diff --git a/git-2.14.0.tar.sign b/git-2.14.0.tar.sign deleted file mode 100644 index 3a07df5..0000000 Binary files a/git-2.14.0.tar.sign and /dev/null differ diff --git a/git-2.14.0.tar.xz b/git-2.14.0.tar.xz deleted file mode 100644 index 7bf1777..0000000 --- a/git-2.14.0.tar.xz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:f93e6e6a307d2e953cccafd9f4003c62992628fa508d07586476c953c1655975 -size 4790932 diff --git a/git-2.14.1.tar.sign b/git-2.14.1.tar.sign new file mode 100644 index 0000000..49ca2eb Binary files /dev/null and b/git-2.14.1.tar.sign differ diff --git a/git-2.14.1.tar.xz b/git-2.14.1.tar.xz new file mode 100644 index 0000000..eb894f1 --- /dev/null +++ b/git-2.14.1.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:6f724c6d0e9e13114ab35db6f67e1b2c1934b641e89366e6a0e37618231f2cc6 +size 4791876 diff --git a/git.changes b/git.changes index 87b38e1..46c485d 100644 --- a/git.changes +++ b/git.changes 
@@ -1,3 +1,28 @@ +------------------------------------------------------------------- +Thu Aug 10 19:19:07 UTC 2017 - astieger@suse.com + +- git 2.14.1 (bsc#1052481): + * Security fix for CVE-2017-1000117: A malicious third-party can + give a crafted "ssh://..." URL to an unsuspecting victim, and + an attempt to visit the URL can result in any program that + exists on the victim's machine being executed. Such a URL could + be placed in the .gitmodules file of a malicious project, and + an unsuspecting victim could be tricked into running + "git clone --recurse-submodules" to trigger the vulnerability. + * A "ssh://..." URL can result in a "ssh" command line with a + hostname that begins with a dash "-", which would cause the + "ssh" command to instead (mis)treat it as an option. This is + now prevented by forbidding such a hostname (which should not + impact any real-world usage). + * Similarly, when GIT_PROXY_COMMAND is configured, the command + is run with host and port that are parsed out from "ssh://..." + URL; a poorly written GIT_PROXY_COMMAND could be tricked into + treating a string that begins with a dash "-" as an option. + This is now prevented by forbidding such a hostname and port + number (again, which should not impact any real-world usage). + * In the same spirit, a repository name that begins with a dash + "-" is also forbidden now. + ------------------------------------------------------------------- Sat Aug 5 14:23:43 UTC 2017 - astieger@suse.com diff --git a/git.spec b/git.spec index 52113ae..9e0ea48 100644 --- a/git.spec +++ b/git.spec @@ -26,7 +26,7 @@ %endif Name: git -Version: 2.14.0 +Version: 2.14.1 Release: 0 Summary: Fast, scalable, distributed revision control system License: GPL-2.0
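Review bot: the replacement of git-2.14.0.tar.xz/.sign with git-2.14.1.tar.xz/.sign cannot be verified from this diff: the LFS pointer only records oid sha256:6f724c6d0e9e13114ab35db6f67e1b2c1934b641e89366e6a0e37618231f2cc6 and size 4791876, and the .sign file appears solely as "Binary files /dev/null and b/git-2.14.1.tar.sign differ". Please confirm in the review that the new tarball was checked against the new detached signature with the upstream release key before merging, since a version bump that fixes a CVE is exactly where a swapped tarball would be most damaging.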
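Review bot: in the git.changes hunk, the three bullets following "Security fix for CVE-2017-1000117" read as if they were separate issues, although the wording ("Similarly", "In the same spirit") indicates they are the mitigations for that same CVE (rejecting a hostname, a port number and a repository name beginning with "-"). Consider making that explicit, for example by indenting them under the first bullet or prefixing them with "Fixed by:", so a reader scanning the changelog does not count four vulnerabilities.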
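Review bot: the git.spec hunk only changes "Version: 2.14.0" to "Version: 2.14.1" and leaves "Release: 0"; that is fine where the build service assigns release numbers, but the hunk does not show the Source: lines, so please confirm they reference %{version} (or were updated) so that the renamed git-2.14.1.tar.xz and git-2.14.1.tar.sign are actually picked up by the build.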