diff --git a/0001-websocket-process-the-frame-as-soon-as-we-read-data.patch b/0001-websocket-process-the-frame-as-soon-as-we-read-data.patch
deleted file mode 100644
index 2ecc8be8aa2fd241559b424f201a04a8f35748a1..0000000000000000000000000000000000000000
--- a/0001-websocket-process-the-frame-as-soon-as-we-read-data.patch
+++ /dev/null
@@ -1,56 +0,0 @@ -From 6adc0e3eb74c257ed4e2a23eb4b2774fdb0d67be Mon Sep 17 00:00:00 2001 -From: Ignacio Casal Quinteiro -Date: Wed, 11 Sep 2024 11:52:11 +0200 -Subject: [PATCH] websocket: process the frame as soon as we read data - -Otherwise we can enter in a read loop because we were not -validating the data until the all the data was read. - -Fixes #391 ---- - libsoup/websocket/soup-websocket-connection.c | 4 ++-- - tests/websocket-test.c | 4 +++- - 2 files changed, 5 insertions(+), 3 deletions(-) - -diff --git a/libsoup/websocket/soup-websocket-connection.c b/libsoup/websocket/soup-websocket-connection.c -index 2f7d920..df8f67d 100644 ---- a/libsoup/websocket/soup-websocket-connection.c -+++ b/libsoup/websocket/soup-websocket-connection.c -@@ -1165,9 +1165,9 @@ soup_websocket_connection_read (SoupWebsocketConnection *self) - } - - priv->incoming->len = len + count; -- } while (count > 0); - -- process_incoming (self); -+ process_incoming (self); -+ } while (count > 0 && !priv->close_sent && !priv->io_closing); - - if (end) { - if (!priv->close_sent || !priv->close_received) { -diff --git a/tests/websocket-test.c b/tests/websocket-test.c -index b954b01..5cb3ca2 100644 ---- a/tests/websocket-test.c -+++ b/tests/websocket-test.c -@@ -1489,8 +1489,9 @@ test_receive_invalid_encode_length_64 (Test *test, - GError *error = NULL; - InvalidEncodeLengthTest context = { test, NULL }; - guint i; -+ guint error_id; - -- g_signal_connect (test->client, "error", G_CALLBACK (on_error_copy), &error); -+ error_id = g_signal_connect (test->client, "error", G_CALLBACK (on_error_copy), &error); - g_signal_connect (test->client, "message", G_CALLBACK (on_binary_message), &received); - - /* We use 127(\x7f) as payload length with 65535 extended length */ -@@ -1503,6 +1504,7 @@ test_receive_invalid_encode_length_64 (Test *test, - WAIT_UNTIL (error != NULL || received != NULL); - g_assert_error (error, SOUP_WEBSOCKET_ERROR, SOUP_WEBSOCKET_CLOSE_PROTOCOL_ERROR); - g_clear_error 
(&error); -+ g_signal_handler_disconnect (test->client, error_id); - g_assert_null (received); - - g_thread_join (thread); --- -2.43.0 - diff --git a/backport-CVE-2025-4476.patch b/backport-CVE-2025-4476.patch new file mode 100644 index 0000000000000000000000000000000000000000..7aaaa2b74a02aba90079bf15148973b015caa83f --- /dev/null +++ b/backport-CVE-2025-4476.patch @@ -0,0 +1,33 @@ +From e64c221f9c7d09b48b610c5626b3b8c400f0907c Mon Sep 17 00:00:00 2001 +From: Michael Catanzaro +Date: Thu, 8 May 2025 09:27:01 -0500 +Subject: [PATCH] auth-digest: fix crash in + soup_auth_digest_get_protection_space() + +We need to validate the Domain parameter in the WWW-Authenticate header. + +Unfortunately this crash only occurs when listening on default ports 80 +and 443, so there's no good way to test for this. The test would require +running as root. + +Fixes #440 +--- + libsoup/auth/soup-auth-digest.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/libsoup/auth/soup-auth-digest.c b/libsoup/auth/soup-auth-digest.c +index d8bb2910..292f2045 100644 +--- a/libsoup/auth/soup-auth-digest.c ++++ b/libsoup/auth/soup-auth-digest.c +@@ -220,7 +220,7 @@ soup_auth_digest_get_protection_space (SoupAuth *auth, GUri *source_uri) + if (uri && + g_strcmp0 (g_uri_get_scheme (uri), g_uri_get_scheme (source_uri)) == 0 && + g_uri_get_port (uri) == g_uri_get_port (source_uri) && +- !strcmp (g_uri_get_host (uri), g_uri_get_host (source_uri))) ++ !g_strcmp0 (g_uri_get_host (uri), g_uri_get_host (source_uri))) + dir = g_strdup (g_uri_get_path (uri)); + else + dir = NULL; +-- +GitLab + diff --git a/libsoup-3.4.4.tar.xz b/libsoup-3.4.4.tar.xz deleted file mode 100644 index f08c2a15fb9eeed01510caaa8dca8d41c001f38c..0000000000000000000000000000000000000000 Binary files a/libsoup-3.4.4.tar.xz and /dev/null differ 
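Review bot: In the backported hunk for `soup_auth_digest_get_protection_space()`, the switch to `g_strcmp0` stops the NULL dereference but leaves the validation implicit, because `g_strcmp0` also treats two NULL hosts as equal. A Domain entry without a host is most likely rejected here only because `source_uri` is expected to carry one, which is an inference from the visible lines. Making the intent explicit would help: add `g_uri_get_host (uri) != NULL &&` ahead of the comparison, or a comment such as `/* Domain comes from the server's WWW-Authenticate header and may parse to a URI with no host */`. The patch's own description says there is no regression test, so this condition is the only guard. The function body starts and ends outside the hunk.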
diff --git a/libsoup-3.4.5.tar.xz b/libsoup-3.4.5.tar.xz new file mode 100644 index 0000000000000000000000000000000000000000..edb5ad7f1ba66e3e3141a855d7a3c0e2dc540585 Binary files /dev/null and b/libsoup-3.4.5.tar.xz differ diff --git a/libsoup3.spec b/libsoup3.spec index 1dd4d8f151d852930b61213f32098f83d771eaf7..d21e9e01794112824c37f5c82da322ce9ec10f5c 100644 --- a/libsoup3.spec +++ b/libsoup3.spec @@ -3,15 +3,15 @@ %bcond_without sysprof Name: libsoup3 -Version: 3.4.4 -Release: 5 +Version: 3.4.5 +Release: 1 Summary: Soup, an HTTP library implementation License: LGPL-2.0-or-later URL: https://wiki.gnome.org/Projects/libsoup Source0: https://download.gnome.org/sources/libsoup/3.4/libsoup-%{version}.tar.xz -Patch0001: 0001-websocket-process-the-frame-as-soon-as-we-read-data.patch Patch0002: backport-CVE-2024-52530.patch +Patch0004: backport-CVE-2025-4476.patch BuildRequires: gcc gettext vala krb5-devel samba-winbind-clients BuildRequires: meson >= 0.54 @@ -84,9 +84,12 @@ install -m 644 -D tests/libsoup.supp %{buildroot}%{_datadir}/libsoup-3.0/libsoup %files help %doc README NEWS AUTHORS -%{_datadir}/doc +%doc %{_datadir}/doc/libsoup-3.0 %changelog +* Fri Jan 17 2025 Funda Wang - 3.4.5-1 +- update to 3.4.5 + * Fri Nov 22 2024 Funda Wang - 3.4.4-5 - enable sysprof feature by default
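Review bot: The `%changelog` entry added in the second libsoup3.spec hunk records only `- update to 3.4.5`, while the first hunk also adds `Patch0004: backport-CVE-2025-4476.patch` and drops `Patch0001`. Anyone auditing the package from its changelog cannot see that CVE-2025-4476 is fixed in 3.4.5-1; a line such as `- fix CVE-2025-4476` would record it. The entry date (Jan 17 2025) also predates the backported commit (8 May 2025), so the date looks stale. Before dropping `Patch0001`, confirm that the 3.4.5 tarball contains the websocket read-loop fix (commit 6adc0e3e, "Fixes #391"); the hunk only shows the removal. The `%prep` section is outside the hunk, so if patches are applied by number there, `Patch0004` needs a matching entry.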