diff --git a/0001-tpm2_import-fix-fixed-AES-key-CVE-2021-3565.patch b/0001-tpm2_import-fix-fixed-AES-key-CVE-2021-3565.patch
new file mode 100644
index 0000000..1c46ea0
--- /dev/null
+++ b/0001-tpm2_import-fix-fixed-AES-key-CVE-2021-3565.patch
@@ -0,0 +1,46 @@
+From c069e4f179d5e6653a84fb236816c375dca82515 Mon Sep 17 00:00:00 2001
+From: William Roberts <william.c.roberts@intel.com>
+Date: Fri, 21 May 2021 12:22:31 -0500
+Subject: [PATCH] tpm2_import: fix fixed AES key CVE-2021-3565
+
+tpm2_import used a fixed AES key for the inner wrapper, which means that
+a MITM attack would be able to unwrap the imported key. Even the
+use of an encrypted session will not prevent this. The TPM only
+encrypts the first parameter which is the fixed symmetric key.
+
+To fix this, ensure the key size is 16 bytes or bigger and use
+OpenSSL to generate a secure random AES key.
+
+Fixes: #2738
+
+Signed-off-by: William Roberts <william.c.roberts@intel.com>
+---
+ tools/tpm2_import.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/tools/tpm2_import.c b/tools/tpm2_import.c
+index cfb6f207..f44326c8 100644
+--- a/tools/tpm2_import.c
++++ b/tools/tpm2_import.c
+@@ -118,7 +118,17 @@ static tool_rc key_import(ESYS_CONTEXT *ectx, TPM2B_PUBLIC *parent_pub,
+     TPM2B_DATA enc_sensitive_key = {
+         .size = parent_pub->publicArea.parameters.rsaDetail.symmetric.keyBits.sym / 8
+     };
+-    memset(enc_sensitive_key.buffer, 0xFF, enc_sensitive_key.size);
++
++    if(enc_sensitive_key.size < 16) {
++        LOG_ERR("Calculated wrapping keysize is less than 16 bytes, got: %u", enc_sensitive_key.size);
++        return tool_rc_general_error;
++    }
++
++    int ossl_rc = RAND_bytes(enc_sensitive_key.buffer, enc_sensitive_key.size);
++    if (ossl_rc != 1) {
++        LOG_ERR("RAND_bytes failed: %s", ERR_error_string(ERR_get_error(), NULL));
++        return tool_rc_general_error;
++    }
+ 
+     /*
+      * Calculate the object name.
+-- 
+2.26.3
+
diff --git a/fix_pie_linking.patch b/fix_pie_linking.patch
deleted file mode 100644
index f0d1ebc..0000000
--- a/fix_pie_linking.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-Index: tpm2-tools-5.0/Makefile.am
-===================================================================
---- tpm2-tools-5.0.orig/Makefile.am
-+++ tpm2-tools-5.0/Makefile.am
-@@ -45,7 +45,7 @@ lib_libcommon_a_SOURCES = $(LIB_SRC)
- lib_libcommon_a_CFLAGS = -fPIC $(AM_CFLAGS)
- 
- tools_fapi_tss2_CFLAGS = $(FAPI_CFLAGS) -DTSS2_TOOLS_MAX="$(words $(tss2_tools))"
--tools_fapi_tss2_LDFLAGS = $(TSS2_FAPI_LIBS)
-+tools_fapi_tss2_LDFLAGS = $(EXTRA_LDFLAGS) $(TSS2_FAPI_LIBS)
- tools_fapi_tss2_SOURCES = \
- 	tools/fapi/tss2_template.c \
- 	tools/fapi/tss2_template.h \
diff --git a/fix_warnings.patch b/fix_warnings.patch
deleted file mode 100644
index d491ed4..0000000
--- a/fix_warnings.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-Index: tpm2-tools-5.0/tools/tpm2_getekcertificate.c
-===================================================================
---- tpm2-tools-5.0.orig/tools/tpm2_getekcertificate.c
