diff --git a/ocserv-0.10.5.tar.xz b/ocserv-0.10.5.tar.xz
deleted file mode 100644
index 0e6cea3..0000000
--- a/ocserv-0.10.5.tar.xz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:62a2b087f21b257a1ea433c12f6937d2a2f5ef30eedbe4739b0407405de474b8
-size 705828
diff --git a/ocserv-0.10.9.tar.xz b/ocserv-0.10.9.tar.xz
new file mode 100644
index 0000000..21fb147
--- /dev/null
+++ b/ocserv-0.10.9.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:96d0ea22e811a70e46561ffe29c4e6b1cc014ee24d353c0367ca72edcedf533c
+size 718004
diff --git a/ocserv.changes b/ocserv.changes
index a75e322..57cac6d 100644
--- a/ocserv.changes
+++ b/ocserv.changes
@@ -1,3 +1,59 @@
+-------------------------------------------------------------------
+Wed Oct 21 11:34:00 UTC 2015 - i@marguerite.su
+
+- update version 0.10.9
+ * When compiled with GnuTLS 3.4 automatically sort the certificate
+ list to be imported
+ * Reload the CRL during periodic maintaince if its modification
+ time changes
+ * Address issue with duplicate check failing on IPv6 addresses
+ * Added the ability to specify a UsersFile in plain auth for using
+ an OTP
+ This allows to use an OTP 2nd factor authentication without having
+ to rely on PAM. This change, also enables the usage of an empty
+ password field in the password file if an OTP file is present
+ * Allow loading DER-encoded CRLs
+ * Re-added the PAM accounting method. That accounting method can
+ be combined with any authentication method, and can be used to
+ check for a valid system account
+- changes in 0.10.8
+ * Pass the proxy protocol information at earlier stage to main
+ process, to allow the correct information to be passed at the
+ connect script and occtl
+ * Added the IP_REAL_LOCAL environment variable to scripts. This
+ passes the local IP the client connected to
+ * The PAM accounting method was dropped as there was no practical
+ usage of it, the way it was implemented
+ * When assigning IPv6 addresses use the whole available netmask
+ * occtl: Print the local IP the client connected to, with the
+ client information
+ * occtl: Print the configured for the client split-dns domains
+- changes in 0.10.7
+ * Added a fuzzying factor to CPU intensive, or radius communication
+ tasks when initiated by worker process. That avoids a very
+ high load periodically, e.g., when multiple clients connect
+ at the same time
+ * Added support for haproxy's protocol v2 format. That allows
+ to report the correct client IP even on proxied sessions.
+ It introduces the configuration option listen-proxy-proto
+ * occtl: added -n/--no-pager option. That allows to disable
+ pager explicitly
+ * occtl: fixed several cases of invalid JSON output
+- changes in 0.10.6
+ * Transmit packets to the last incoming source, allowing faster
+ switch of the communication channel
+ * The worker processes will utilize the UDP socket address
+ (if any), when reporting peer's address if the listen-clear-file
+ option is set
+ * Lifted the limit on the number of configuration options. That
+ allows to add an "unlimited" number of 'route' options
+ * Support encrypted key files. That adds the key-pin and srk-pin
+ configuration options
+ * The dbus communication option has been dropped
+ * Radius: depend on radcli radius library
+ * occtl: added -j/--json option. That allows to output in a
+ JSON format
+
 -------------------------------------------------------------------
 Mon Jun 8 13:51:18 UTC 2015 - i@marguerite.su
diff --git a/ocserv.config.patch b/ocserv.config.patch
index ef40546..9bff168 100644
--- a/ocserv.config.patch
+++ b/ocserv.config.patch
@@ -1,17 +1,17 @@
-Index: ocserv-0.10.5/doc/sample.config
+Index: ocserv-0.10.9/doc/sample.config
 ===================================================================
---- ocserv-0.10.5.orig/doc/sample.config
-+++ ocserv-0.10.5/doc/sample.config
-@@ -36,7 +36,7 @@
- 
+--- ocserv-0.10.9.orig/doc/sample.config
++++ ocserv-0.10.9/doc/sample.config
+@@ -39,7 +39,7 @@
  #auth = "pam"
  #auth = "pam[gid-min=1000]"
+ #auth = "plain[passwd=./sample.passwd,otp=./sample.otp]"
 -auth = "plain[passwd=./sample.passwd]"
 +auth = "plain[passwd=/etc/ocserv/ocpasswd]"
  #auth = "certificate"
  #auth = "radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true]"
-@@ -68,8 +68,8 @@ auth = "plain[passwd=./sample.passwd]"
+@@ -72,8 +72,8 @@ auth = "plain[passwd=./sample.passwd]"
  #listen-host-is-dyndns = true
  # TCP and UDP port number
@@ -22,25 +22,7 @@ Index: ocserv-0.10.5/doc/sample.config
  # Accept connections using a socket file. It accepts HTTP
  # connections (i.e., without SSL/TLS unlike its TCP counterpart),
-@@ -102,7 +102,7 @@ socket-file = /var/run/ocserv-socket
- # system calls allowed to a worker process, in order to reduce damage from a
- # bug in the worker process. It is available on Linux systems at a performance cost.
- # The performance cost is roughly 2% overhead at transfer time (tested on a Linux 3.17.8).
--isolate-workers = true
-+isolate-workers = false
- 
- # A banner to be displayed on clients
- #banner = "Welcome"
-@@ -148,7 +148,7 @@ dpd = 90
- mobile-dpd = 1800
- 
- # MTU discovery (DPD must be enabled)
--try-mtu-discovery = false
-+try-mtu-discovery = true
- 
- # The key and the certificates of the server
- # The key may be a file, or any URL supported by GnuTLS (e.g.,
-@@ -160,8 +160,8 @@ try-mtu-discovery = false
+@@ -108,8 +108,8 @@ socket-file = /var/run/ocserv-socket
  #
  # There may be multiple server-cert and server-key directives,
  # but each key should correspond to the preceding certificate.
@@ -51,16 +33,34 @@ Index: ocserv-0.10.5/doc/sample.config
  # Diffie-Hellman parameters. Only needed if you require support
  # for the DHE ciphersuites (by default this server supports ECDHE).
-@@ -187,7 +187,7 @@ server-key = ../tests/server-key.pem
+@@ -135,7 +135,7 @@ server-key = ../tests/server-key.pem
  # The Certificate Authority that will be used to verify
  # client certificates (public keys) if certificate authentication
  # is set.
 -ca-cert = ../tests/ca.pem
 +ca-cert = /etc/ocserv/certificates/ca-cert.pem
- # The object identifier that will be used to read the user ID in the client
- # certificate. The object identifier should be part of the certificate's DN
-@@ -320,8 +320,8 @@ rekey-method = ssl
+ 
+ ### All configuration options below this line are reloaded on a SIGHUP.
+@@ -145,7 +145,7 @@ ca-cert = ../tests/ca.pem
+ # system calls allowed to a worker process, in order to reduce damage from a
+ # bug in the worker process. It is available on Linux systems at a performance cost.
+ # The performance cost is roughly 2% overhead at transfer time (tested on a Linux 3.17.8).
+-isolate-workers = true
++isolate-workers = false
+ 
+ # A banner to be displayed on clients
+ #banner = "Welcome"
+@@ -197,7 +197,7 @@ dpd = 90
+ mobile-dpd = 1800
+ 
+ # MTU discovery (DPD must be enabled)
+-try-mtu-discovery = false
++try-mtu-discovery = true
+ 
+ # If you have a certificate from a CA that provides an OCSP
+ # service you may provide a fresh OCSP status response within
+@@ -341,8 +341,8 @@ rekey-method = ssl
  # STATS_BYTES_OUT, STATS_DURATION that contain a 64-bit counter of the bytes
  # output from the tun device, and the duration of the session in seconds.
@@ -71,7 +71,7 @@ Index: ocserv-0.10.5/doc/sample.config
  # UTMP
  # Register the connected clients to utmp. This will allow viewing
-@@ -377,7 +377,7 @@ ipv4-netmask = 255.255.255.0
+@@ -401,7 +401,7 @@ ipv4-netmask = 255.255.255.0
  # The advertized DNS server. Use multiple lines for
  # multiple servers.
  # dns = fc00::4be0
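Review bot: The relocated inner hunk `+@@ -145,7 +145,7 @@` keeps `isolate-workers = false` in the packaged sample.config, which turns off the worker hardening that the surrounding context lines describe (restricting a worker's system calls to limit damage from a worker bug, at roughly 2% transfer overhead), and neither this patch nor the ocserv.changes entry in the commit records why the package overrides upstream's `true`. The setting is only moved by the rebase, so the override predates this commit, but the rebase is the natural moment to justify it, e.g. a line `# packaging: isolate-workers=false because <reason, e.g. build lacks seccomp support>` in the free text above the first `Index:` line of ocserv.config.patch (patch tools ignore that preamble) or a sentence in the .changes entry. If no reason remains, dropping that inner hunk so the upstream default applies is the simpler fix. The `try-mtu-discovery = true` override in the same hunk is equally undocumented; the context line `# MTU discovery (DPD must be enabled)` together with the `dpd = 90` in the inner header context suggests it is consistent, but a one-line rationale would help there too.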
@@ -80,7 +80,7 @@ Index: ocserv-0.10.5/doc/sample.config
  # The NBNS server (if any)
  #nbns = 192.168.1.3
-@@ -414,8 +414,8 @@ ping-leases = false
+@@ -438,8 +438,8 @@ ping-leases = false
  # comment out all routes from the server, or use the special keyword
  # 'default'.
@@ -91,10 +91,10 @@ Index: ocserv-0.10.5/doc/sample.config
  #route = fef4:db8:1000:1001::/64
  # Subsets of the routes above that will not be routed by
-Index: ocserv-0.10.5/doc/systemd/socket-activated/ocserv.socket
+Index: ocserv-0.10.9/doc/systemd/socket-activated/ocserv.socket
 ===================================================================
---- ocserv-0.10.5.orig/doc/systemd/socket-activated/ocserv.socket
-+++ ocserv-0.10.5/doc/systemd/socket-activated/ocserv.socket
+--- ocserv-0.10.9.orig/doc/systemd/socket-activated/ocserv.socket
++++ ocserv-0.10.9/doc/systemd/socket-activated/ocserv.socket
 @@ -2,8 +2,8 @@
  Description=OpenConnect SSL VPN server Socket
diff --git a/ocserv.spec b/ocserv.spec
index 0c09ec0..1c77023 100644
--- a/ocserv.spec
+++ b/ocserv.spec
@@ -16,7 +16,7 @@
 #
 Name: ocserv
-Version: 0.10.5
+Version: 0.10.9
 Release: 0
 License: GPL-2.0+
 Summary: OpenConnect VPN Server
@@ -120,7 +120,7 @@ install -m 0644 doc/systemd/socket-activated/ocserv.service %{buildroot}%{_unitd
 %files
 %defattr(-,root,root)
-%doc AUTHORS ChangeLog LICENSE NEWS README COPYING TODO
+%doc AUTHORS ChangeLog LICENSE NEWS README.md COPYING TODO
 %config %{_sysconfdir}/ocserv
 %{_bindir}/occtl
 %{_bindir}/ocpasswd