diff --git a/.kernel.checksum b/.kernel.checksum
index 0d38cecd8e49630e95f2413b0482c43c6bdffe51..c8bd85d441f5d7f85f0cdb5d9d29297c010e002c 100644
--- a/.kernel.checksum
+++ b/.kernel.checksum
@@ -1 +1 @@
-18a65a2cef93a1180a8ab86f6fdf6ec14c2835a51a9fafc8d0d2e77444ee3441
+b2dbb36c2dee70eaa9fb8af57369709fda48deb030fbc41523f7c7c0f6f54a6b
diff --git a/.kernel.metadata b/.kernel.metadata
index a79558fddad67175e56a47cbe5031b4cdd61f617..ad62cb50c394af4d9d421bb030632b614789e653 100644
--- a/.kernel.metadata
+++ b/.kernel.metadata
@@ -1,9 +1,3 @@
-a0d1d9d826f5cd9019a9a43ce009d9b64f217ba65a4597d527fc13061db1cd53 SOURCES/kernel-abi-stablelists-5.14.0-503.19.1.el9_5.tar.bz2
-3167413ce4e53f0e473277ab4c0d6655974e977af0f45b6d94ebad659bde40d0 SOURCES/kernel-kabi-dw-5.14.0-503.19.1.el9_5.tar.bz2
-047b0f26d41b81a709d036e1fb7763f5a42757b636eb1b269447f100aced700f SOURCES/linux-5.14.0-503.19.1.el9_5.tar.xz
-ca3aa0979f9426736d382747bba165e71ea4c42a2fb736d78fd8a4c4b7b58ad4 SOURCES/nvidiagpuoot001.x509
-af61197112f29a3a52f3825d363fe3103dc98cad269763071ee86eb2aedc139b SOURCES/rheldup3.x509
-b466265282193c17b3256b199ecc3bdd986797b4a82ad841de4a132132e9f6ab SOURCES/rhelima.x509
-535ad7cda08187bc7dc22c62456e10990a42d7f87d1c741454525d1035430ebe SOURCES/rhelima_centos.x509
-adf5bbf5871e9658adaeadcfb7d6f7592f1091f8701c1e06dff9bd99cc893dda SOURCES/rhelimaca1.x509
-59385d0b89010159180c6aa71a06f46e3381f6576341627b4b96363dfceeed68 SOURCES/rhelkpatch1.x509
+c0aee52727293519687cc774a44d374a30b7bd335628b4019890d5046f1215e6 SOURCES/kernel-abi-stablelists-5.14.0-503.21.1.el9_5.tar.bz2
+c1e74a6d4feeed9704fd6482b64fce070dde5c9e0e9a16f6571868d0e3fcf1b1 SOURCES/kernel-kabi-dw-5.14.0-503.21.1.el9_5.tar.bz2
+39e2cb29ddffe791a2f993367c2acca97c071478438e139812f1e81288fffd48 SOURCES/linux-5.14.0-503.21.1.el9_5.tar.xz
diff --git a/SOURCES/Makefile.rhelver b/SOURCES/Makefile.rhelver
index 99b8eb0796878d29d8af6500fae8c83cd9ba9582..814217fae5fa8904c4f2265e86b23e32c5a6cedb 100644