-+++ tpm2-tools-5.0/tools/tpm2_getekcertificate.c
-@@ -190,8 +190,8 @@ static char *base64_encode(const unsigne
-     return final_string;
- }
- 
--static size_t writecallback(void *contents, size_t size, size_t nitems,
--    char *CERT_BUFFER) {
-+static size_t writecallback(char *contents, size_t size, size_t nitems,
-+    void *CERT_BUFFER) {
- 
-     strncpy(CERT_BUFFER, (const char *)contents, nitems * size);
-     ctx.rsa_cert_buffer_size = nitems * size;
-Index: tpm2-tools-5.0/lib/tpm2_util.c
-===================================================================
---- tpm2-tools-5.0.orig/lib/tpm2_util.c
-+++ tpm2-tools-5.0/lib/tpm2_util.c
-@@ -49,7 +49,7 @@ bool tpm2_util_concat_buffer(TPM2B_MAX_B
-         return false;
-     }
- 
--    if ((result->size + append->size) > TPM2_MAX_DIGEST_BUFFER) {
-+    if (((size_t)result->size + append->size) > TPM2_MAX_DIGEST_BUFFER) {
-         return false;
-     }
- 
diff --git a/tpm2-tools-5.0.tar.gz b/tpm2-tools-5.0.tar.gz
deleted file mode 100644
index cef1ed3..0000000
--- a/tpm2-tools-5.0.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:e1b907fe29877628052e08ad84eebc6c3f7646d29505ed4862e96162a8c91ba1
-size 990855
diff --git a/tpm2-tools-5.1.tar.gz b/tpm2-tools-5.1.tar.gz
new file mode 100644
index 0000000..16d99e8
--- /dev/null
+++ b/tpm2-tools-5.1.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:e2d37b4376f968d6ce480e71b9b26a56a1960c844f4816335570c141c03642cd
+size 1042653
diff --git a/tpm2.0-tools.changes b/tpm2.0-tools.changes
index 73e0ab0..093a6d4 100644
--- a/tpm2.0-tools.changes
+++ b/tpm2.0-tools.changes
@@ -1,3 +1,130 @@
+-------------------------------------------------------------------
+Fri May 28 10:24:21 UTC 2021 - Matthias Gerstner <matthias.gerstner@suse.com>
+
+- add 0001-tpm2_import-fix-fixed-AES-key-CVE-2021-3565.patch: no longer use a
+  fixed AES key in the context of the tpm2_import command. Fixes CVE-2021-3565
+  (bsc#1186490).
+- drop fix_pie_linking.patch: now contained in upstream tarball
+- drop fix_warnings.patch: now contained in upstream tarball
+- update to upstream version 5.1:
+  - Minimum tpm2-tss version dependency bumped to 3.1.0
+  - Minimum tpm2-abrmd version dependency bumped to 2.4.0
+  - tss2:
+    - Support in tools for PolicyRef inclusion in policy search per latest TSS.
+    - Support to use TPM objects protected by a policy with PolicySigned.
+    - Enable backward compatibility to old Fapi callback API.
+    - Fix PCR selection for tss2 quote.
+    - Support policy signed policies by implementing Fapi_SetSignCB.
+  - Command/ response parameter support for auditing and pHash policies:
+    - lib/tpm2_util.c: Add method to determine hashing alg for cp/rphash
+    - Add support to calculate rphash for tpm2_create, tpm2_activatecredential,
+      tpm2_certify, tpm2_certifycreation, tpm2_changeauth, tpm2_changeeps,
+      tpm2_changepps, tpm2_nvdefine, tpm2_nvextend, tpm2_unseal
+    - Add support to calculate cphash for tpm2_changeeps, tpm2_changepps.
+  - Session-support:
+    - tpm2_sessionconfig: Add tool to display and configure session attributes.
