diff --git a/.gitignore b/.gitignore
index f881887..028dd9e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -80,3 +80,5 @@
 /freeipa-4.8.1.tar.gz.asc
 /freeipa-4.8.2.tar.gz
 /freeipa-4.8.2.tar.gz.asc
+/freeipa-4.8.3.tar.gz
+/freeipa-4.8.3.tar.gz.asc
diff --git a/freeipa.spec b/freeipa.spec
index 4fbcd4a..b153a5a 100644
--- a/freeipa.spec
+++ b/freeipa.spec
@@ -124,7 +124,7 @@
 
 # Work-around fact that RPM SPEC parser does not accept
 # "Version: @VERSION@" in freeipa.spec.in used for Autoconf string replacement
-%define IPA_VERSION 4.8.2
+%define IPA_VERSION 4.8.3
 %define AT_SIGN @
 # redefine IPA_VERSION only if its value matches the Autoconf placeholder
 %if "%{IPA_VERSION}" == "%{AT_SIGN}VERSION%{AT_SIGN}"
@@ -1335,6 +1335,11 @@ fi
 
 
 %changelog
+* Tue Nov 26 2019 Alexander Bokovoy <abokovoy@redhat.com> - 4.8.3-1
+- New upstream release 4.8.3
+- CVE-2019-14867: Denial of service in IPA server due to wrong use of ber_scanf()
+- CVE-2019-10195: Don't log passwords embedded in commands in calls using batch
+
 * Tue Nov 12 2019 Rob Crittenden <rcritten@redhat.com> - 4.8.2-1
 - New upstream release 4.8.2
 - Replace %%{_libdir} macro in BuildRequires (#1746882)
diff --git a/sources b/sources
index c23c93a..5ee2a36 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-SHA512 (freeipa-4.8.2.tar.gz) = 4ca63cc63152a240c78d7b77f674831c557cad1a991c7ba8c5339f79f1f42fb72991c804bee4d5686c9d3eddb9b9fb5347fbfa1398d8397ec6cf9c075c7773f1
-SHA512 (freeipa-4.8.2.tar.gz.asc) = 4c82920bd78d59ee4143e96832af74c44274945240aac16b49180bca07bf521bb300124613f2de2501b53b48a4a11d60ac81a4398e55d1deeb190125e09bf5b1
+SHA512 (freeipa-4.8.3.tar.gz) = b6bc7410397a6c85f66308aaa8fc223297b50d03ddfaa0b8093b0a240cf9418423eb94255e63f227365157158d2e1a768ba93eec1f4fe7e0d108fa27b4121c5f
+SHA512 (freeipa-4.8.3.tar.gz.asc) = 25c0a142389ee5ea8b21029ce7e33781d301a1a021f0cec405eca111bdcb68d5508fb605b4977552bdcd7e44edc24336557c667f217f086abbe50608e4cd2b03