diff --git a/_service b/_service
index 0a7754b..518240e 100644
--- a/_service
+++ b/_service
@@ -1,17 +1,17 @@
-
+
https://github.com/containers/conmon
git
@PARENT_TAG@
[v]?([^\+]+)(.*)
-v2.1.8
+v2.1.9
disable
-
+
conmon-*.tar
xz
-
+
conmon
diff --git a/conmon-2.1.8.tar.xz b/conmon-2.1.8.tar.xz
deleted file mode 100644
index fd02900..0000000
--- a/conmon-2.1.8.tar.xz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:229bed08c810956c25d1f1a67d4a17221e21cf1b9cb181ce0fedc9a68e8973e5
-size 102828
diff --git a/conmon-2.1.9.tar.xz b/conmon-2.1.9.tar.xz
new file mode 100644
index 0000000..0bcab21
--- /dev/null
+++ b/conmon-2.1.9.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:01adf76b2d4b96b99b21faaa300808aa61a34db20f4f634fd4deb63fc9799145
+size 103136
diff --git a/conmon.changes b/conmon.changes
index 60ddab7..084f4bb 100644
--- a/conmon.changes
+++ b/conmon.changes
@@ -1,3 +1,25 @@
+-------------------------------------------------------------------
+Mon Dec 18 09:02:52 UTC 2023 - Dan Čermák
+
+- Add fix-incorrect-free-in-conn_sock.patch
+ This fixes a regression in 2.1.9
+ (https://github.com/containers/conmon/issues/475 and
+ https://github.com/containers/conmon/issues/477)
+
+-------------------------------------------------------------------
+Fri Dec 15 09:54:35 UTC 2023 - Dan Čermák
+
+- New upstream release 2.1.9
+
+ ### Bug fixes
+ * fix some issues flagged by SAST scan
+ * src: fix write after end of buffer
+ * src: open all files with O_CLOEXEC
+ * oom-score: restore oom score before running exit command
+ ### Features
+ * Forward more messages on the sd-notify socket
+ * logging: -l passthrough accepts TTYs
+
-------------------------------------------------------------------
Thu Sep 28 16:02:58 UTC 2023 - Valentin Lefebvre
diff --git a/conmon.spec b/conmon.spec
index 5acb563..b7895e7 100644
--- a/conmon.spec
+++ b/conmon.spec
@@ -17,13 +17,14 @@
Name: conmon
-Version: 2.1.8
+Version: 2.1.9
Release: 0
Summary: An OCI container runtime monitor
License: Apache-2.0
Group: System/Management
URL: https://github.com/containers/conmon
Source0: %{name}-%{version}.tar.xz
+Patch0: https://github.com/containers/conmon/pull/476.patch#./fix-incorrect-free-in-conn_sock.patch
BuildRequires: pkgconfig
BuildRequires: golang(API) >= 1.20
BuildRequires: pkgconfig(glib-2.0)
diff --git a/fix-incorrect-free-in-conn_sock.patch b/fix-incorrect-free-in-conn_sock.patch
new file mode 100644
index 0000000..b414942
--- /dev/null
+++ b/fix-incorrect-free-in-conn_sock.patch
@@ -0,0 +1,31 @@
+From 8557c117bcab03e3c16e40ffb7bd450d697f72c7 Mon Sep 17 00:00:00 2001
+From: Dominique Martinet
+Date: Fri, 15 Dec 2023 12:44:03 +0900
+Subject: [PATCH] Fix incorrect free in conn_sock
+
+Earlier commit freed socket_parent_dir()'s result which is correct in
+the case it returns a path from g_build_filename, but when it returns
+opt_bundle_path the string should not be freed.
+
+Make the function always return an allocated string that can be freed
+
+Fixes: #475
+Fixes: fad6bac8e65f ("fix some issues flagged by SAST scan")
+Signed-off-by: Dominique Martinet
+---
+ src/conn_sock.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/conn_sock.c b/src/conn_sock.c
+index 62a02266..3b854e33 100644
+--- a/src/conn_sock.c
++++ b/src/conn_sock.c
+@@ -314,7 +314,7 @@ char *socket_parent_dir(gboolean use_full_attach_path, size_t desired_len)
+ {
+ /* if we're to use the full path, ignore the socket path and only use the bundle_path */
+ if (use_full_attach_path)
+- return opt_bundle_path;
++ return strdup(opt_bundle_path);
+
+ char *base_path = g_build_filename(opt_socket_path, opt_cuuid, NULL);
+