+    - tpm2_getrandom: Fix— session input was hardcoded for audit-only
+    - tpm2_startauthsession: Add option to specify the bind object  and its
+      authorization value.
+    - tpm2_startauthsession: support for bounded-only session.
+    - tpm2_startauthsession: support for salted-only session.
+    - tpm2_startauthsession: add option to specify an hmac session type.
+    - Add support for specifying non-authorization sessions for audit and
+      parameter encryption for tpm2_getrandom, tpm2_create, tpm2_nvextend,
+      tpm2_nvdefine, tpm2_unseal, tpm2_activatecredential, tpm2_certify,
+      tpm2_certifycreation, tpm2_changeauth, tpm2_changeeps, tpm2_changepps.
+  - tpm2_eventlog:
+    - Support for event type: EV_IPL extensively used by the Shim and Grub.
+    - Support for event type: EV_EFI_GPT_EVENT to parse.
+      UEFI_PARTITION_TABLE_HEADER and UEFI_PARTITION_ENTRY.
+    - Support for event type: EFI_SIGNATURE_LIST, which contains one or more
+      EFI_SIGNATURE_DATA.
+    - Support for event type EV_EFI_VARIABLE_AUTHORITY.
+    - Parse UEFI_PLATFORM_FIRMWARE_BLOB structure that the CRTM MUST put into
+      the Event Log entry TCG_PCR_EVENT2.event field for event types
+      EV_POST_CODE, EV_S_CRTM_CONTENTS, and EV_EFI_PLATFORM_FIRMWARE_BLOB.
+    - Parse secureboot variable to indicate enable as 'Yes'.
+    - Parse BootOrder variable to a more readable format.
+    - Parse Boot variables per EFI_LOAD_OPTION described in more details in
+      UEFI Spec Section 3.1.3
+    - Parse Device-path in a readable format using the efivar library.
+    - Support for logs longer than 64 kilobytes.
+    - Perform verification for event types where digest can be verified from
+      their event payload.
+    - Better support for multiline strings.
+    - Fix handling of event log EV_POST_CODE data where field is empty and len
+      is specified.
+  - scripts/utils: Add a utility to read the cert chain of embedded CA.
+  - tpm2_getekcertificate: Fix tool failing to return error/non-zero for HTTP
+    404.
+  - tpm2_nvdefine: allow setting hash algorithm by command line parameter for NV
+    indices set in extend mode.
+  - tpm2_duplicate, tpm2_import: support duplicating non-TPM keys to a remote
+    TPM without first requiring them to be loaded to a local TPM.
+  - tpm2_dictionarylockout: Fix issue where setting value for one parameter
+    caused to reset the others.
+  - tpm2_getpolicydigest: Add new tool to enable TPM2_CC_PolicyGetDigest.
+  - Fix segfault where optind > argc.
+  - tools/tpm2_checkquote: fix missing initializer
+  - tpm2_convert: fix EVP_EncodeUpdate usage for OSSL < 1.1.0
+  - openssl: fix EVP_ENCODE_CTX_(new|free)
+  - test: Add support for swTPM simulator to the testing framework and make it
+    the default if mssim isn't available.
+  - tpm2_unseal:
+    - Added option **\--rphash**=_FILE_ to specify ile path to record the hash
+      of the response parameters. This is commonly termed as rpHash.
+  - tpm2_nvextend:
+    - Added option **\--rphash**=_FILE_ to specify ile path to record the hash
+      of the response parameters. This is commonly termed as rpHash.
+  - tpm2_nvdefine:
+    - Added option **\--rphash**=_FILE_ to specify ile path to record the hash
+      of the response parameters. This is commonly termed as rpHash.
+  - tpm2_changepps:
+    - Added option **\--cphash**=_FILE_ to specify ile path to record the hash
+      of the command parameters. This is commonly termed as cpHash.
