diff --git a/oath-toolkit-2.4.0.tar.gz b/oath-toolkit-2.4.0.tar.gz
deleted file mode 100644
index 49c8e4b..0000000
--- a/oath-toolkit-2.4.0.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:66ebf924304409356b35a3423e4b7255996c5a42503c3188bf08c6446f436ddc
-size 4137994
diff --git a/oath-toolkit-2.4.1.tar.gz b/oath-toolkit-2.4.1.tar.gz
new file mode 100644
index 0000000..b7e1aa0
--- /dev/null
+++ b/oath-toolkit-2.4.1.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:9bfa42cbc100eb6c43d2bf83e3badc51d9e6f4950a92e07513ae586d0c5e9b24
+size 4136649
diff --git a/oath-toolkit.changes b/oath-toolkit.changes
index 66d18f7..2482adf 100644
--- a/oath-toolkit.changes
+++ b/oath-toolkit.changes
@@ -1,3 +1,16 @@
+-------------------------------------------------------------------
+Sat Jan 24 10:29:53 UTC 2015 - mardnh@gmx.de
+
+- Update to version 2.4.1:
+ + liboath: Fix usersfile bug that caused it to update the wrong line.
+ When an usersfile contain multiple lines for the same user but with an
+ unparseable token type (e.g., HOTP vs TOTP), the code would update the
+ wrong line of the file. Since the then updated line could be a
+ commented out line, this can lead to the same OTP being accepted
+ multiple times which is a security vulnerability. Reported by Bas van
+ Schaik and patch provided by Ilkka Virta
+ . CVE-2013-7322
+
 -------------------------------------------------------------------
 Fri Jul 11 18:14:17 UTC 2014 - darin@darins.net
diff --git a/oath-toolkit.spec b/oath-toolkit.spec
index 11244d9..713129f 100644
--- a/oath-toolkit.spec
+++ b/oath-toolkit.spec
@@ -18,7 +18,7 @@
 %define build_pskc 0
 Name: oath-toolkit
-Version: 2.4.0
+Version: 2.4.1
 Release: 0
 Summary: Toolkit for one-time password authentication systems
 License: GPL-3.0+