diff --git a/.gitignore b/.gitignore
index cbf6389..9ea49f6 100644
--- a/.gitignore
+++ b/.gitignore
@@ -25,3 +25,4 @@
 /sudo-1.9.1.tar.gz
 /sudo-1.9.2.tar.gz
 /sudo-1.9.3p1.tar.gz
+/sudo-1.9.5p1.tar.gz
diff --git a/sources b/sources
index 2a74432..9d9c821 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (sudo-1.9.3p1.tar.gz) = 3ad13fd03e5b371fd6bf7909731ffc11431d2182a744b654f7e5d4b810e47955d49bc78f551afe13ec56acbce694139c33a15bc022cea41b17af5496b8b7f89f
+SHA512 (sudo-1.9.5p1.tar.gz) = 0168f0b61a6c2d2f60a92b5b4d3c3254aed4116decabac3821d9ac2fd7f74bb7b019e35bb8955335315b3b00ddf4e4acd82540df0addc1d9bf4f44b60447a878
diff --git a/sudo.spec b/sudo.spec
index 0089dfe..779cfc9 100644
--- a/sudo.spec
+++ b/sudo.spec
@@ -1,15 +1,17 @@
 Summary: Allows restricted root access for specified users
 Name: sudo
-Version: 1.9.3p1
+Version: 1.9.5p1
 Release: 1%{?dist}
 License: ISC
-URL: http://www.courtesan.com/sudo/
-Source0: https://www.sudo.ws/dist/%{name}-%{version}.tar.gz
+URL: https://www.sudo.ws
+Source0: %{url}/dist/%{name}-%{version}.tar.gz
 Source1: sudoers
 Requires: pam
 Recommends: vim-minimal
+Recommends: %{name}-python-plugin%{?_isa} = %{version}-%{release}
 Requires(post): coreutils
 
+BuildRequires: make
 BuildRequires: pam-devel
 BuildRequires: groff
 BuildRequires: openldap-devel
@@ -21,7 +23,6 @@ BuildRequires: libselinux-devel
 BuildRequires: sendmail
 BuildRequires: gettext
 BuildRequires: zlib-devel
-BuildRequires: python3-devel
 
 # don't strip
 Patch1: sudo-1.6.7p5-strip.patch
@@ -56,6 +57,15 @@ BuildRequires:  openssl-devel
 %{name}-logsrvd is a high-performance log server that accepts event and I/O logs from sudo.
 It can be used to implement centralized logging of sudo logs.
 
+%package        python-plugin
+Summary:        Python plugin for %{name}
+Requires:       %{name} = %{version}-%{release}
+BuildRequires:  python3-devel
+
+
+%description    python-plugin
+%{name}-python-plugin allows using sudo plugins written in Python.
+
 %prep
 %setup -q
 
@@ -181,7 +191,6 @@ EOF
 %attr(0644,root,root) %{_libexecdir}/sudo/sudoers.so
 %attr(0644,root,root) %{_libexecdir}/sudo/audit_json.so
 %attr(0644,root,root) %{_libexecdir}/sudo/group_file.so
-%attr(0644,root,root) %{_libexecdir}/sudo/python_plugin.so
 %attr(0644,root,root) %{_libexecdir}/sudo/sample_approval.so
 %attr(0644,root,root) %{_libexecdir}/sudo/system_group.so
 %attr(0644,root,root) %{_libexecdir}/sudo/libsudo_util.so.?.?.?
@@ -196,7 +205,6 @@ EOF
 %{_mandir}/man8/visudo.8*
 %{_mandir}/man1/cvtsudoers.1.gz
 %{_mandir}/man5/sudoers_timestamp.5.gz
-%{_mandir}/man8/sudo_plugin_python.8.gz
 %dir %{_pkgdocdir}/
 %{_pkgdocdir}/*
 %{!?_licensedir:%global license %%doc}
@@ -217,7 +225,25 @@ EOF
 %{_mandir}/man8/sudo_logsrvd.8.gz
 %{_mandir}/man8/sudo_sendlog.8.gz
 
+%files python-plugin
+%{_mandir}/man8/sudo_plugin_python.8.gz
+%attr(0644,root,root) %{_libexecdir}/sudo/python_plugin.so
+
 %changelog
+* Mon Jan 18 2021 Radovan Sroka <rsroka@redhat.com> - 1.9.5p1-1
+- rebase to 1.9.5p1
+Resolves: rhbz#1902758
+- fixed double free in sss_to_sudoers
+Resolves: rhbz#1885874
+- fixed CVE-2021-23239 sudo: possible directory existence test due to race condition in sudoedit
+Resolves: rhbz#1915055
+- fixed CVE-2021-23240 sudo: symbolic link attack in SELinux-enabled sudoedit
+Resolves: rhbz#1915054
+
+* Wed Jan 13 2021 Jonathan Lebon <jonathan@jlebon.com> - 1.9.3p1-2
+- split out Python modules into separate subpackage
+Resolves: rhbz#1909299
+
 * Mon Oct 05 2020 Radovan Sroka <rsroka@redhat.com> - 1.9.3p1-1
 - rebase to 1.9.3p1
 - enable python modules