--- a/SOURCES/Makefile.rhelver
+++ b/SOURCES/Makefile.rhelver
@@ -12,7 +12,7 @@ RHEL_MINOR = 5
 #
 # Use this spot to avoid future merge conflicts.
 # Do not trim this comment.
-RHEL_RELEASE = 503.19.1
+RHEL_RELEASE = 503.21.1
 
 #
 # ZSTREAM
diff --git a/SOURCES/kernel.changelog b/SOURCES/kernel.changelog
index 9fc95e0cd0b1ec66199af74ef0112148a51cf191..b6b749807563685623d34974ba345d397e811326 100644
--- a/SOURCES/kernel.changelog
+++ b/SOURCES/kernel.changelog
@@ -1,3 +1,52 @@
+* Thu Dec 19 2024 Lucas Zampieri <lzampier@redhat.com> [5.14.0-503.21.1.el9_5]
+- mlxsw: spectrum_ipip: Fix memory leak when changing remote IPv6 address (CKI Backport Bot) [RHEL-66899] {CVE-2024-50252}
+- CVE-2024-53122 mptcp: cope racing subflow creation in mptcp_rcv_space_adjust (Patrick Talbert) [RHEL-70083 RHEL-69670] {CVE-2024-53122}
+- mm: make show_free_areas() static (Aristeu Rozanski) [RHEL-66998 RHEL-27743]
+- mm: remove arguments of show_mem() (Aristeu Rozanski) [RHEL-66998 RHEL-27743]
+- KVM: s390: Change virtual to physical address access in diag 0x258 handler (Thomas Huth) [RHEL-67922 RHEL-65229]
+- KVM: s390: gaccess: Check if guest address is in memslot (Thomas Huth) [RHEL-67922 RHEL-65229]
+- KVM: s390: Fix SORTL and DFLTCC instruction format error in __insn32_query (Thomas Huth) [RHEL-67922 RHEL-65229]
+- s390/uv: Panic for set and remove shared access UVC errors (Thomas Huth) [RHEL-67922 RHEL-65229]
+- KVM: s390: remove useless include (Thomas Huth) [RHEL-67922 RHEL-65229]
+- s390/mm: Re-enable the shared zeropage for !PV and !skeys KVM guests (Thomas Huth) [RHEL-67922 RHEL-65229]
+- mm/userfaultfd: Do not place zeropages when zeropages are disallowed (Thomas Huth) [RHEL-67922 RHEL-65229]
+- s390: allow pte_offset_map_lock() to fail (Thomas Huth) [RHEL-67922 RHEL-54248]
+- KVM: s390: vsie: Use virt_to_phys for crypto control block (Thomas Huth) [RHEL-67922 RHEL-65229]
+- KVM: s390: vsie: Use virt_to_phys for facility control block (Thomas Huth) [RHEL-67922 RHEL-65229]
+- gfs2: Prevent inode creation race (Andreas Gruenbacher) [RHEL-68137 RHEL-68102]
+- gfs2: Only defer deletes when we have an iopen glock (Andreas Gruenbacher) [RHEL-68137 RHEL-68102]
+- gfs2: Randomize GLF_VERIFY_DELETE work delay (Andreas Gruenbacher) [RHEL-62105 RHEL-60945]
+- gfs2: Use mod_delayed_work in gfs2_queue_try_to_evict (Andreas Gruenbacher) [RHEL-62105 RHEL-60945]
+- gfs2: Update to the evict / remote delete documentation (Andreas Gruenbacher) [RHEL-62105 RHEL-60945]
+- gfs2: Call gfs2_queue_verify_delete from gfs2_evict_inode (Andreas Gruenbacher) [RHEL-62105 RHEL-60945]
+- gfs2: Clean up delete work processing (Andreas Gruenbacher) [RHEL-62105 RHEL-60945]
+- gfs2: Minor delete_work_func cleanup (Andreas Gruenbacher) [RHEL-62105 RHEL-60945]
+- gfs2: Return enum evict_behavior from gfs2_upgrade_iopen_glock (Andreas Gruenbacher) [RHEL-62105 RHEL-60945]
+- gfs2: Rename dinode_demise to evict_behavior (Andreas Gruenbacher) [RHEL-62105 RHEL-60945]
+- gfs2: Rename GIF_{DEFERRED -> DEFER}_DELETE (Andreas Gruenbacher) [RHEL-62105 RHEL-60945]
+- gfs2: Faster gfs2_upgrade_iopen_glock wakeups (Andreas Gruenbacher) [RHEL-62105 RHEL-60945]
