diff --git a/freeradius-server-3.2.1.tar.bz2 b/freeradius-server-3.2.1.tar.bz2
deleted file mode 100644
index 86c3f89..0000000
--- a/freeradius-server-3.2.1.tar.bz2
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:32cd4eae3c24af2893aa5feff643bc9ac0755341b2b7e8dd622c6e9a23e9f256
-size 3399164
diff --git a/freeradius-server-3.2.1.tar.bz2.sig b/freeradius-server-3.2.1.tar.bz2.sig
deleted file mode 100644
index 0edc072..0000000
Binary files a/freeradius-server-3.2.1.tar.bz2.sig and /dev/null differ
diff --git a/freeradius-server-3.2.3.tar.bz2 b/freeradius-server-3.2.3.tar.bz2
new file mode 100644
index 0000000..41363a9
--- /dev/null
+++ b/freeradius-server-3.2.3.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:4a16aeffbfa1424e1f317fdf71d17e5523a4fd9564d87c747a60595ef93c5d1f
+size 3454869
diff --git a/freeradius-server-3.2.3.tar.bz2.sig b/freeradius-server-3.2.3.tar.bz2.sig
new file mode 100644
index 0000000..2dadfb0
Binary files /dev/null and b/freeradius-server-3.2.3.tar.bz2.sig differ
diff --git a/freeradius-server-rlm_sql_unixodbc-configure.patch b/freeradius-server-rlm_sql_unixodbc-configure.patch
index 12ac20f..f331e28 100644
--- a/freeradius-server-rlm_sql_unixodbc-configure.patch
+++ b/freeradius-server-rlm_sql_unixodbc-configure.patch
@@ -1,11 +1,22 @@
---- freeradius-server-3.0.11.orig/src/modules/rlm_sql/drivers/rlm_sql_unixodbc/configure	2016-01-25 19:27:03.000000000 +0100
-+++ freeradius-server-3.0.11/src/modules/rlm_sql/drivers/rlm_sql_unixodbc/configure	2016-01-25 20:42:24.835741109 +0100
-@@ -1843,7 +1843,7 @@
+Index: freeradius-server-3.2.3/src/modules/rlm_sql/drivers/rlm_sql_unixodbc/configure
+===================================================================
+--- freeradius-server-3.2.3.orig/src/modules/rlm_sql/drivers/rlm_sql_unixodbc/configure
++++ freeradius-server-3.2.3/src/modules/rlm_sql/drivers/rlm_sql_unixodbc/configure
+@@ -1884,7 +1884,7 @@ if test "${with_unixodbc_dir+set}" = set
  fi
  
