diff --git a/xstream-distribution-1.4.20-src.zip b/xstream-distribution-1.4.21-src.zip similarity index 77% rename from xstream-distribution-1.4.20-src.zip rename to xstream-distribution-1.4.21-src.zip index cd78351fb569860f836c213c8c0423f551d3c4fa..53f94087cd7f4d672a43a56243ed59f67f77e02e 100644 Binary files a/xstream-distribution-1.4.20-src.zip and b/xstream-distribution-1.4.21-src.zip differ diff --git a/xstream.spec b/xstream.spec index 6575526229792fcd1deffaa9d35ffd4ea1350b93..b4ca5ea02ef048c27f4efbac0912d27990ca0fd7 100644 --- a/xstream.spec +++ b/xstream.spec @@ -1,12 +1,12 @@ %bcond_with jp_minimal Name: xstream -Version: 1.4.20 +Version: 1.4.21 Release: 1 Summary: Java XML serialization library -License: BSD +License: BSD-3-Clause URL: http://x-stream.github.io/ BuildArch: noarch -Source0: http://repo1.maven.org/maven2/com/thoughtworks/xstream/xstream-distribution/%{version}/xstream-distribution-%{version}-src.zip +Source0: https://repo1.maven.org/maven2/com/thoughtworks/%{name}/%{name}-distribution/%{version}/%{name}-distribution-%{version}-src.zip BuildRequires: maven-local mvn(cglib:cglib) mvn(dom4j:dom4j) mvn(javax.xml.bind:jaxb-api) BuildRequires: mvn(joda-time:joda-time) mvn(net.sf.kxml:kxml2-min) 
@@ -129,6 +129,47 @@ rm xstream-benchmark/src/java/com/thoughtworks/xstream/tools/benchmark/products/ %license LICENSE.txt %changelog +* Mon Nov 11 2024 yaoxin - 1.4.21-1 +- Update to 1.4.21 + * Security fixes + - This maintenance release addresses the security vulnerability + CVE-2024-47072 (bsc#1233085), when using the BinaryDriver to + unmarshal a manipulated input stream causing a Denial of + Service due to a stack overflow. + * Major changes + - #350: Optimize memory allocation + - Add a converter for the WeakHashMap which does not write any + elements of the map. Avoids also access to the ReentrantLock + contained in the WeakHashMap since Java 19. + * Minor changes + - #335: Allow PrettyPrintWriter to replace invalid XML + characters when not running in quirks mode + - #331, #326: Fix handling of empty + java.util.concurrent.atomic.AtomicReference + - #334: Fix remaining buffer size calculation in QuickWriter + - #342: Optimize internal handling of children in DomReader + avoiding O(n^2) access times for siblings + - #349: Fix support of lambda objects for Java 21 and above + - #359: Add KEYS file with public keys to verify signed + artifacts. + - Detect input manipulation in + c.t.x.io.binary.BinaryStreamReader. + - Use Jettison 1.5.4 by default for Java Runtimes version 8 or + higher. + * API changes + - Added constant + c.t.x.io.xml.PrettyPrintWriter.XML_1_0_REPLACEMENT. + - Added constant + c.t.x.io.xml.PrettyPrintWriter.XML_1_1_REPLACEMENT. + - Added c.t.x.converters.collections.WeakHashMapConverter. + - Protected field fieldsToOmit of + c.t.x.mapper.ElementIgnoringMapper set to private. + - Protected field unknownElementsToIgnore of + c.t.x.mapper.ElementIgnoringMapper set to private. + * Stream compatibility + - The WeakHashMaps, that have been written with previous + versions of XStream, can still be deserialized. + * Mon Dec 11 2023 yaoxin - 1.4.20-1 - Upgrade to 1.4.20 for fix CVE-2022-40151 and CVE-2022-41966
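Review bot: the source archive swap (xstream-distribution-1.4.20-src.zip to xstream-distribution-1.4.21-src.zip) lands as an opaque binary change with nothing in the patch showing how the new zip was verified; since the changelog in this same commit records that upstream now ships a KEYS file for verifying signed artifacts (#359), please state in the commit message which checksum or signature the new archive was checked against, or add the upstream signature alongside the archive so the verification is reproducible rather than implicit.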
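Review bot: in the spec header hunk, the Source0 change to `https://repo1.maven.org/maven2/com/thoughtworks/%{name}/%{name}-distribution/%{version}/%{name}-distribution-%{version}-src.zip` and the License change from `BSD` to the SPDX identifier `BSD-3-Clause` are unrelated to the version bump and are not mentioned anywhere in the changelog; either split them into their own commit or record them explicitly so the move to a TLS-protected download URL and the license-tag normalization are auditable later. The `%{name}` substitution is fine as long as `Name: xstream` stays fixed, which the context lines confirm.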
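Review bot: the new changelog entry describes only upstream changes and omits the two packaging changes made in the same patch (License tag switched to `BSD-3-Clause`, Source0 switched to HTTPS with `%{name}` macros); add one line for each, e.g. `- Switch License tag to SPDX identifier BSD-3-Clause` and `- Use HTTPS and %{name} macros in Source0`. The entry also notes that upstream now defaults to Jettison 1.5.4 on Java 8 or higher, yet no BuildRequires or Requires change appears in the diff; please confirm whether the existing dependency declarations already cover that version or whether the hunk is missing a corresponding update.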