+- gfs2: Fix unlinked inode cleanup (Andreas Gruenbacher) [RHEL-62105 RHEL-60945]
+- gfs2: Allow immediate GLF_VERIFY_DELETE work (Andreas Gruenbacher) [RHEL-62105 RHEL-60945]
+- gfs2: Initialize gl_no_formal_ino earlier (Andreas Gruenbacher) [RHEL-62105 RHEL-60945]
+- gfs2: Rename GLF_VERIFY_EVICT to GLF_VERIFY_DELETE (Andreas Gruenbacher) [RHEL-62105 RHEL-60945]
+- gfs2: make timeout values more explicit (Wolfram Sang) [RHEL-62105 RHEL-60945]
+- gfs2: Simplify function gfs2_upgrade_iopen_glock (Andreas Gruenbacher) [RHEL-62105 RHEL-60945]
+- gfs2: Rename SDF_DEACTIVATING to SDF_KILL (Andreas Gruenbacher) [RHEL-62105 RHEL-60945]
+- smb: client: fix use-after-free of signing key (Jay Shin) [RHEL-69306 RHEL-66206]
+- net/iucv: fix use after free in iucv_sock_close() (Mete Durlu) [RHEL-60300 RHEL-53992]
+- KVM: arm64: Ensure vgic_ready() is ordered against MMIO registration (CKI Backport Bot) [RHEL-70294]
+Resolves: RHEL-60300, RHEL-62105, RHEL-66899, RHEL-66998, RHEL-67922, RHEL-68137, RHEL-69306, RHEL-70083, RHEL-70294
+
+* Thu Dec 12 2024 Lucas Zampieri <lzampier@redhat.com> [5.14.0-503.20.1.el9_5]
+- bnxt_en: Add support for user configured RSS key (Michal Schmidt) [RHEL-68699 RHEL-54645]
+- bnxt_en: Add function to calculate Toeplitz hash (Michal Schmidt) [RHEL-68699 RHEL-54645]
+- kvm: Note an RCU quiescent state on guest exit (Leonardo Bras) [RHEL-65734 RHEL-20288]
+- rcu: Add rcutree.nohz_full_patience_delay to reduce nohz_full OS jitter (Leonardo Bras) [RHEL-65734 RHEL-20288]
+- context_tracking: Fix KCSAN noinstr violation (Leonardo Bras) [RHEL-65734 RHEL-20288]
+- perf/aux: Fix AUX buffer serialization (Michael Petlan) [RHEL-67495] {CVE-2024-46713}
+- RDMA/bnxt_re: Fix a bug while setting up Level-2 PBL pages (Mohammad Heib) [RHEL-66669 RHEL-52759] {CVE-2024-50208}
+Resolves: RHEL-65734, RHEL-66669, RHEL-67495, RHEL-68699
+
 * Fri Dec 06 2024 Lucas Zampieri <lzampier@redhat.com> [5.14.0-503.19.1.el9_5]
 - xfrm: validate new SA's prefixlen using SA family when sel.family is unset (Sabrina Dubroca) [RHEL-66462 RHEL-66461] {CVE-2024-50142}
 - xfrm: fix one more kernel-infoleak in algo dumping (CKI Backport Bot) [RHEL-65960] {CVE-2024-50110}
diff --git a/SOURCES/nvidiagpuoot001.x509 b/SOURCES/nvidiagpuoot001.x509
new file mode 100644
index 0000000000000000000000000000000000000000..de1b6016bc372b345bb6b0a47c90079918776f85
Binary files /dev/null and b/SOURCES/nvidiagpuoot001.x509 differ
diff --git a/SOURCES/rheldup3.x509 b/SOURCES/rheldup3.x509
new file mode 100644
index 0000000000000000000000000000000000000000..5df3b4f30de160efb9bd4dfbe9b831ee44a74007
Binary files /dev/null and b/SOURCES/rheldup3.x509 differ
diff --git a/SOURCES/rhelima.x509 b/SOURCES/rhelima.x509
new file mode 100644
index 0000000000000000000000000000000000000000..a286bfb4dc393c84388c7e599e9c061714f6753f
Binary files /dev/null and b/SOURCES/rhelima.x509 differ
diff --git a/SOURCES/rhelima_centos.x509 b/SOURCES/rhelima_centos.x509
new file mode 100644
index 0000000000000000000000000000000000000000..691678fabb58879eff6f62eb75f12d414f5237c9
Binary files /dev/null and b/SOURCES/rhelima_centos.x509 differ
diff --git a/SOURCES/rhelimaca1.x509 b/SOURCES/rhelimaca1.x509