  
--		smart_try_dir="$unixodbc_lib_dir /usr/local/unixodbc/lib"
-+		smart_try_dir="$unixodbc_lib_dir"
- 	ac_ext=c
+-smart_try_dir="$unixodbc_lib_dir /usr/local/unixodbc/lib"
++smart_try_dir="$unixodbc_lib_dir"
+ ac_ext=c
  ac_cpp='$CPP $CPPFLAGS'
  ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
+@@ -2800,7 +2800,7 @@ fail="$fail libodbc"
+ 
+ fi
+ 
+-smart_try_dir="$unixodbc_include_dir /usr/local/unixodbc/include"
++smart_try_dir="$unixodbc_include_dir"
+ 
+ 
+ ac_safe=`echo "sql.h" | sed 'y%./+-%__pm%'`
diff --git a/freeradius-server.changes b/freeradius-server.changes
index 8b90a7a..ea40d7d 100644
--- a/freeradius-server.changes
+++ b/freeradius-server.changes
@@ -1,3 +1,86 @@
+-------------------------------------------------------------------
+Thu Aug 31 13:09:06 UTC 2023 - Adam Majer <adam.majer@suse.de>
+
+- update to version 3.2.3:
+  Feature Improvements
+  * Add "max_retries" for connection pools. Fixes #4908.
+  * Update dictionary.ciena, dictionary.huawei, dictionary.wifialliance and
+    dictionary.wispr; add dictionary.eleven.
+  * You can now list "eap" in the "pre-proxy" section. If the packet contains a
+    malformed EAP message, then the request will be rejected The home server
+    will either reject (or discard) this packet anyways, so this change can
+    only help with large proxy scenarios.
+  * Show warnings if libldap is not using OpenSSL.
+  * Support RADIUS/1.1. See
+    https://datatracker.ietf.org/doc/draft-dekok-radext-radiusv11/ Disabled by
+    default, can be enabled by passing `--with-radiusv11` to the configure
+    script. For now, this is for testing interoperability.
+  * Add extra sanity checks for malformed EAP attributes.
+  * More TLS debugging output.
+  * Clear old module instance data before HUP reload. Avoids burst memory use
+    when e.g. using large data files with rlm_files.
+  * `rlm_cache_redis` is now included in the freeradius-redis packages.
+
+Bug Fixes
+  * Don't leak MD contexts with OpenSSL 3.0.
+  * Increase internal buffer size for TLS connections, which can help with
+    high-load proxies.
+  * Send Status-Server checks for TLS connections.
+  * Give descriptive error if "update CoA" is used with "fake" packets, as it
+    won't work. i.e. inner-tunnel and virtual home servers.
+  * Many small ASAN / LSAN fixes from Jorge Pereira.
+  * Close inbound RADIUS/TLS socket on TLS errors. When a home server sees a
+    TLS error, it will now close the socket, so proxies do not have an open
+    (but dead) TLS connection.
+  * Fix mutex locking issues on inbound RADIUS/TLS connections This change
+    avoids random issues with "bad record mac".
+  * Improve REST encoding loop. Patch from Herwin Weststrate. Closes #4950.
+  * Correctly report the LDAP group a user was found in. Fixes #3084.
+  * Force correct packet type when running Post-Auth-Type. Helps with #4980.
+  * Fix small leak in Client-Lost code. Patch from Terry Burton. PR #4996.
+  * Fix TCP socket statistics. Closes #4990.
+  * Use NAS-Port-Id instead of NAS-Port during SQL simultaneous-use checks. Helps with #5010.
+
+
+Changes in version 3.2.2:
+
+Feature Improvements
+
+  * The "configure" process now gives a much clearer report when it's finished
+  * Fallback to "uname -n" on missing "hostname". Fixes #4771.
+  * Export thread details in radmin "stats threads". Fixes #4770.
+  * Improve queries for processing radacct into periodic usage data
+  * Update dictionary.juniper.
+  * Add dictionary.calix.
+  * Fix dictionary.rfc6519 DS-Lite-Tunnel-Name to be "octets".
+  * Update documentation for robust-proxy-accounting, and be more aggressive about sending packets.
+  * Add per-module README.md files in the source.
+  * Add default Visual Studio configuration for developers.
+  * Postgres can now automatically use alternate queries for errors other than duplicate keys.
+  * %{listen:TLS-PSK-Identity} is now set when using PSK and psk_query This
+    helps the server track the identity of the client which is connecting.
+  * Include thread stats in Status-Server attributes. Fixes #4870.
+  * Mark rlm_unbound stable and add to packages.
+  * Remove broken/unsupported Dockerfiles for centos8 and debian9.
+
+Bug Fixes
+
+  * Preliminary support for non-blocking TLS sockets. Helps with #3501.
+  * Fix support for partial certificate chains after adding reload support. Fixes #4753.
+  * Fix handling of debug_condition.
+  * Clean up home server states, and re-sync with the dictionaries.
+  * Correct certificate order when creating TLS-* attributes Fixes #4785.
+  * Update use of isalpha() etc. so broken configurations have less impact on the server.
+  * Outgoing TLS sockets now set SNI correctly from the "hostname" configuration item.
+  * Support Apple Homebrew on the M1. Fixes #4754.
+  * Better error messages when %{listen:TLS-...} is used.
+  * Getting statistics via Status-Server can now be done within a virtual server. Fixes #4868.
+  * Make TTLS+MS-CHAP work with TLS 1.3. Fixes #4878.
+  * Fix md5 xlat memory leak when using OpenSSL 3.0
+
+- freeradius-server-rlm_sql_unixodbc-configure.patch: refreshed
+- spec file cleanup: remove duplicate BR: from subpackages
+
 -------------------------------------------------------------------
 Mon Feb  6 16:57:33 UTC 2023 - Adam Majer <adam.majer@suse.de>
 
