diff --git a/.gitignore b/.gitignore
index 471692b..f71f200 100644
--- a/.gitignore
+++ b/.gitignore
@@ -46,3 +46,4 @@
 /freeipa-4.3.2.tar.gz
 /freeipa-4.4.1.tar.gz
 /freeipa-4.4.2.tar.gz
+/freeipa-4.4.3.tar.gz
diff --git a/0003-certprofile-mod-correctly-authorise-config-update.patch b/0003-certprofile-mod-correctly-authorise-config-update.patch
deleted file mode 100644
index d69b785..0000000
--- a/0003-certprofile-mod-correctly-authorise-config-update.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From cca4741602bf60fbc0589116113dd95646fa2888 Mon Sep 17 00:00:00 2001
-From: Fraser Tweedale
-Date: Tue, 15 Nov 2016 14:02:54 +1000
-Subject: [PATCH] certprofile-mod: correctly authorise config update
-
-Certificate profiles consist of an FreeIPA object, and a
-corresponding Dogtag configuration object. When updating profile
-configuration, changes to the Dogtag configuration are not properly
-authorised, allowing unprivileged operators to modify (but not
-create or delete) profiles. This could result in issuance of
-certificates with fraudulent subject naming information, improper
-key usage, or other badness.
-
-Update certprofile-mod to ensure that the operator has permission to
-modify FreeIPA certprofile objects before modifying the Dogtag
-configuration.
---
- ipaserver/plugins/certprofile.py | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/ipaserver/plugins/certprofile.py b/ipaserver/plugins/certprofile.py
-index f4466077484591c8e941027fa8e4897602384f7c..2bd3311e3b729b768188d537bf7f675a0f9346c2 100644
---- a/ipaserver/plugins/certprofile.py
-+++ b/ipaserver/plugins/certprofile.py
-@@ -310,6 +310,11 @@ class certprofile_mod(LDAPUpdate):
- raise errors.ProtectedEntryError(label='certprofile', key=keys[0],
- reason=_('Certificate profiles cannot be renamed'))
- if 'file' in options:
-+ # ensure operator has permission to update a certprofile
-+ if not ldap.can_write(dn, 'ipacertprofilestoreissued'):
-+ raise errors.ACIError(info=_(
-+ "Insufficient privilege to modify a certificate profile."))
-+
- with self.api.Backend.ra_certprofile as profile_api:
- profile_api.disable_profile(keys[0])
- try:
---
-2.7.4
diff --git a/0004-password-policy-Add-explicit-default-password-policy.patch b/0004-password-policy-Add-explicit-default-password-policy.patch
deleted file mode 100644
index 80664af..0000000
--- a/0004-password-policy-Add-explicit-default-password-policy.patch
+++ /dev/null
@@ -1,188 +0,0 @@
-From bcb06e1d67b3aefad33db387ce7a7700a224f30c Mon Sep 17 00:00:00 2001
-From: David Kupka
-Date: Thu, 29 Sep 2016 15:59:34 +0200
-Subject: [PATCH] password policy: Add explicit default password policy for
- hosts and services
-
-Set explicitly krbPwdPolicyReference attribute to all hosts (entries in
-cn=computers,cn=accounts), services (entries in cn=services,cn=accounts) and
-Kerberos services (entries in cn=$REALM,cn=kerberos). This is done using DS's
-CoS so no attributes are really added.
-
-The default policies effectively disable any enforcement or lockout for hosts
-and services. Since hosts and services use keytabs passwords enforcements
-doesn't make much sense. Also the lockout policy could be used for easy and
-cheap DoS.
---
- install/updates/20-default_password_policy.update | 133 ++++++++++++++++++++++
- install/updates/Makefile.am | 1 +
- ipaserver/install/service.py | 1 +
- 3 files changed, 135 insertions(+)
- create mode 100644 install/updates/20-default_password_policy.update
-
-diff --git a/install/updates/20-default_password_policy.update b/install/updates/20-default_password_policy.update
-new file mode 100644
-index 0000000000000000000000000000000000000000..b1f9754a98e9c4b9cb8558e96f7195ea87c2f1ce
---- /dev/null
-+++ b/install/updates/20-default_password_policy.update
-@@ -0,0 +1,133 @@
-+# Default password policies for hosts, services and Kerberos services
-+# Setting all attributes to zero effectively disables any password policy
-+# We can do this because hosts and services uses keytabs instead of passwords
-+
-+# hosts
-+dn: cn=Default Host Password Policy,cn=computers,cn=accounts,$SUFFIX
-+default:objectClass: krbPwdPolicy
-+default:objectClass: nsContainer
-+default:objectClass: top
-+default:cn: Default Host Password Policy
-+default:krbMinPwdLife: 0
-+default:krbPwdMinDiffChars: 0
-+default:krbPwdMinLength: 0
-+default:krbPwdHistoryLength: 0
-+default:krbMaxPwdLife: 0
-+default:krbPwdMaxFailure: 0
-+default:krbPwdFailureCountInterval: 0
-+default:krbPwdLockoutDuration: 0
-+
-+# services
-+dn: cn=Default Service Password Policy,cn=services,cn=accounts,$SUFFIX
-+default:objectClass: krbPwdPolicy
-+default:objectClass: nsContainer
-+default:objectClass: top
-+default:cn: Default Service Password Policy
-+default:krbMinPwdLife: 0
-+default:krbPwdMinDiffChars: 0
-+default:krbPwdMinLength: 0
-+default:krbPwdHistoryLength: 0
-+default:krbMaxPwdLife: 0
-+default:krbPwdMaxFailure: 0
-+default:krbPwdFailureCountInterval: 0
-+default:krbPwdLockoutDuration: 0
-+
-+# kerberos policy container
-+# this is necessary to avoid mixing the Kerberos sevice password policy
-+# with group-membership based user password policies
-+dn: cn=Kerberos Service Password Policy,cn=$REALM,cn=kerberos,$SUFFIX
-+default:objectClass: nsContainer
-+default:objectClass: top
-+default:cn: Kerberos Service Password Policy
-+
-+# kerberos services
-+dn: cn=Default Kerberos Service Password Policy,cn=Kerberos Service Password Policy,cn=$REALM,cn=kerberos,$SUFFIX
-+default:objectClass: krbPwdPolicy
-+default:objectClass: nsContainer
-+default:objectClass: top
-+default:cn: Default Kerberos Service Password Policy
-+default:krbMinPwdLife: 0
-+default:krbPwdMinDiffChars: 0
-+default:krbPwdMinLength: 0
-+default:krbPwdHistoryLength: 0
-+default:krbMaxPwdLife: 0
-+default:krbPwdMaxFailure: 0
-+default:krbPwdFailureCountInterval: 0
-+default:krbPwdLockoutDuration: 0
-+
-+# default password policies for hosts, services and kerberos services
-+# cosPriority is set intentionally to higher number than FreeIPA API allows
-+# to set to ensure that these password policies have always lower priority
-+# than any defined by user.
-+
-+# hosts
-+dn: cn=cosTemplates,cn=computers,cn=accounts,$SUFFIX
-+default:objectclass: top
-+default:objectclass: nsContainer
-+default:cn: cosTemplates
-+
-+dn: cn=Default Password Policy,cn=cosTemplates,cn=computers,cn=accounts,$SUFFIX
-+default:objectclass: top
-+default:objectclass: cosTemplate
-+default:objectclass: extensibleObject
-+default:objectclass: krbContainer
-+default:cn: Default Password Policy
-+default:cosPriority: 10000000000
-+default:krbPwdPolicyReference: cn=Default Host Password Policy,cn=computers,cn=accounts,$SUFFIX
-+
-+dn: cn=Default Password Policy,cn=computers,cn=accounts,$SUFFIX
-+default:description: Default Password Policy for Hosts
-+default:objectClass: top
-+default:objectClass: ldapsubentry
-+default:objectClass: cosSuperDefinition
-+default:objectClass: cosPointerDefinition
-+default:cosTemplateDn: cn=Default Password Policy,cn=cosTemplates,cn=computers,cn=accounts,$SUFFIX
-+default:cosAttribute: krbPwdPolicyReference default
-+
-+# services
-+dn: cn=cosTemplates,cn=services,cn=accounts,$SUFFIX
-+default:objectclass: top
-+default:objectclass: nsContainer
-+default:cn: cosTemplates
-+
-+dn: cn=Default Password Policy,cn=cosTemplates,cn=services,cn=accounts,$SUFFIX
-+default:objectclass: top
-+default:objectclass: cosTemplate
-+default:objectclass: extensibleObject
-+default:objectclass: krbContainer
-+default:cn: Default Password Policy
-+default:cosPriority: 10000000000
-+default:krbPwdPolicyReference: cn=Default Service Password Policy,cn=services,cn=accounts,$SUFFIX
-+
-+dn: cn=Default Password Policy,cn=services,cn=accounts,$SUFFIX
-+default:description: Default Password Policy for Services
-+default:objectClass: top
-+default:objectClass: ldapsubentry
-+default:objectClass: cosSuperDefinition
-+default:objectClass: cosPointerDefinition
-+default:cosTemplateDn: cn=Default Password Policy,cn=cosTemplates,cn=services,cn=accounts,$SUFFIX
-+default:cosAttribute: krbPwdPolicyReference default
-+
-+# kerberos services
-+dn: cn=cosTemplates,cn=$REALM,cn=kerberos,$SUFFIX
-+default:objectclass: top
-+default:objectclass: nsContainer
-+default:cn: cosTemplates
-+
-+dn: cn=Default Password Policy,cn=cosTemplates,cn=$REALM,cn=kerberos,$SUFFIX
-+default:objectclass: top
-+default:objectclass: cosTemplate
-+default:objectclass: extensibleObject
-+default:objectclass: krbContainer
-+default:cn: Default Password Policy
-+default:cosPriority: 10000000000
-+default:krbPwdPolicyReference: cn=Default Kerberos Service Password Policy,cn=Kerberos Service Password Policy,cn=$REALM,cn=kerberos,$SUFFIX
-+
-+dn: cn=Default Password Policy,cn=$REALM,cn=kerberos,$SUFFIX
-+default:description: Default Password Policy for Kerberos Services
-+default:objectClass: top
-+default:objectClass: ldapsubentry
-+default:objectClass: cosSuperDefinition
-+default:objectClass: cosPointerDefinition
-+default:cosTemplateDn: cn=Default Password Policy,cn=cosTemplates,cn=$REALM,cn=kerberos,$SUFFIX
-+default:cosAttribute: krbPwdPolicyReference default
-diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am
-index a80256f029f5547b1bc5c2226c9a0a0dd45432f4..e8a55e1734eb9979b34ddb96783902926cc975c0 100644
---- a/install/updates/Makefile.am
-+++ b/install/updates/Makefile.am
-@@ -24,6 +24,7 @@ app_DATA = \
- 20-winsync_index.update \
- 20-idoverride_index.update \
- 20-uuid.update \
-+ 20-default_password_policy.update \
- 21-replicas_container.update \
- 21-ca_renewal_container.update \
- 21-certstore_container.update \
-diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py
-index 4cc7012f62c5945839af694e8d8e74179d998b12..6451f92f0d3d768cf4619e8b0e3f52e190b628c8 100644
---- a/ipaserver/install/service.py
-+++ b/ipaserver/install/service.py
-@@ -245,6 +245,7 @@ class Service(object):
- # There is no service in the wrong location, nothing to do.
- # This can happen when installing a replica - return None -+ entry.pop('krbpwdpolicyreference', None) # don't copy virtual attr - newdn = DN(('krbprincipalname', principal), ('cn', 'services'), ('cn', 'accounts'), self.suffix) - hostdn = DN(('fqdn', self.fqdn), ('cn', 'computers'), ('cn', 'accounts'), self.suffix) - api.Backend.ldap2.delete_entry(entry) --- -2.7.4 - diff --git a/freeipa.spec b/freeipa.spec index adc14b0..1c3f303 100644 --- a/freeipa.spec +++ b/freeipa.spec @@ -32,13 +32,13 @@ %global platform_module fedora %endif -%global VERSION 4.4.2 +%global VERSION 4.4.3 %define _hardened_build 1 Name: freeipa Version: %{VERSION} -Release: 4%{?dist} +Release: 1%{?dist} Summary: The Identity, Policy and Audit system Group: System Environment/Base @@ -49,8 +49,6 @@ BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) Patch0001: 0001-Workarounds-for-SELinux-execmem-violations-in-crypto.patch Patch0002: 0002-Support-DAL-version-5-and-version-6.patch -Patch0003: 0003-certprofile-mod-correctly-authorise-config-update.patch -Patch0004: 0004-password-policy-Add-explicit-default-password-policy.patch %if ! %{ONLY_CLIENT} BuildRequires: 389-ds-base-devel >= 1.3.5.6 @@ -147,7 +145,7 @@ Requires: %{name}-server-common = %{version}-%{release} Requires: %{name}-client = %{version}-%{release} Requires: %{name}-common = %{version}-%{release} Requires: python2-ipaserver = %{version}-%{release} -Requires: 389-ds-base >= 1.3.5.6 +Requires: 389-ds-base >= 1.3.5.14 Requires: openldap-clients > 2.4.35-4 Requires: nss >= 3.14.3-12.0 Requires: nss-tools >= 3.14.3-12.0 @@ -179,7 +177,7 @@ Requires: zip Requires: policycoreutils >= 2.1.12-5 Requires: tar Requires(pre): certmonger >= 0.78 -Requires(pre): 389-ds-base >= 1.3.5.6 +Requires(pre): 389-ds-base >= 1.3.5.14 Requires: fontawesome-fonts Requires: open-sans-fonts Requires: openssl 
@@ -1478,6 +1476,9 @@ fi
 %endif # ONLY_CLIENT
 
 %changelog
+* Fri Dec 16 2016 Pavel Vomacka - 4.4.3-1
+- Update to upstream 4.4.3 - see http://www.freeipa.org/page/Releases/4.4.3
+
 * Wed Dec 14 2016 Pavel Vomacka - 4.4.2-4
 - Fixes 1395311 - CVE-2016-9575 ipa: Insufficient permission check in certprofile-mod
 - Fixes 1370493 - CVE-2016-7030 ipa: DoS attack against kerberized services
diff --git a/sources b/sources
index 244ebc9..30495e6 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-d8eeb580de58d9230724b40575270bc4 freeipa-4.4.2.tar.gz
+325b3ffeeac529b29e70c7a0104a58af freeipa-4.4.3.tar.gz
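Review bot: The new 4.4.3-1 changelog entry records only the rebase and not the two other changes the freeipa.spec hunks make: Patch0003 (the CVE-2016-9575 certprofile-mod fix) and Patch0004 (the CVE-2016-7030 password-policy fix) are dropped, and the 389-ds-base requirement is raised from 1.3.5.6 to 1.3.5.14 in both the Requires and Requires(pre) lines. Presumably both patches are already contained in the upstream 4.4.3 tarball, but nothing in the spec or the entry says so, and anyone auditing whether the CVE fixes survive the rebase has to diff the tarball to find out. I would extend the entry with lines such as `- Drop patches 0003 and 0004, included in upstream 4.4.3` and `- Require 389-ds-base >= 1.3.5.14`.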