diff --git a/backport-port-fix-OVERRUN-CWE-119.patch b/backport-port-fix-OVERRUN-CWE-119.patch deleted file mode 100644 index c3f1886a5568e96fe39eb70fa18584fb72eb2c71..0000000000000000000000000000000000000000 --- a/backport-port-fix-OVERRUN-CWE-119.patch +++ /dev/null @@ -1,44 +0,0 @@ -From 4c16416ebc5f0958d58a1ea1e7890eafd9f8bb75 Mon Sep 17 00:00:00 2001 -From: Iker Pedrosa -Date: Wed, 15 May 2024 12:25:51 +0200 -Subject: [PATCH] port: fix OVERRUN (CWE-119) - -``` -shadow-4.15.0/lib/port.c:154:2: alias: Assigning: "port.pt_names" = "ttys". "port.pt_names" now points to element 0 of "ttys" (which consists of 65 8-byte elements). -shadow-4.15.0/lib/port.c:155:2: cond_const: Checking "j < 64" implies that "j" is 64 on the false branch. -shadow-4.15.0/lib/port.c:175:2: overrun-local: Overrunning array of 65 8-byte elements at element index 65 (byte offset 527) by dereferencing pointer "port.pt_names + (j + 1)". -173| *cp = '\0'; -174| cp++; -175|-> port.pt_names[j + 1] = NULL; -176| -177| /* -``` - -Resolves: https://issues.redhat.com/browse/RHEL-35383 - -Signed-off-by: Iker Pedrosa -Reviewed-by: Alejandro Colomar - -Conflict: N/A -Reference: https://github.com/shadow-maint/shadow/commit/4c16416ebc5f0958d58a1ea1e7890eafd9f8bb75 - ---- - lib/port.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/lib/port.c b/lib/port.c -index 05b95651..60ff8989 100644 ---- a/lib/port.c -+++ b/lib/port.c -@@ -168,7 +168,7 @@ again: - } - *cp = '\0'; - cp++; -- port.pt_names[j + 1] = NULL; -+ port.pt_names[j] = NULL; - - /* - * Get the list of user names. It is the second colon --- -2.33.0 - diff --git a/backport-src-groupmod.c-delete-gr_free_members-grp-to-avoid-d.patch b/backport-src-groupmod.c-delete-gr_free_members-grp-to-avoid-d.patch index 47193109a711f7f00838780305ebceb77059eec7..6a1a2d9a58587d65c081bfa5192a34f85b8ff373 100644 --- a/backport-src-groupmod.c-delete-gr_free_members-grp-to-avoid-d.patch 
+++ b/backport-src-groupmod.c-delete-gr_free_members-grp-to-avoid-d.patch @@ -35,16 +35,12 @@ Link: Cc: "Serge E. Hallyn" Reviewed-by: Alejandro Colomar Signed-off-by: lixinyun - -Conflict: N/A -Reference: https://github.com/shadow-maint/shadow/commit/10429edc14673fbb8c78b25f1872c34e88e5f07f - --- src/groupmod.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/src/groupmod.c b/src/groupmod.c -index a29cf73f..989d7ea3 100644 +index a29cf73f6..989d7ea34 100644 --- a/src/groupmod.c +++ b/src/groupmod.c @@ -250,8 +250,6 @@ static void grp_update (void) @@ -56,6 +52,3 @@ index a29cf73f..989d7ea3 100644 grp.gr_mem = XMALLOC(1, char *); grp.gr_mem[0] = NULL; } else { --- -2.33.0 - diff --git a/backport-src-usermod.c-update_group_file-Fix-RESOURCE_LEAK-CW.patch b/backport-src-usermod.c-update_group_file-Fix-RESOURCE_LEAK-CW.patch deleted file mode 100644 index 7673f7c2955563ad3f137c7739745e613429ae7a..0000000000000000000000000000000000000000 --- a/backport-src-usermod.c-update_group_file-Fix-RESOURCE_LEAK-CW.patch +++ /dev/null 
@@ -1,54 +0,0 @@ -From 61964aa06b9e6e0643a6519f64290f18ac04867f Mon Sep 17 00:00:00 2001 -From: Alejandro Colomar -Date: Thu, 16 May 2024 13:54:06 +0200 -Subject: [PATCH] src/usermod.c: update_group_file(): Fix RESOURCE_LEAK - (CWE-772) - -Report: -> shadow-4.15.0/src/usermod.c:734:3: alloc_fn: Storage is returned from allocation function "__gr_dup". -> shadow-4.15.0/src/usermod.c:734:3: var_assign: Assigning: "ngrp" = storage returned from "__gr_dup(grp)". -> shadow-4.15.0/src/usermod.c:815:1: leaked_storage: Variable "ngrp" going out of scope leaks the storage it points to. -> 813| gr_free(ngrp); -> 814| } -> 815|-> } -> 816| -> 817| #ifdef SHADOWGRP - -Link: https://issues.redhat.com/browse/RHEL-35383 -Reported-by: Iker Pedrosa -Signed-off-by: Alejandro Colomar - -Conflict: N/A -Reference: https://github.com/shadow-maint/shadow/commit/61964aa06b9e6e0643a6519f64290f18ac04867f - ---- - src/usermod.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/src/usermod.c b/src/usermod.c -index 3048f801..e0cfdd83 100644 ---- a/src/usermod.c -+++ b/src/usermod.c -@@ -780,9 +780,8 @@ update_group_file(void) - SYSLOG ((LOG_INFO, "add '%s' to group '%s'", - user_newname, ngrp->gr_name)); - } -- if (!changed) { -- continue; -- } -+ if (!changed) -+ goto free_ngrp; - - changed = false; - if (gr_update (ngrp) == 0) { -@@ -793,6 +792,7 @@ update_group_file(void) - fail_exit (E_GRP_UPDATE); - } - -+free_ngrp: - gr_free(ngrp); - } - } --- -2.33.0 - diff --git a/backport-src-usermod.c-update_gshadow_file-Fix-RESOURCE_LEAK-.patch b/backport-src-usermod.c-update_gshadow_file-Fix-RESOURCE_LEAK-.patch deleted file mode 100644 index dfa9d1342c9f14ecf3a30ab066f2eb0cb16d4cbb..0000000000000000000000000000000000000000 --- a/backport-src-usermod.c-update_gshadow_file-Fix-RESOURCE_LEAK-.patch +++ /dev/null 
@@ -1,54 +0,0 @@ -From 71a3238b7996285fc3c8dec841244ba95d663fa5 Mon Sep 17 00:00:00 2001 -From: Alejandro Colomar -Date: Fri, 17 May 2024 02:15:15 +0200 -Subject: [PATCH] src/usermod.c: update_gshadow_file(): Fix RESOURCE_LEAK - (CWE-772) - -Report: -> shadow-4.15.0/src/usermod.c:864:3: alloc_fn: Storage is returned from allocation function "__sgr_dup". -> shadow-4.15.0/src/usermod.c:864:3: var_assign: Assigning: "nsgrp" = storage returned from "__sgr_dup(sgrp)". -> shadow-4.15.0/src/usermod.c:964:1: leaked_storage: Variable "nsgrp" going out of scope leaks the storage it points to. -> 962| free (nsgrp); -> 963| } -> 964|-> } -> 965| #endif /* SHADOWGRP */ -> 966| - -Link: https://issues.redhat.com/browse/RHEL-35383 -Reported-by: Iker Pedrosa -Signed-off-by: Alejandro Colomar - -Conflict: N/A -Reference: https://github.com/shadow-maint/shadow/commit/71a3238b7996285fc3c8dec841244ba95d663fa5 - ---- - src/usermod.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/src/usermod.c b/src/usermod.c -index e0cfdd83..bb5d3535 100644 ---- a/src/usermod.c -+++ b/src/usermod.c -@@ -921,9 +921,8 @@ update_gshadow_file(void) - SYSLOG ((LOG_INFO, "add '%s' to shadow group '%s'", - user_newname, nsgrp->sg_name)); - } -- if (!changed) { -- continue; -- } -+ if (!changed) -+ goto free_nsgrp; - - changed = false; - -@@ -939,6 +938,7 @@ update_gshadow_file(void) - fail_exit (E_GRP_UPDATE); - } - -+free_nsgrp: - free (nsgrp); - } - } --- -2.33.0 - diff --git a/backport-libsubid-Dealocate-memory-on-exit.patch b/shadow-libsubid-Dealocate-memory-on-exit.patch similarity index 72% rename from backport-libsubid-Dealocate-memory-on-exit.patch rename to shadow-libsubid-Dealocate-memory-on-exit.patch index 2217a3fb55c8399caee5c1794dfcb124671861b0..587db45982d37b15318b7f937f491e5c79bf8395 100644 --- a/backport-libsubid-Dealocate-memory-on-exit.patch +++ b/shadow-libsubid-Dealocate-memory-on-exit.patch 
@@ -1,4 +1,4 @@ -From 7949f2f026f0123467cdaad1e1992d5dc905872c Mon Sep 17 00:00:00 2001 +From 18f113cc4609e00c4f95072dbe954174f2c29be1 Mon Sep 17 00:00:00 2001 From: Daniel Bershatsky Date: Wed, 12 Jun 2024 19:26:45 +0300 Subject: [PATCH] libsubid: Dealocate memory on exit @@ -8,13 +8,16 @@ Subject: [PATCH] libsubid: Dealocate memory on exit 1 file changed, 1 insertion(+) diff --git a/src/getsubids.c b/src/getsubids.c -index fb645b194..0753abd7a 100644 +index fb645b19..0753abd7 100644 --- a/src/getsubids.c +++ b/src/getsubids.c -@@ -44,5 +44,6 @@ int main(int argc, char *argv[]) +@@ -45,5 +45,6 @@ int main(int argc, char *argv[]) printf("%d: %s %lu %lu\n", i, owner, ranges[i].start, ranges[i].count); } + free(ranges); return 0; } +-- +2.27.0 + diff --git a/shadow.spec b/shadow.spec index c1b5f5762c1456dbf770b753e0bce9a6cff91423..ce5c6a46b3e12c4b85dae6a950dd779194278711 100644 --- a/shadow.spec +++ b/shadow.spec @@ -1,6 +1,6 @@ Name: shadow Version: 4.14.3 -Release: 7 +Release: 8 Epoch: 2 License: BSD and GPLv2+ Summary: Tools for managing accounts and shadow password files 
@@ -19,19 +19,15 @@ Source7: newusers Patch0: usermod-unlock.patch Patch1: shadow-add-sm3-crypt-support.patch Patch2: shadow-Remove-encrypted-passwd-for-useradd-gr.patch -Patch3: backport-port-fix-OVERRUN-CWE-119.patch -Patch4: backport-src-usermod.c-update_group_file-Fix-RESOURCE_LEAK-CW.patch -Patch5: backport-src-usermod.c-update_gshadow_file-Fix-RESOURCE_LEAK-.patch -Patch6: backport-src-groupmod.c-delete-gr_free_members-grp-to-avoid-d.patch - -Patch7: backport-lib-idmapping.c--Use-long-constants-in-prctl-2.patch -Patch8: backport-libsubid-Dealocate-memory-on-exit.patch -Patch9: backport-man-lastlog-remove-wrong-use-of-keyword-term.patch -Patch10: limit-username-length-to-32.patch -Patch11: backport-lib-csrand.c-Fix-the-lower-part-of-the-domain-of-csr.patch -Patch12: backport-src-useradd.c-get_groups-Fix-memory-leak.patch -Patch13: backport-src-gpasswd-Clear-password-in-more-cases.patch -Patch14: backport-lib-encrypt.c-Do-not-exit-in-error-case.patch +Patch3: shadow-libsubid-Dealocate-memory-on-exit.patch +Patch4: backport-lib-idmapping.c--Use-long-constants-in-prctl-2.patch +Patch5: backport-man-lastlog-remove-wrong-use-of-keyword-term.patch +Patch6: backport-lib-csrand.c-Fix-the-lower-part-of-the-domain-of-csr.patch +Patch7: limit-username-length-to-32.patch +Patch8: backport-src-useradd.c-get_groups-Fix-memory-leak.patch +Patch9: backport-src-gpasswd-Clear-password-in-more-cases.patch +Patch10: backport-lib-encrypt.c-Do-not-exit-in-error-case.patch +Patch11: backport-src-groupmod.c-delete-gr_free_members-grp-to-avoid-d.patch BuildRequires: gcc, libselinux-devel, audit-libs-devel, libsemanage-devel BuildRequires: libacl-devel, libattr-devel 
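Review bot: The rewritten patch list no longer applies `backport-port-fix-OVERRUN-CWE-119.patch` or the two `src/usermod.c` RESOURCE_LEAK (CWE-772) backports, and nothing in this hunk replaces them while `Version` stays at 4.14.3. Those patches applied in release 7, so the 4.14.3 sources presumably still contain `port.pt_names[j + 1] = NULL;` in lib/port.c, which the dropped patch changed to `port.pt_names[j] = NULL;` to stop a write one element past the 65-entry `ttys` array. Unless the removal is intentional, keep the three lines, e.g. `Patch12: backport-port-fix-OVERRUN-CWE-119.patch` plus matching entries for the two usermod patches, and restore the patch files this commit deletes. If it is intentional, the release-8 changelog entry should say so; as written it mentions only the groupmod fix, and the same changelog hunk also alters the entries for releases 2 through 6, which makes the package history harder to audit.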
@@ -201,25 +197,27 @@ rm -f $RPM_BUILD_ROOT/%{_libdir}/libsubid.{la,a} %{_mandir}/*/* %changelog +* Tue May 27 2025 Funda Wang - 2:4.14.3-8 +- fix upstream bug#1013: src/groupmod.c: bug; possibly use-after-free + * Tue Mar 11 2025 yixiangzhike - 2:4.14.3-7 - backport patches from upstream -* Wed Feb 12 2025 beta - 2:4.14.3-6 -- chpasswd fix coredump with s parameter +* Sat Feb 8 2025 hugel - 2:4.14.3-6 +- limit username length to 32 -* Fri Feb 7 2025 hugel - 2:4.14.3-5 +* Mon Dec 16 2024 beta - 2:4.14.3-5 - backport patches from upstream -* Fri Jan 17 2025 zhangshaoning - 2:4.14.3-4 -- limit username length to 32 +* Wed Dec 11 2024 beta - 2:4.14.3-4 +- chpasswd fix coredump with s parameter -* Thu Sep 26 2024 zhangxingrong - 2:4.14.3-3 -- lib/idmapping.c: Use long constants in prctl(2) -- libsubid: Dealocate memory on exit +* Wed Oct 9 2024 zhangxingrong - 2:4.14.3-3 +- lib/idmapping.c: Use long constants in prctl(2) - man/lastlog: remove wrong use of keyword term -* Mon Jul 15 2024 wangziliang - 2:4.14.3-2 -- backport patches from upstream +* Fri Sep 6 2024 zhangzikang - 2:4.14.3-2 +- libsubid: Dealocate memory on exit * Thu Feb 1 2024 zhengxiaoxiao - 2:4.14.3-1 - update version to 4.14.3