diff --git a/shadow-4.11.1.tar.xz b/shadow-4.11.1.tar.xz
deleted file mode 100644
index 8ffbf1f..0000000
--- a/shadow-4.11.1.tar.xz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:41f093ce58b2ae5f389a1c5553e0c18bc73e6fe27f66273891991198a7707c95
-size 1656584
diff --git a/shadow-4.11.1.tar.xz.asc b/shadow-4.11.1.tar.xz.asc
deleted file mode 100644
index f2a7fd2..0000000
--- a/shadow-4.11.1.tar.xz.asc
+++ /dev/null
@@ -1,11 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQEzBAABCgAdFiEEqb0/8XByttt4D8+UNXDaFycKziQFAmHSaooACgkQNXDaFycK
-ziQEowf8CnA6H9sohv45+YPfwzFs9Drj4iUX8q/v6z0SwzWtY2NeKGazABryeu9Q
-DadmXeSFqIUQgzMWV1FMNwP0wFACSxsodfzusRQ/eKHjG4+5elVAqXHnxhJDZqvt
-83iWXtGd+/L9mlpKfaWhSrSI/VPfzUQYYrmz/cMbkP3ijPmaCvW1Ke5pWrnhky5I
-Iur+BqkiA5+Gi/mChhDZzBuE3eaIDRPVOYkmL5tyDjK7SyFmsM0lhGNwZQ525gDJ
-9/NbkIAgz59lfcLZXjZ9Ui4hTh+YKjlSbsMlmo6Bpp29crwzfC3ppe69mwBywA3K
-nt2BZxeFv3mkBnQXPabCBE8gaR8ZIQ==
-=8xjr
------END PGP SIGNATURE-----
diff --git a/shadow-4.12.3.tar.xz b/shadow-4.12.3.tar.xz
new file mode 100644
index 0000000..248f68c
--- /dev/null
+++ b/shadow-4.12.3.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:3d3ec447cfdd11ab5f0486ebc47d15718349d13fea41fc8584568bc118083ccd
+size 1747620
diff --git a/shadow-4.12.3.tar.xz.asc b/shadow-4.12.3.tar.xz.asc
new file mode 100644
index 0000000..3a2e7e6
--- /dev/null
+++ b/shadow-4.12.3.tar.xz.asc
@@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAABCgAdFiEEqb0/8XByttt4D8+UNXDaFycKziQFAmMDfQYACgkQNXDaFycK
+ziQvPQf9HGXVezTAIW+tqa3T/Fpc1q8JPVXJO/GzNQPuyoqZCtHZihqgvc3gkdcB
+ZXIYXy1pB5lX6SEpSJjIeugXiUDBS465Q+Is1C76HqGh8dH7ws8tn4/ypA0S8/pv
+rkFT+sSjEqJLGCRpoRNoH2r++WkzUlags9aPabhZgJKHny31rSRAre0bsva7IGPs
+6iq1r4apKl8YssybAus3jmstxKj6y9S2Cmv+iEN0jY/+Oagrbl45p+NuHf/E0TSp
+sCnZCLtzUBb5LTeIfz15P+MfG+hDhFLPedWlLVTr7YZSWJVwf4gwttUWUOmSkkuF
+PEy7hhvMAd7X5Rtz/GVtfas+UUfekA==
+=WZd1
+-----END PGP SIGNATURE-----
diff --git a/shadow.changes b/shadow.changes
index 1887d68..1315405 100644
--- a/shadow.changes
+++ b/shadow.changes
@@ -1,3 +1,98 @@ +------------------------------------------------------------------- +Mon Aug 22 13:59:35 UTC 2022 - Michael Vetter + +- Update to 4.12.3: + Revert removal of subid_init, which should have bumped soname. + So note that 4.12 through 4.12.2 were broken for subid users. + +------------------------------------------------------------------- +Fri Aug 19 06:32:28 UTC 2022 - Michael Vetter + +- Update to 4.12.2: + * Address CVE-2013-4235 (TOCTTOU when copying directories) [bsc#916845] +- Refresh useradd-userkeleton.patch: + LSTAT() was removed with https://github.com/shadow-maint/shadow/pull/545 + Let's use fstatat() now. + +------------------------------------------------------------------- +Mon Aug 15 17:42:01 UTC 2022 - Michael Vetter + +- Update to 4.12.1: + * Fix uk manpages +- Remove shadow-4.12-remove-uk.patch: fixed upstream + +------------------------------------------------------------------- +Fri Aug 12 06:05:35 UTC 2022 - Michael Vetter + +- Update to 4.12: + * Add absolute path hint to --root + * Various cleanups + * Fix Ubuntu release used in CI tests + * add -F options to userad + * useradd manpage updates + * Check for ownerid (not just username) in subid ranges + * Declare file local functions static + * Use strict prototypes + * Do not drop const qualifier for Basename + * Constify various pointers + * Don't return uninitialized memory + * Don't let compiler optimize away memory cleaning + * Remove many obsolete compatibility checks and defines + * Modify ID range check in useradd + * Use "extern "C"" to make libsubid easier to use from C++ + * French translation updates + * Fix s/with-pam/with-libpam/ + * Spanish translation updates + * French translation fixes + * Default max group name length to 32 + * Fix PAM service files without-selinux + * Improve manpages + - groupadd, useradd, usermod + - groups and id + - pwck + * Add fedora to CI builds + * Fix condition under which pw_dir check happens + * logoutd: switch to strncat + * 
AUTHORS: improve markdown output + * Handle ERANGE errors correctly + * Check for fopen NULL return + * Split get_salt() into its own fn juyin) + * Get salt before chroot to ensure /dev/urandom. + * Chpasswd code cleanup + * Work around git safe.directory enforcement + * Alphabetize order in usermod help + * Erase password copy on error branches + * Suggest using --badname if needed + * Update translation files + * Correct badnames option to badname + * configure: replace obsolete autoconf macros + * tests: replace egrep with grep -E + * Update Ukrainian translations + * Cleanups + - Remove redeclared variable + - Remove commented out code and FIXMEs + - Add header guards + - Initialize local variables + * CI updates + - Create github workflow to install dependencies + - Enable CodeQL + - Update actions version + * libmisc: use /dev/urandom as fallback if other methods fail +- Add shadow-4.12-remove-uk.patch: + Disable non working Ukranian translation for now + https://github.com/shadow-maint/shadow/issues/547 + +------------------------------------------------------------------- +Tue Aug 9 06:29:07 UTC 2022 - Thorsten Kukuk + +- Remove duplicate pam.d/useradd entry +- Provide /etc/login.defs.d on SLE15 since we support and use it + +------------------------------------------------------------------- +Mon Aug 8 13:00:46 UTC 2022 - Thorsten Kukuk + +- Use %_pam_vendordir macro + ------------------------------------------------------------------- Wed Jan 12 16:52:39 UTC 2022 - Stanislav Brabec diff --git a/shadow.spec b/shadow.spec index 9c4024e..39dcd47 100644 --- a/shadow.spec +++ b/shadow.spec 
@@ -22,20 +22,20 @@ %define no_config 1 %endif Name: shadow -Version: 4.11.1 +Version: 4.12.3 Release: 0 Summary: Utilities to Manage User and Group Accounts License: BSD-3-Clause AND GPL-2.0-or-later Group: System/Base URL: https://github.com/shadow-maint/shadow -Source: https://github.com/shadow-maint/shadow/releases/download/v%{version}/shadow-%{version}.tar.xz +Source: https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz Source1: pamd.tar.bz2 Source3: useradd.local Source4: userdel-pre.local Source5: userdel-post.local Source6: shadow.service Source7: shadow.timer -Source42: https://github.com/shadow-maint/shadow/releases/download/v%{version}/shadow-%{version}.tar.xz.asc +Source42: https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz.asc Source43: %{name}.keyring # SOURCE-FEATURE-SUSE shadow-login_defs-check.sh sbrabec@suse.com -- Supplementary script that verifies coverage of variables in shadow-login_defs-unused-by-pam.patch and other patches. Source44: shadow-login_defs-check.sh @@ -231,9 +231,11 @@ rm %{buildroot}/%{_libdir}/libsubid.{la,a} # Move /etc to /usr/etc if [ ! -d %{buildroot}%{_distconfdir} ]; then mkdir -p %{buildroot}%{_distconfdir} - mv %{buildroot}%{_sysconfdir}/{login.defs,pam.d} %{buildroot}%{_distconfdir} - mkdir -p %{buildroot}%{_sysconfdir}/login.defs.d + mkdir -p %{buildroot}%{_pam_vendordir} + mv %{buildroot}%{_sysconfdir}/login.defs %{buildroot}%{_distconfdir} + mv %{buildroot}%{_sysconfdir}/pam.d/* %{buildroot}%{_pam_vendordir}/ fi +mkdir -p %{buildroot}%{_sysconfdir}/login.defs.d %find_lang shadow 
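Review bot: In the `@@ -231,9 +231,11 @@` hunk, `mv %{buildroot}%{_sysconfdir}/pam.d/* %{buildroot}%{_pam_vendordir}/` moves only the directory's contents, so an empty `%{buildroot}%{_sysconfdir}/pam.d` stays behind in the buildroot, whereas the replaced line moved the directory itself. Adding `rmdir %{buildroot}%{_sysconfdir}/pam.d` directly after the `mv` keeps the buildroot limited to the paths the no_config `%files` list names. The block also depends on `%{_pam_vendordir}` being defined on every target where this shell branch runs; where the macro comes from is outside the hunk, so a one-line comment such as `# %{_pam_vendordir} is provided by <package>` would help the next maintainer.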
@@ -299,19 +301,18 @@ test -f %{_sysconfdir}/login.defs.rpmsave && mv -v %{_sysconfdir}/login.defs.rpm %verify(not md5 size mtime) %config(noreplace) %{_sysconfdir}/subuid %verify(not md5 size mtime) %config(noreplace) %{_sysconfdir}/subgid %if %{defined no_config} -%{_distconfdir}/pam.d/chage -%{_distconfdir}/pam.d/chfn -%{_distconfdir}/pam.d/chsh -%{_distconfdir}/pam.d/passwd -%{_distconfdir}/pam.d/useradd -%{_distconfdir}/pam.d/chpasswd -%{_distconfdir}/pam.d/groupadd -%{_distconfdir}/pam.d/groupdel -%{_distconfdir}/pam.d/groupmod -%{_distconfdir}/pam.d/newusers -%{_distconfdir}/pam.d/useradd -%{_distconfdir}/pam.d/userdel -%{_distconfdir}/pam.d/usermod +%{_pam_vendordir}/chage +%{_pam_vendordir}/chfn +%{_pam_vendordir}/chsh +%{_pam_vendordir}/passwd +%{_pam_vendordir}/chpasswd +%{_pam_vendordir}/groupadd +%{_pam_vendordir}/groupdel +%{_pam_vendordir}/groupmod +%{_pam_vendordir}/newusers +%{_pam_vendordir}/useradd +%{_pam_vendordir}/userdel +%{_pam_vendordir}/usermod %else %config %{_sysconfdir}/pam.d/chage %config %{_sysconfdir}/pam.d/chfn @@ -389,8 +390,8 @@ test -f %{_sysconfdir}/login.defs.rpmsave && mv -v %{_sysconfdir}/login.defs.rpm %{_unitdir}/* %files -n login_defs -%if %{defined no_config} %dir %{_sysconfdir}/login.defs.d +%if %{defined no_config} %attr(0644,root,root) %{_distconfdir}/login.defs %else %attr(0644,root,root) %config %{_sysconfdir}/login.defs diff --git a/useradd-userkeleton.patch b/useradd-userkeleton.patch index deb4db6..0b22f76 100644 --- a/useradd-userkeleton.patch +++ b/useradd-userkeleton.patch @@ -27,7 +27,7 @@ Index: src/useradd.c static const char *def_create_mail_spool = "yes"; static const char *def_log_init = "yes"; -@@ -185,6 +189,7 @@ static bool home_added = false; +@@ -188,6 +192,7 @@ static bool home_added = false; #define DINACT "INACTIVE=" #define DEXPIRE "EXPIRE=" #define DSKEL "SKEL=" 
@@ -35,7 +35,7 @@ Index: src/useradd.c #define DCREATE_MAIL_SPOOL "CREATE_MAIL_SPOOL=" #define DLOG_INIT "LOG_INIT=" -@@ -458,6 +463,29 @@ static void get_defaults (void) +@@ -461,6 +466,29 @@ static void get_defaults (void) } /* @@ -45,7 +45,7 @@ Index: src/useradd.c + if ('\0' == *cp) { + cp = USRSKELDIR; /* XXX warning: const */ + } -+ ++ + if(prefix[0]) { + size_t len; + int wlen; @@ -65,7 +65,7 @@ Index: src/useradd.c * Create by default user mail spool or not ? */ else if (MATCH (buf, DCREATE_MAIL_SPOOL)) { -@@ -499,6 +527,7 @@ static void show_defaults (void) +@@ -502,6 +530,7 @@ static void show_defaults (void) printf ("EXPIRE=%s\n", def_expire); printf ("SHELL=%s\n", def_shell); printf ("SKEL=%s\n", def_template); @@ -73,7 +73,7 @@ Index: src/useradd.c printf ("CREATE_MAIL_SPOOL=%s\n", def_create_mail_spool); printf ("LOG_INIT=%s\n", def_log_init); } -@@ -527,6 +556,7 @@ static int set_defaults (void) +@@ -530,6 +559,7 @@ static int set_defaults (void) bool out_expire = false; bool out_shell = false; bool out_skel = false; @@ -81,7 +81,7 @@ Index: src/useradd.c bool out_create_mail_spool = false; bool out_log_init = false; size_t len; -@@ -640,6 +670,9 @@ static int set_defaults (void) +@@ -643,6 +673,9 @@ static int set_defaults (void) } else if (!out_skel && MATCH (buf, DSKEL)) { fprintf (ofp, DSKEL "%s\n", def_template); out_skel = true; @@ -91,7 +91,7 @@ Index: src/useradd.c } else if (!out_create_mail_spool && MATCH (buf, DCREATE_MAIL_SPOOL)) { fprintf (ofp, -@@ -675,6 +708,8 @@ static int set_defaults (void) +@@ -678,6 +711,8 @@ static int set_defaults (void) fprintf (ofp, DSHELL "%s\n", def_shell); if (!out_skel) fprintf (ofp, DSKEL "%s\n", def_template); 
@@ -100,7 +100,7 @@ Index: src/useradd.c if (!out_create_mail_spool) fprintf (ofp, DCREATE_MAIL_SPOOL "%s\n", def_create_mail_spool); -@@ -2739,6 +2774,8 @@ int main (int argc, char **argv) +@@ -2756,6 +2791,8 @@ int main (int argc, char **argv) if (home_added) { copy_tree (def_template, prefix_user_home, false, true, (uid_t)-1, user_id, (gid_t)-1, user_gid); @@ -113,22 +113,22 @@ Index: libmisc/copydir.c =================================================================== --- libmisc/copydir.c.orig +++ libmisc/copydir.c -@@ -395,6 +395,14 @@ static int copy_entry (const char *src, - old_uid, new_uid, old_gid, new_gid); +@@ -453,6 +453,14 @@ static int copy_entry (const struct path } -+ /* + /* + * If the destination already exists do nothing. + * This is after the copy_dir above to still iterate into subdirectories. + */ -+ if (LSTAT (dst, &sb) != -1) { ++ if (fstatat(dst->dirfd, dst->name, &sb, AT_SYMLINK_NOFOLLOW) != -1) { + return 0; + } + - #ifdef S_IFLNK - /* ++ /* * Copy any symbolic links -@@ -456,6 +464,7 @@ static int copy_dir (const char *src, co + */ + +@@ -511,6 +519,7 @@ static int copy_dir (const struct path_i gid_t old_gid, gid_t new_gid) { int err = 0; 
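Review bot: The test added in the copy_entry hunk (`@@ -453,6 +453,14 @@`), `if (fstatat(dst->dirfd, dst->name, &sb, AT_SYMLINK_NOFOLLOW) != -1)`, is a check separate from whatever later creates the entry, so on its own it does not guarantee that nothing exists at `dst->name` when the copy happens; the copy_dir hunk that follows has the same stat-then-act shape in front of `copy_tree`. As this refresh accompanies the CVE-2013-4235 TOCTTOU update, the comment should say that the stat is only a shortcut and that the creation calls further down (outside the hunk) must themselves refuse an existing or symlinked target, for example `* The stat is an optimisation only; creation below must still fail on an existing target.` The test also treats every fstatat() failure as "absent", although only `errno == ENOENT` means that. It writes into `sb`, which may be the buffer holding the source entry's stat (its declaration is not in the hunk), so the later type checks would then depend on a failed call leaving it untouched. copy_entry starts and ends outside the hunk.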
@@ -136,20 +136,20 @@ Index: libmisc/copydir.c /* * Create a new target directory, make it owned by -@@ -467,6 +476,16 @@ static int copy_dir (const char *src, co +@@ -522,6 +531,16 @@ static int copy_dir (const struct path_i return -1; } #endif /* WITH_SELINUX */ + -+ /* -+ * If the destination is already a directory, don't change it -+ * but copy into it (recursively). -+ */ -+ if (LSTAT (dst, &dst_sb) == 0 && S_ISDIR(dst_sb.st_mode)) { -+ return (copy_tree (src, dst, false, reset_selinux, -+ old_uid, new_uid, old_gid, new_gid) != 0); -+ } ++ /* ++ * If the destination is already a directory, don't change it ++ * but copy into it (recursively). ++ */ ++ if (fstatat(dst->dirfd, dst->name, &dst_sb, AT_SYMLINK_NOFOLLOW) == 0 && S_ISDIR(dst_sb.st_mode)) { ++ return (copy_tree (src, dst, false, reset_selinux, ++ old_uid, new_uid, old_gid, new_gid) != 0); ++ } + - if ( (mkdir (dst, statp->st_mode) != 0) - || (chown_if_needed (dst, statp, + if ( (mkdirat (dst->dirfd, dst->name, statp->st_mode) != 0) + || (chownat_if_needed (dst, statp, old_uid, new_uid, old_gid, new_gid) != 0)
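Review bot: The early return added in the copy_dir hunk, `return (copy_tree (src, dst, false, reset_selinux, old_uid, new_uid, old_gid, new_gid) != 0);`, reports failure as 1, while the failure path visible just above it uses `return -1;`. A caller that tests for a negative value would treat a failed recursive copy as success, so `if (copy_tree (...) != 0) { return -1; }` followed by `return 0;` keeps a single convention; how callers test the result is outside the hunk. The comment could also state that a non-directory at `dst->name` (a symlink included, because of `AT_SYMLINK_NOFOLLOW`) deliberately falls through to `mkdirat`, which then fails because the name already exists. copy_dir starts and ends outside the hunk.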