diff --git a/0001-Backport-fix-for-CVE-2024-6104.patch b/0001-Backport-fix-for-CVE-2024-6104.patch
new file mode 100644
index 0000000..50564e7
--- /dev/null
+++ b/0001-Backport-fix-for-CVE-2024-6104.patch
@@ -0,0 +1,84 @@
+From 1a3445769d0a3c392487ec9480c0bfad07bde063 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?=
+Date: Sun, 30 Jun 2024 16:09:52 +0200
+Subject: [PATCH] Backport fix for CVE-2024-6104
+
+This is https://github.com/hashicorp/go-retryablehttp/pull/158 only directly
+applied to the vendor/ source tree
+See also https://github.com/advisories/GHSA-v6v8-xj6m-xwqh
+---
+ .../hashicorp/go-retryablehttp/client.go | 28 ++++++++++++++-----
+ 1 file changed, 21 insertions(+), 7 deletions(-)
+
+diff --git a/vendor/github.com/hashicorp/go-retryablehttp/client.go b/vendor/github.com/hashicorp/go-retryablehttp/client.go
+index 12ac50bcc..efee53c40 100644
+--- a/vendor/github.com/hashicorp/go-retryablehttp/client.go
++++ b/vendor/github.com/hashicorp/go-retryablehttp/client.go
+@@ -658,9 +658,9 @@ func (c *Client) Do(req *Request) (*http.Response, error) {
+ if logger != nil {
+ switch v := logger.(type) {
+ case LeveledLogger:
+- v.Debug("performing request", "method", req.Method, "url", req.URL)
++ v.Debug("performing request", "method", req.Method, "url", redactURL(req.URL))
+ case Logger:
+- v.Printf("[DEBUG] %s %s", req.Method, req.URL)
++ v.Printf("[DEBUG] %s %s", req.Method, redactURL(req.URL))
+ }
+ }
+
+@@ -715,9 +715,9 @@ func (c *Client) Do(req *Request) (*http.Response, error) {
+ if err != nil {
+ switch v := logger.(type) {
+ case LeveledLogger:
+- v.Error("request failed", "error", err, "method", req.Method, "url", req.URL)
++ v.Error("request failed", "error", err, "method", req.Method, "url", redactURL(req.URL))
+ case Logger:
+- v.Printf("[ERR] %s %s request failed: %v", req.Method, req.URL, err)
++ v.Printf("[ERR] %s %s request failed: %v", req.Method, redactURL(req.URL), err)
+ }
+ } else {
+ // Call this here to maintain the behavior of logging all requests,
+@@ -753,7 +753,7 @@ func (c *Client) Do(req *Request) (*http.Response, error) {
+
+ wait := c.Backoff(c.RetryWaitMin, c.RetryWaitMax, i, resp)
+ if logger != nil {
+- desc := fmt.Sprintf("%s %s", req.Method, req.URL)
++ desc := fmt.Sprintf("%s %s", req.Method, redactURL(req.URL))
+ if resp != nil {
+ desc = fmt.Sprintf("%s (status: %d)", desc, resp.StatusCode)
+ }
+@@ -818,11 +818,11 @@ func (c *Client) Do(req *Request) (*http.Response, error) {
+ // communicate why
+ if err == nil {
+ return nil, fmt.Errorf("%s %s giving up after %d attempt(s)",
+- req.Method, req.URL, attempt)
++ req.Method, redactURL(req.URL), attempt)
+ }
+
+ return nil, fmt.Errorf("%s %s giving up after %d attempt(s): %w",
+- req.Method, req.URL, attempt, err)
++ req.Method, redactURL(req.URL), attempt, err)
+ }
+
+ // Try to read the response body so we can reuse this connection.
+@@ -903,3 +903,17 @@ func (c *Client) StandardClient() *http.Client {
+ Transport: &RoundTripper{Client: c},
+ }
+ }
++
++// Taken from url.URL#Redacted() which was introduced in go 1.15.
++// We can switch to using it directly if we'll bump the minimum required go version.
++func redactURL(u *url.URL) string {
++ if u == nil {
++ return ""
++ }
++
++ ru := *u
++ if _, has := ru.User.Password(); has {
++ ru.User = url.UserPassword(ru.User.Username(), "xxxxx")
++ }
++ return ru.String()
++}
+--
+2.45.2
+
diff --git a/_service b/_service
index 6000b5d..3f6f141 100644
--- a/_service
+++ b/_service
@@ -2,7 +2,7 @@ https://github.com/containers/podman.git git - v4.9.3 + v4.9.5 @PARENT_TAG@ enable v(.*)
diff --git a/_servicedata b/_servicedata
index 95ac889..f445644 100644
--- a/_servicedata
+++ b/_servicedata
@@ -1,4 +1,4 @@ https://github.com/containers/podman.git - 8d2b55ddde1bc81f43d018dfc1ac027c06b26a7f \ No newline at end of file + 1d51e91436c6cdf257ff26f38b5c941a51bb12d1 \ No newline at end of file
diff --git a/podman-4.9.3.tar.xz b/podman-4.9.3.tar.xz
deleted file mode 100644
index f2ef5ab..0000000
--- a/podman-4.9.3.tar.xz
+++ /dev/null
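Review bot: `redactURL` in the last hunk of the embedded patch masks only the userinfo password, so a credential carried in the username, query string or fragment of `req.URL` still reaches the debug/error log lines and the `giving up after` error rewritten in the earlier hunks unchanged, and the function comment records only where the code came from, not this limit. I would add above `func redactURL`: `// Only the userinfo password is replaced; username, query string and fragment are returned verbatim, so callers must not rely on this for other secrets.` The backport also edits the vendored client.go in place and nothing in this diff touches vendor/modules.txt or go.mod, so tooling that keys on the recorded go-retryablehttp module version may keep reporting CVE-2024-6104 — worth confirming how the package tracks the fix. The `Do` method modified by the first four hunks starts and ends outside them.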
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:a457f5ef0f8dcfad13b3587f579b3b8383dd0c766d73e2632d625799396c7af7
-size 13583024
diff --git a/podman-4.9.5.tar.xz b/podman-4.9.5.tar.xz
new file mode 100644
index 0000000..af10b31
--- /dev/null
+++ b/podman-4.9.5.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:42b82d070540cef8ba179050db3e06f4a584827d7b2c2739548673ee1671fe3f
+size 13591196
diff --git a/podman.changes b/podman.changes
index 0ae006e..bc66e15 100644
--- a/podman.changes
+++ b/podman.changes
@@ -1,3 +1,33 @@
+-------------------------------------------------------------------
+Thu Aug 29 08:49:02 UTC 2024 - danish.prakash@suse.com
+
+- Add patch to fix bsc#1227052 / CVE-2024-6104:
+ * 0001-Backport-fix-for-CVE-2024-6104.patch
+- Update to version 4.9.5:
+ * Bump to v4.9.5
+ * Update release notes for v4.9.5
+ * fix "concurrent map writes" in network ls compat endpoint
+ * [v4.9] Fix for CVE-2024-3727
+ * Disable failing bud test
+ * CI Maintenance: Disable machine tests
+ * [CI:DOCS] Allow downgrade of WiX
+ * [CI:DOCS] Force WiX 3.11
+ * [CI:DOCS] Fix windows installer action
+ * Bump to v4.9.5-dev
+ * Bump to v4.9.4
+ * Update release notes for v4.9.4
+ * [v4.9] Bump Buildah to v1.33.7, CVE-2024-1753, CVE-2024-24786
+ * Add farm command to commands list
+ * Bump to FreeBSD 13.3 (13.2 vanished)
+ * Update health-start-periods docs
+ * Don't update health check status during initialDelaySeconds
+ * image scp: don't require port for ssh URL
+ * Ignore docker's end point config when the final network mode isn't bridge.
+ * Fix running container from docker client with rootful in rootless podman.
+ * [skip-ci] Packit: remove koji and bodhi tasks for v4.9
+ * Bump to v4.9.4-dev
+ * Remove gitleaks scanning
+
 -------------------------------------------------------------------
 Thu Feb 22 13:54:00 UTC 2024 - Thorsten Kukuk
diff --git a/podman.spec b/podman.spec
index 4d51ada..5581000 100644
--- a/podman.spec
+++ b/podman.spec
@@ -22,7 +22,7 @@ %bcond_without apparmor
 Name: podman
-Version: 4.9.3
+Version: 4.9.5
 Release: 0
 Summary: Daemon-less container engine for managing containers, pods and images
 License: Apache-2.0
@@ -30,6 +30,7 @@ Group: System/Management
 URL: https://%{project}
 Source0: %{name}-%{version}.tar.xz
 Source1: podman.conf
+Patch0: 0001-Backport-fix-for-CVE-2024-6104.patch
 BuildRequires: bash-completion
 BuildRequires: device-mapper-devel
 BuildRequires: fdupes
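Review bot: `Patch0:` is declared in the second podman.spec hunk, but the `%prep` section lies outside this diff, so nothing here shows the patch actually being applied; if `%prep` uses `%setup` without a matching `%patch0 -p1` (or `%autosetup -p1`), the build still succeeds and the CVE-2024-6104 fix the changelog announces is silently absent from the binary. That is worth verifying in the same change, because the package metadata would otherwise claim a fix it does not ship. The embedded patch uses `a/vendor/...` and `b/vendor/...` paths, so whichever macro is used needs `-p1` and must run from the unpacked source root.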