644 init/ipa_memcached.conf %{buildroot}%{_sysconfdir}/sysconfig/ipa_memcached
 install -m 644 init/ipa-dnskeysyncd.conf %{buildroot}%{_sysconfdir}/sysconfig/ipa-dnskeysyncd
 install -m 644 init/ipa-ods-exporter.conf %{buildroot}%{_sysconfdir}/sysconfig/ipa-ods-exporter
@@ -686,6 +685,7 @@ fi
 %config(noreplace) %{_sysconfdir}/sysconfig/ipa-ods-exporter
 %dir %attr(0700,apache,apache) %{_localstatedir}/run/ipa_memcached/
 %dir %attr(0700,root,root) %{_localstatedir}/run/ipa/
+%dir %attr(0770,named,named) %{_localstatedir}/named/dyndb-ldap/ipa/
 # NOTE: systemd specific section
 %{_tmpfilesdir}/%{name}.conf
 %attr(644,root,root) %{_unitdir}/ipa.service
@@ -918,6 +918,10 @@ fi
 %endif # ONLY_CLIENT
 
 %changelog
+* Thu Nov 06 2014 Petr Vobornik <pvoborni@redhat.com> - 4.1.1-1
+- Update to upstream 4.1.1 - see http://www.freeipa.org/page/Releases/4.1.1
+- fix CVE-2014-7828
+
 * Wed Oct 22 2014 Petr Vobornik <pvoborni@redhat.com> - 4.1.0-2
 - fix armv7hl stack oversize build failure
 - fix https://fedorahosted.org/freeipa/ticket/4660
diff --git a/sources b/sources
index 65d41bd..3e42ab4 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-15d4914499ff928a1f90b3c4d15998f8  freeipa-4.1.0.tar.gz
+6e1ec60f71aa17b65a2a3caadd688f3c  freeipa-4.1.1.tar.gz