diff --git a/cert_support.tar.gz b/cert_support.tar.gz
new file mode 100644
index 0000000..c4d2154
--- /dev/null
+++ b/cert_support.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:12795b0b9f5ec2fd1c4458564823df4c089018e56e9c3f911d7a1eff6652993c
+size 4970
diff --git a/paramiko-2.2.1.tar.gz b/paramiko-2.2.1.tar.gz
deleted file mode 100644
index 6877526..0000000
--- a/paramiko-2.2.1.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:ff94ae65379914ec3c960de731381f49092057b6dd1d24d18842ead5a2eb2277
-size 1205818
diff --git a/paramiko-2.3.1.tar.gz b/paramiko-2.3.1.tar.gz
new file mode 100644
index 0000000..75ecfff
--- /dev/null
+++ b/paramiko-2.3.1.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:fa6b4f5c9d88f27c60fd9578146ff24e99d4b9f63391ff1343305bfd766c4660
+size 1244407
diff --git a/python-paramiko.changes b/python-paramiko.changes
index 62a969b..04ac941 100644
--- a/python-paramiko.changes
+++ b/python-paramiko.changes
@@ -1,3 +1,55 @@
+-------------------------------------------------------------------
+Thu Oct  5 11:12:50 UTC 2017 - mimi.vx@gmail.com
+
+- update to 2.3.1
+  + cert_support.tar.gz - missing test certificates for testsuite
+  * Certificate support broke the no-certificate case for Ed25519 keys 
+      (symptom is an AttributeError about public_blob.) This went uncaught
+      due to cert autoload behavior (i.e. our test suite never actually ran 
+      the no-cert case, because the cert existed!) Both issues have been fixed. 
+  * Implement basic client-side certificate authentication
+      (as per the OpenSSH vendor extension.)
+  * Added pre-authentication banner support for the server interface
+      (ServerInterface.get_banner plus related support in Transport/AuthHandler.) 
+  * Update Ed25519Key so its constructor offers the same file_obj parameter
+      as its sibling key classes.
+  * Add a gss_trust_dns option to Client and Transport to allow explicitly
+      setting whether or not DNS canonicalization should occur when using GSSAPI. 
+  * Paramiko originally defaulted to zlib compression level 9
+      (when one connects with compression=True; it defaults to off.) This has been
+      found to be quite wasteful and tends to cause much longer transfers in most
+      cases, than is necessar
+  * Enhance documentation around the new SFTP.posix_rename method
+      so it’s referenced in the ‘standard’ rename method for increased visibility.
+  * Modify logic around explicit disconnect messages, and unknown-channel situations,
+      so that they rely on centralized shutdown code instead of running their own.
+      This is at worst removing some unnecessary code, and may help with some
+      situations where Paramiko hangs at the end of a session.
+  * Display exception type and message when logging auth-rejection messages
+      (ones reading Auth rejected: unsupported or mangled public key); previously
+      this error case had a bare except and did not display exactly why the key
+      failed.
+  * Ed25519 keys never got proper API documentation support; this has been fixed.
+  * Update how we use Cryptography‘s signature/verification methods
+        so we aren’t relying on a deprecated API.
+
+-------------------------------------------------------------------
+Thu Oct  5 10:33:48 UTC 2017 - mimi.vx@gmail.com
+
+- update to 2.2.2:
+  * SSHClient now requests the type of host key it has (e.g. from known_hosts)
+    and does not consider a different type to be a “Missing” host key.
+    This fixes a common case where an ECDSA key is in known_hosts and the server
+    also has an RSA host key.
+  * Fix up host-key checking in our GSSAPI support, which was previously
+    using an incorrect API call
+  * Fix key exchange (kex) algorithm list for GSSAPI authentication;
+    reviously, the list used solely out-of-date algorithms, and now contains 
+    newer ones listed preferentially before the old
+  * Clean up GSSAPI authentication procedures so they do not prevent normal
+    fallback to other authentication methods on failure.
+  * Add rekeying support to GSSAPI connections, which was erroneously missing.
+
 -------------------------------------------------------------------
 Thu Aug 10 08:11:25 UTC 2017 - tbechtold@suse.com
 
diff --git a/python-paramiko.spec b/python-paramiko.spec
index fd87d99..eec8e3e 100644
--- a/python-paramiko.spec
+++ b/python-paramiko.spec
@@ -20,13 +20,15 @@
 
 %{?!python_module:%define python_module() python-%{**} python3-%{**}}
 Name:           python-paramiko
-Version:        2.2.1
+Version:        2.3.1
 Release:        0
 Url:            http://www.paramiko.org/
 Summary:        SSH2 protocol library
 License:        LGPL-2.1+
 Group:          Development/Languages/Python
 Source:         https://files.pythonhosted.org/packages/source/p/paramiko/paramiko-%{version}.tar.gz
+# certificates needed by testsuite
+Source1:        cert_support.tar.gz
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 BuildRequires:  %{python_module PyNaCl >= 1.0.1}
 BuildRequires:  %{python_module bcrypt >= 3.1.3}
@@ -38,7 +40,7 @@ BuildRequires:  fdupes
 BuildRequires:  python-rpm-macros
 Requires:       python-PyNaCl >= 1.0.1
 Requires:       python-bcrypt >= 3.1.3
-Requires:       python-cryptography >= 1.1
+Requires:       python-cryptography >= 1.5
 Requires:       python-pyasn1 >= 0.1.7
 BuildArch:      noarch
 
@@ -67,6 +69,7 @@ This package contains the documentation.
 %setup -q -n paramiko-%{version}
 # Fix non-executable script rpmlint issue:
 find demos -name "*.py" -exec sed -i "/#\!\/usr\/bin\/.*/d" {} \;
+tar xvzf %{SOURCE1} -C tests/
 
 %build
 %python_build