diff --git a/go1.18.8.src.tar.gz b/go1.18.8.src.tar.gz
deleted file mode 100644
index 658e205..0000000
--- a/go1.18.8.src.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:1f79802305015479e77d8c641530bc54ec994657d5c5271e0172eb7118346a12
-size 22873390
diff --git a/go1.18.9.src.tar.gz b/go1.18.9.src.tar.gz
new file mode 100644
index 0000000..8615b6f
--- /dev/null
+++ b/go1.18.9.src.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:fbe7f09b96aca3db6faeaf180da8bb632868ec049731e355ff61695197c0e3ea
+size 22878625
diff --git a/go1.18.changes b/go1.18.changes
index e1e76bf..0232ae1 100644
--- a/go1.18.changes
+++ b/go1.18.changes
@@ -1,3 +1,23 @@
+-------------------------------------------------------------------
+Tue Dec  6 20:49:04 UTC 2022 - Jeff Kowalczyk <jkowalczyk@suse.com>
+
+- go1.18.9 (released 2022-12-06) includes security fixes to the
+  net/http and os packages, as well as bug fixes to cgo, the
+  compiler, the runtime, and the crypto/x509 and os/exec packages.
+  Refs boo#1193742 go1.18 release tracking
+  CVE-2022-41717 CVE-2022-41720
+  * go#57008 boo#1206135 security: fix CVE-2022-41717 net/http: limit canonical header cache by bytes, not entries
+  * go#57005 boo#1206134 security: fix CVE-2022-41720 os, net/http: avoid escapes from os.DirFS and http.Dir on Windows
+  * go#56751 runtime,cmd/compile: apparent memory corruption in compress/flate
+  * go#56709 net: builders failing TestLookupDotsWithRemoteSource and TestLookupGoogleSRV due to missing host for _xmpp-server._tcp.google.com
+  * go#56675 x/net/http2/h2c: ineffective mitigation for unsafe io.ReadAll
+  * go#56635 runtime: traceback stuck in runtime.systemstack
+  * go#56556 cmd/compile: some x/sys versions no longer build due to "go:linkname must refer to declared function or variable"
+  * go#56550 os/exec: Plan 9 build has been broken by a Windows security fix (also breaks 1.19.3 and 1.18.8)
+  * go#56437 crypto/x509: respect GODEBUG changes during program lifetime
+  * go#56396 runtime: on linux/PPC64, usleep computes incorrect tv_nsec parameter
+  * go#56359 cmd/compile: panic: offset too large
+
 -------------------------------------------------------------------
 Tue Nov  1 17:18:30 UTC 2022 - Jeff Kowalczyk <jkowalczyk@suse.com>
 
diff --git a/go1.18.spec b/go1.18.spec
index 17f42cf..5877ba3 100644
--- a/go1.18.spec
+++ b/go1.18.spec
@@ -134,7 +134,7 @@
 %endif
 
 Name:           go1.18
-Version:        1.18.8
+Version:        1.18.9
 Release:        0
 Summary:        A compiled, garbage-collected, concurrent programming language
 License:        BSD-3-Clause