new file mode 100644
index 0000000000000000000000000000000000000000..b5501502d12a30f6faaa9728bd5d9a50364ba9e1
Binary files /dev/null and b/SOURCES/rhelimaca1.x509 differ
diff --git a/SOURCES/rhelkpatch1.x509 b/SOURCES/rhelkpatch1.x509
new file mode 100644
index 0000000000000000000000000000000000000000..0c774ba73bd27a421e59a2488cbf6f398fe03e2a
Binary files /dev/null and b/SOURCES/rhelkpatch1.x509 differ
diff --git a/SPECS/kernel.spec b/SPECS/kernel.spec
index 01edf8406fa57d0cd78e4b8ebd4c4fa3dad18eda..5375f44a3957205a6ac93622b1b36f1480fa3c14 100644
--- a/SPECS/kernel.spec
+++ b/SPECS/kernel.spec
@@ -165,15 +165,15 @@ Summary: The Linux kernel
 # define buildid .local
 %define specversion 5.14.0
 %define patchversion 5.14
-%define pkgrelease 503.19.1
+%define pkgrelease 503.21.1
 %define kversion 5
-%define tarfile_release 5.14.0-503.19.1.el9_5
+%define tarfile_release 5.14.0-503.21.1.el9_5
 # This is needed to do merge window version magic
 %define patchlevel 14
 # This allows pkg_release to have configurable %%{?dist} tag
-%define specrelease 503.19.1%{?buildid}%{?dist}
+%define specrelease 503.21.1%{?buildid}%{?dist}
 # This defines the kabi tarball version
-%define kabiversion 5.14.0-503.19.1.el9_5
+%define kabiversion 5.14.0-503.21.1.el9_5
 
 #
 # End of genspec.sh variables
@@ -3795,10 +3795,57 @@ fi
 #
 #
 %changelog
-* Thu Dec 19 2024 Release Engineering <releng@rockylinux.org> - 5.14.0-503.19.1
+* Wed Jan 08 2025 Release Engineering <releng@rockylinux.org> - 5.14.0-503.21.1
 - Porting to Rocky Linux 9, debranding and Rocky branding
 - Ensure aarch64 kernel is not compressed
 
+* Thu Dec 19 2024 Lucas Zampieri <lzampier@redhat.com> [5.14.0-503.21.1.el9_5]
+- mlxsw: spectrum_ipip: Fix memory leak when changing remote IPv6 address (CKI Backport Bot) [RHEL-66899] {CVE-2024-50252}
+- CVE-2024-53122 mptcp: cope racing subflow creation in mptcp_rcv_space_adjust (Patrick Talbert) [RHEL-70083 RHEL-69670] {CVE-2024-53122}
+- mm: make show_free_areas() static (Aristeu Rozanski) [RHEL-66998 RHEL-27743]
+- mm: remove arguments of show_mem() (Aristeu Rozanski) [RHEL-66998 RHEL-27743]
+- KVM: s390: Change virtual to physical address access in diag 0x258 handler (Thomas Huth) [RHEL-67922 RHEL-65229]
+- KVM: s390: gaccess: Check if guest address is in memslot (Thomas Huth) [RHEL-67922 RHEL-65229]
+- KVM: s390: Fix SORTL and DFLTCC instruction format error in __insn32_query (Thomas Huth) [RHEL-67922 RHEL-65229]
+- s390/uv: Panic for set and remove shared access UVC errors (Thomas Huth) [RHEL-67922 RHEL-65229]
+- KVM: s390: remove useless include (Thomas Huth) [RHEL-67922 RHEL-65229]
+- s390/mm: Re-enable the shared zeropage for !PV and !skeys KVM guests (Thomas Huth) [RHEL-67922 RHEL-65229]
+- mm/userfaultfd: Do not place zeropages when zeropages are disallowed (Thomas Huth) [RHEL-67922 RHEL-65229]
+- s390: allow pte_offset_map_lock() to fail (Thomas Huth) [RHEL-67922 RHEL-54248]
+- KVM: s390: vsie: Use virt_to_phys for crypto control block (Thomas Huth) [RHEL-67922 RHEL-65229]
+- KVM: s390: vsie: Use virt_to_phys for facility control block (Thomas Huth) [RHEL-67922 RHEL-65229]