diff --git a/freeradius-server.spec b/freeradius-server.spec
index 0245336..2cbe8b8 100644
--- a/freeradius-server.spec
+++ b/freeradius-server.spec
@@ -18,7 +18,7 @@
 
 %define unitname radiusd
 Name:           freeradius-server
-Version:        3.2.1
+Version:        3.2.3
 Release:        0
 
 # Disable FreeTDS on SLE12. We never shipped it enabled with FreeTDS.
@@ -94,6 +94,7 @@ Obsoletes:      freeradius < %{version}
 Conflicts:      icradius
 Conflicts:      radiusd-cistron
 Conflicts:      radiusd-livingston
+BuildRequires:  pkgconfig(libunbound)
 BuildRequires:  pkgconfig(systemd)
 %{?systemd_requires}
 
@@ -141,7 +142,6 @@ FreeRADIUS documentation.
 %package ldap
 Summary:        LDAP support for freeradius
 Group:          System/Daemons
-BuildRequires:  openldap2-devel
 Requires:       %{name} = %{version}
 
 %description ldap
@@ -158,7 +158,6 @@ FreeRADIUS schemas for OpenLDAP.
 %package krb5
 Summary:        Kerberos 5 support for freeradius
 Group:          System/Daemons
-BuildRequires:  krb5-devel
 Requires:       %{name} = %{version}
 
 %description krb5
@@ -167,8 +166,6 @@ FreeRADIUS plugin providing Kerberos 5 authentication support.
 %package perl
 Summary:        Perl support for freeradius
 Group:          System/Daemons
-BuildRequires:  perl
-BuildRequires:  perl(ExtUtils::Embed)
 Requires:       %{name} = %{version}
 Requires:       perl
 
@@ -186,7 +183,6 @@ FreeRADIUS plugin providing Python3 support.
 %package mysql
 Summary:        MySQL support for freeradius
 Group:          System/Daemons
-BuildRequires:  mysql-devel
 Requires:       %{name} = %{version}
 
 %description mysql
@@ -195,7 +191,6 @@ FreeRADIUS plugin providing MySQL support.
 %package postgresql
 Summary:        Postgresql support for freeradius
 Group:          System/Daemons
-BuildRequires:  postgresql-devel
 Requires:       %{name} = %{version}
 
 %description postgresql
@@ -204,7 +199,6 @@ FreeRADIUS plugin providing PostgreSQL support.
 %package sqlite
 Summary:        SQLite support for freeradius
 Group:          System/Daemons
-BuildRequires:  sqlite3-devel
 Requires:       %{name} = %{version}
 
 %description sqlite
@@ -242,6 +236,7 @@ export LDFLAGS="-pie"
   --without-rlm_sql_iodbc \
   --without-rlm_redis \
   --without-rlm_rediswho \
+  --without-rlm_cache_redis \
   --without-rlm_sql_oracle \
   --without-rlm_securid \
   --without-rlm_python \
@@ -663,6 +658,7 @@ done
 %{_libdir}/freeradius/rlm_sql_null.so
 %{_libdir}/freeradius/rlm_test.so
 %{_libdir}/freeradius/rlm_totp.so
+%{_libdir}/freeradius/rlm_unbound.so
 %{_libdir}/freeradius/rlm_unix.so
 %{_libdir}/freeradius/rlm_utf8.so
 %{_libdir}/freeradius/rlm_wimax.so