+    - Added option **\--rphash**=_FILE_ to specify ile path to record the hash
+    - Added option **-S**, **\--session** to specify to specify an auxiliary
+      session for auditing and or encryption/decryption of the parameters.
+  - tpm2_changeeps:
+    - Added option **\--cphash**=_FILE_ to specify ile path to record the hash
+      of the command parameters. This is commonly termed as cpHash.
+    - Added option **\--rphash**=_FILE_ to specify ile path to record the hash
+      of the response parameters. This is commonly termed as rpHash.
+    - Added option **-S**, **\--session** to specify to specify an auxiliary
+      session for auditing and or encryption/decryption of the parameters.
+  - tpm2_changeauth:
+    - Added option **\--rphash**=_FILE_ to specify ile path to record the hash
+      of the response parameters. This is commonly termed as rpHash.
+    - Added option **-S**, **\--session** to specify to specify an auxiliary
+      session for auditing and or encryption/decryption of the parameters.
+  - tpm2_certifycreation:
+    - Added option **\--rphash**=_FILE_ to specify ile path to record the hash
+      of the response parameters. This is commonly termed as rpHash.
+    - Added option **-S**, **\--session** to specify to specify an auxiliary
+      session for auditing and or encryption/decryption of the parameters.
+  - tpm2_certify:
+    - Added option **\--rphash**=_FILE_ to specify ile path to record the hash
+      of the response parameters. This is commonly termed as rpHash.
+    - Added option **-S**, **\--session** to specify to specify an auxiliary
+      session for auditing and or encryption/decryption of the parameters.
+  - tpm2_activatecredential:
+    - Added option **\--rphash**=_FILE_ to specify ile path to record the hash
+      of the response parameters. This is commonly termed as rpHash.
+    - Added option **-S**, **\--session** to specify to specify an auxiliary
+      session for auditing and or encryption/decryption of the parameters.
+  - tpm2_create:
+    - Added option **\--rphash**=_FILE_ to specify ile path to record the hash
+      of the response parameters. This is commonly termed as rpHash.
+  - tpm2_unseal:
+    - Added option **-S**, **--session** to specify auxiliary sessions for
+      audit and encryption.
+  - tpm2_nvdefine:
+    - Added option **-S**, **--session** to specify auxiliary sessions for
+      audit and encryption.
+  - tpm2_nvextend:
+    - Added option **-S**, **--session** to specify auxilary sessions for
+      audit and encryption.
+
 -------------------------------------------------------------------
 Tue May  4 08:55:06 UTC 2021 - Matthias Gerstner <matthias.gerstner@suse.com>
 
diff --git a/tpm2.0-tools.spec b/tpm2.0-tools.spec
index 931c2f8..2dbfa60 100644
--- a/tpm2.0-tools.spec
+++ b/tpm2.0-tools.spec
@@ -17,7 +17,7 @@
 
 
 Name:           tpm2.0-tools
-Version:        5.0
+Version:        5.1
 Release:        0
 Summary:        Trusted Platform Module (TPM) 2.0 administration tools
 License:        BSD-3-Clause
@@ -25,8 +25,7 @@ Group:          Productivity/Security
 URL:            https://github.com/tpm2-software/tpm2-tools/releases
 Source0:        https://github.com/tpm2-software/tpm2-tools/releases/download/%{version}/tpm2-tools-%{version}.tar.gz
 Patch0:         fix_bogus_warning.patch
-Patch1:         fix_warnings.patch
-Patch2:         fix_pie_linking.patch
+Patch1:         0001-tpm2_import-fix-fixed-AES-key-CVE-2021-3565.patch
 BuildRequires:  autoconf-archive
 BuildRequires:  automake
 BuildRequires:  gcc-c++
@@ -67,7 +66,6 @@ associated interfaces.
 %setup -q -n tpm2-tools-%{version}
 %patch0 -p1
 %patch1 -p1
-%patch2 -p1
 
 %build
 # TODO: remove autoreconf once fix_pie_linking patch is no longer needed