+- gfs2: Prevent inode creation race (Andreas Gruenbacher) [RHEL-68137 RHEL-68102]
+- gfs2: Only defer deletes when we have an iopen glock (Andreas Gruenbacher) [RHEL-68137 RHEL-68102]
+- gfs2: Randomize GLF_VERIFY_DELETE work delay (Andreas Gruenbacher) [RHEL-62105 RHEL-60945]
+- gfs2: Use mod_delayed_work in gfs2_queue_try_to_evict (Andreas Gruenbacher) [RHEL-62105 RHEL-60945]
+- gfs2: Update to the evict / remote delete documentation (Andreas Gruenbacher) [RHEL-62105 RHEL-60945]
+- gfs2: Call gfs2_queue_verify_delete from gfs2_evict_inode (Andreas Gruenbacher) [RHEL-62105 RHEL-60945]
+- gfs2: Clean up delete work processing (Andreas Gruenbacher) [RHEL-62105 RHEL-60945]
+- gfs2: Minor delete_work_func cleanup (Andreas Gruenbacher) [RHEL-62105 RHEL-60945]
+- gfs2: Return enum evict_behavior from gfs2_upgrade_iopen_glock (Andreas Gruenbacher) [RHEL-62105 RHEL-60945]
+- gfs2: Rename dinode_demise to evict_behavior (Andreas Gruenbacher) [RHEL-62105 RHEL-60945]
+- gfs2: Rename GIF_{DEFERRED -> DEFER}_DELETE (Andreas Gruenbacher) [RHEL-62105 RHEL-60945]
+- gfs2: Faster gfs2_upgrade_iopen_glock wakeups (Andreas Gruenbacher) [RHEL-62105 RHEL-60945]
+- gfs2: Fix unlinked inode cleanup (Andreas Gruenbacher) [RHEL-62105 RHEL-60945]
+- gfs2: Allow immediate GLF_VERIFY_DELETE work (Andreas Gruenbacher) [RHEL-62105 RHEL-60945]
+- gfs2: Initialize gl_no_formal_ino earlier (Andreas Gruenbacher) [RHEL-62105 RHEL-60945]
+- gfs2: Rename GLF_VERIFY_EVICT to GLF_VERIFY_DELETE (Andreas Gruenbacher) [RHEL-62105 RHEL-60945]
+- gfs2: make timeout values more explicit (Wolfram Sang) [RHEL-62105 RHEL-60945]
+- gfs2: Simplify function gfs2_upgrade_iopen_glock (Andreas Gruenbacher) [RHEL-62105 RHEL-60945]
+- gfs2: Rename SDF_DEACTIVATING to SDF_KILL (Andreas Gruenbacher) [RHEL-62105 RHEL-60945]
+- smb: client: fix use-after-free of signing key (Jay Shin) [RHEL-69306 RHEL-66206]
+- net/iucv: fix use after free in iucv_sock_close() (Mete Durlu) [RHEL-60300 RHEL-53992]
+- KVM: arm64: Ensure vgic_ready() is ordered against MMIO registration (CKI Backport Bot) [RHEL-70294]
+
+* Thu Dec 12 2024 Lucas Zampieri <lzampier@redhat.com> [5.14.0-503.20.1.el9_5]
+- bnxt_en: Add support for user configured RSS key (Michal Schmidt) [RHEL-68699 RHEL-54645]
+- bnxt_en: Add function to calculate Toeplitz hash (Michal Schmidt) [RHEL-68699 RHEL-54645]
+- kvm: Note an RCU quiescent state on guest exit (Leonardo Bras) [RHEL-65734 RHEL-20288]
+- rcu: Add rcutree.nohz_full_patience_delay to reduce nohz_full OS jitter (Leonardo Bras) [RHEL-65734 RHEL-20288]
+- context_tracking: Fix KCSAN noinstr violation (Leonardo Bras) [RHEL-65734 RHEL-20288]
+- perf/aux: Fix AUX buffer serialization (Michael Petlan) [RHEL-67495] {CVE-2024-46713}
+- RDMA/bnxt_re: Fix a bug while setting up Level-2 PBL pages (Mohammad Heib) [RHEL-66669 RHEL-52759] {CVE-2024-50208}
+
 * Fri Dec 06 2024 Lucas Zampieri <lzampier@redhat.com> [5.14.0-503.19.1.el9_5]
 - xfrm: validate new SA's prefixlen using SA family when sel.family is unset (Sabrina Dubroca) [RHEL-66462 RHEL-66461] {CVE-2024-50142}
 - xfrm: fix one more kernel-infoleak in algo dumping (CKI Backport Bot) [RHEL-65960] {CVE-2024-50110}