diff --git a/.gitignore b/.gitignore
index fd60404..0eea3a6 100644
--- a/.gitignore
+++ b/.gitignore
@@ -13,3 +13,5 @@
 /v2.4.4.tar.gz
 /v2.4.4.1.tar.gz
 /v2.4.8.2.tar.gz
+/v2.4.9.tar.gz
+/v2.4.9.1.tar.gz
diff --git a/mod_auth_openidc.spec b/mod_auth_openidc.spec
index 81dbfdc..5f2d4a6 100644
--- a/mod_auth_openidc.spec
+++ b/mod_auth_openidc.spec
@@ -14,8 +14,8 @@
 %global httpd_pkg_cache_dir /var/cache/httpd/mod_auth_openidc
 Name: mod_auth_openidc
-Version: 2.4.8.2
-Release: 3%{?dist}
+Version: 2.4.9.1
+Release: 1%{?dist}
 Summary: OpenID Connect auth module for Apache HTTP Server
 License: ASL 2.0
@@ -94,6 +94,15 @@ install -m 700 -d $RPM_BUILD_ROOT%{httpd_pkg_cache_dir}/cache
 %dir %attr(0700, apache, apache) %{httpd_pkg_cache_dir}/cache
 %changelog
+* Fri Jul 30 2021 Jakub Hrozek - 2.4.9.1-1
+- Resolves: rhbz#1987223 - CVE-2021-32792 mod_auth_openidc: XSS when using
+ OIDCPreservePost On [rhel-9.0]
+- Resolves: rhbz#1987217 - CVE-2021-32791 mod_auth_openidc: hardcoded
+ static IV and AAD with a reused key in AES GCM
+ encryption [rhel-9.0]
+- Resolves: rhbz#1987204 - CVE-2021-32786 mod_auth_openidc: open redirect in
+ oidc_validate_redirect_url() [rhel-9.0]
+
 * Mon Aug 09 2021 Mohan Boddu - 2.4.8.2-3
 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
 Related: rhbz#1991688
diff --git a/sources b/sources
index 5d4280c..6e67a52 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (v2.4.8.2.tar.gz) = 5c8750c1e39eadba4bfef5a3769240e3c7a78a3116adcd852de4a62152405491953f0e625d81aaf26a3bc35917370a2ff1abbc22d64d7af564f060601eae655c
+SHA512 (v2.4.9.1.tar.gz) = 25ad23fa9ae39ed9ff6d7a9607ef2d92ab96c4898ba9dc548418ab80652e310424c41c76ec55dccd415d1d30c271fccf7dd9f5b65f0f0b9dfa2386d242c4b0b5
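Review bot: In the `%changelog` hunk of mod_auth_openidc.spec (`@@ -94,6 +94,15 @@`), the new 2.4.9.1-1 entry is dated `Fri Jul 30 2021` but sits above the existing `Mon Aug 09 2021` entry, so the changelog is no longer newest-first. As far as I know rpm's changelog parser checks for descending chronological order, so this layout may be rejected or flagged at build time; it also makes the package history read as if the CVE rebase predates the 2.4.8.2-3 rebuild. Dating the entry on or after the rebuild it sits above would fix this, e.g. `* <build date> Jakub Hrozek - 2.4.9.1-1`, with the three `Resolves:` lines unchanged. The changelog continues below the hunk, so older entries are not visible here.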