diff --git a/oath-toolkit-2.6.9-lockfile.patch b/oath-toolkit-2.6.12-lockfile.patch similarity index 90% rename from oath-toolkit-2.6.9-lockfile.patch rename to oath-toolkit-2.6.12-lockfile.patch index 4d23589..72a2092 100644 --- a/oath-toolkit-2.6.9-lockfile.patch +++ b/oath-toolkit-2.6.12-lockfile.patch @@ -1,5 +1,5 @@ diff --git a/liboath/global.c b/liboath/global.c -index 8c60c20..acaa3eb 100644 +index d1a0e4d..4c6e5ca 100644 --- a/liboath/global.c +++ b/liboath/global.c @@ -25,9 +25,12 @@ @@ -61,7 +61,7 @@ index 8c60c20..acaa3eb 100644 + return OATH_OK; +} diff --git a/liboath/liboath.map b/liboath/liboath.map -index 5493358..a1be2fb 100644 +index d980107..a001f6d 100644 --- a/liboath/liboath.map +++ b/liboath/liboath.map @@ -75,6 +75,7 @@ LIBOATH_2.2.0 @@ -73,7 +73,7 @@ index 5493358..a1be2fb 100644 LIBOATH_2.6.0 diff --git a/liboath/oath.h b/liboath/oath.h -index 3a4077f..bd592c8 100644 +index 01b7a3c..a5d7787 100644 --- a/liboath/oath.h +++ b/liboath/oath.h @@ -159,11 +159,15 @@ extern "C" @@ -93,7 +93,7 @@ index 3a4077f..bd592c8 100644 extern OATHAPI const char *oath_strerror (int err); diff --git a/liboath/oath.h.in b/liboath/oath.h.in -index b14df98..2bc89de 100644 +index b8b4fbd..99e5fd0 100644 --- a/liboath/oath.h.in +++ b/liboath/oath.h.in @@ -159,11 +159,15 @@ extern "C" @@ -113,7 +113,7 @@ index b14df98..2bc89de 100644 extern OATHAPI const char *oath_strerror (int err); diff --git a/liboath/usersfile.c b/liboath/usersfile.c -index 582c657..f8f6446 100644 +index 68268a2..eb78fe0 100644 --- a/liboath/usersfile.c +++ b/liboath/usersfile.c @@ -325,9 +325,18 @@ update_usersfile (const char *usersfile, @@ -136,13 +136,13 @@ index 582c657..f8f6446 100644 + return OATH_PRINTF_ERROR; + } - lockfh = fopen (lockfile, "w"); + lockfh = fopen (lockfile, "wx"); if (!lockfh) diff --git a/pam_oath/pam_oath.c b/pam_oath/pam_oath.c -index 0a88a1c..28afd9b 100644 +index 2a85030..6a83195 100644 --- a/pam_oath/pam_oath.c 
+++ b/pam_oath/pam_oath.c -@@ -73,6 +73,7 @@ struct cfg +@@ -75,6 +75,7 @@ struct cfg int try_first_pass; int use_first_pass; char *usersfile; @@ -150,7 +150,7 @@ index 0a88a1c..28afd9b 100644 unsigned digits; unsigned window; }; -@@ -87,6 +88,7 @@ parse_cfg (int flags, int argc, const char **argv, struct cfg *cfg) +@@ -89,6 +90,7 @@ parse_cfg (int flags, int argc, const char **argv, struct cfg *cfg) cfg->try_first_pass = 0; cfg->use_first_pass = 0; cfg->usersfile = NULL; @@ -158,7 +158,7 @@ index 0a88a1c..28afd9b 100644 cfg->digits = -1; cfg->window = 5; -@@ -102,6 +104,8 @@ parse_cfg (int flags, int argc, const char **argv, struct cfg *cfg) +@@ -104,6 +106,8 @@ parse_cfg (int flags, int argc, const char **argv, struct cfg *cfg) cfg->use_first_pass = 1; if (strncmp (argv[i], "usersfile=", 10) == 0) cfg->usersfile = (char *) argv[i] + 10; @@ -167,7 +167,7 @@ index 0a88a1c..28afd9b 100644 if (strncmp (argv[i], "digits=", 7) == 0) cfg->digits = atoi (argv[i] + 7); if (strncmp (argv[i], "window=", 7) == 0) -@@ -127,6 +131,7 @@ parse_cfg (int flags, int argc, const char **argv, struct cfg *cfg) +@@ -129,6 +133,7 @@ parse_cfg (int flags, int argc, const char **argv, struct cfg *cfg) D (("try_first_pass=%d", cfg->try_first_pass)); D (("use_first_pass=%d", cfg->use_first_pass)); D (("usersfile=%s", cfg->usersfile ? cfg->usersfile : "(null)")); @@ -175,7 +175,7 @@ index 0a88a1c..28afd9b 100644 D (("digits=%d", cfg->digits)); D (("window=%d", cfg->window)); } -@@ -337,6 +342,17 @@ pam_sm_authenticate (pam_handle_t * pamh, +@@ -369,6 +374,17 @@ pam_sm_authenticate (pam_handle_t *pamh, goto done; } diff --git a/oath-toolkit.spec b/oath-toolkit.spec index 6676d44..ed5a470 100644 --- a/oath-toolkit.spec +++ b/oath-toolkit.spec @@ -1,6 +1,6 @@ Name: oath-toolkit -Version: 2.6.11 -Release: 6%{?dist} +Version: 2.6.12 +Release: 1%{?dist} # Automatically converted from old format: GPLv3+ - review is highly recommended. License: GPL-3.0-or-later Summary: One-time password components 
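Review bot: The pam_sm_authenticate hunk of the rebased patch moved from line 337 to 369 with its body kept verbatim, and the spec changelog in this same commit attributes 2.6.12 to "Dropped privileges when operating on user files" (CVE-2024-47191), i.e. there is new upstream code in that function between the old and new offsets that the rebase only steps over. If the lockfile handling this patch adds (the `lockfile=` option and the `fopen (lockfile, "wx")` exclusive create in update_usersfile) now runs after upstream's privilege drop, the create may be attempted as the unprivileged user and fail for a lockfile placed next to a root-owned usersfile, so the rebase should be checked against the 2.6.12 source and not only for clean hunk application. I would record the result in the spec next to `Patch0:`, e.g. `# Rebased for 2.6.12: lockfile create verified against the CVE-2024-47191 privilege-drop code in pam_sm_authenticate`. The rebased hunk bodies themselves and the enclosing functions are outside this diff.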
@@ -20,7 +20,7 @@ Source1: https://download.savannah.nongnu.org/releases/%{name}/%{name}-%{v
 # gpg2 --armor --export D73CF638C53C06BE > keyring.asc
 Source2: keyring.asc
 URL: https://www.nongnu.org/oath-toolkit/
-Patch0: oath-toolkit-2.6.9-lockfile.patch
+Patch0: oath-toolkit-2.6.12-lockfile.patch

 %description
 The OATH Toolkit provide components for building one-time password
@@ -189,6 +189,12 @@ mkdir -p -m 0600 %{buildroot}%{_sysconfdir}/liboath
 %{_libdir}/security/pam_oath.so

 %changelog
+* Thu Oct 10 2024 Jaroslav Škarvada - 2.6.12-1
+- New version
+ Resolves: rhbz#2316447
+- Dropped privileges when operating on user files
+ Resolves: CVE-2024-47191
+
 * Thu Jul 25 2024 Miroslav Suchý - 2.6.11-6
 - convert license to SPDX

diff --git a/sources b/sources
index 39df953..fa23e79 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-SHA512 (oath-toolkit-2.6.11.tar.gz) = 42df879bebccdde3d38558ba735e09db14d0c916b9f0d3a1842e0ecc80614b7d1ee44db39d3097970a2a7108446da6eefd09bdd32dd2fb81d6aed06dc19552fd
-SHA512 (oath-toolkit-2.6.11.tar.gz.sig) = 07126e759ea6688b6964d51769d7414e2568228c6b0c271117e95db1a29b5b6faccff1b2aee8cfe34e8c27309bdbf067b522fc1cd089e864692b92302277bcf5
+SHA512 (oath-toolkit-2.6.12.tar.gz) = f82967e4b86bac57bec4b048fedd351ca7ae6f368f4b3a61135057c28c531a2c9845b51660dee2a6f5db66d5065619d22921b94229c672d1889077a710a0f0ce
+SHA512 (oath-toolkit-2.6.12.tar.gz.sig) = 1596132d6e88f3c0f4af8b8ac57815d448d05af51f3f276b9dd3ba4d41d1a95f2d6ba726f1963e63d4d2aa967cfc0d08983b61ff62454f1355e5e67206a09f82