diff --git a/buildflags.md b/buildflags.md
index 723e236..7f85aca 100644
--- a/buildflags.md
+++ b/buildflags.md
@@ -247,7 +247,7 @@ not), but their selection depends on the architecture:
     fully ABI-compatible and has adds very little run-time overhead, but
     is only available on certain architectures (currently aarch64, i386,
     ppc64, ppc64le, s390x, x86_64).
-*   ` -mcet -fcf-protection`: Instrument binaries to guard against
+*   `-fcf-protection`: Instrument binaries to guard against
     ROP/JOP attacks.  Used on i686 and x86_64.
 *   `-m64` and `-m32`: Some GCC builds support both 32-bit and 64-bit in
     the same compilation.  For such architectures, the RPM build process
diff --git a/redhat-rpm-config.spec b/redhat-rpm-config.spec
index 0e2d97c..0dc25af 100644
--- a/redhat-rpm-config.spec
+++ b/redhat-rpm-config.spec
@@ -6,7 +6,7 @@
 
 Summary: Red Hat specific rpm configuration files
 Name: redhat-rpm-config
-Version: 107
+Version: 108
 Release: 1%{?dist}
 # No version specified.
 License: GPL+
@@ -105,8 +105,8 @@ Requires: %{_bindir}/grep
 Requires: %{_bindir}/sed
 Requires: %{_bindir}/xargs
 
-# -fstack-clash-protection and CET requires GCC 8.
-Conflicts: gcc < 8.0
+# -fstack-clash-protection and -fcf-protection require GCC 8.
+Conflicts: gcc < 8.0.1-0.22
 
 Provides: system-rpm-config = %{version}-%{release}
 
@@ -183,6 +183,9 @@ install -p -m 755 -t %{buildroot}%{_rpmconfigdir} kmod.prov
 %{_rpmconfigdir}/macros.d/macros.kmp
 
 %changelog
+* Wed May  2 2018 Florian Weimer <fweimer@redhat.com> - 108-1
+- Use plain -fcf-protection compiler flag, without -mcet (#1570823)
+
 * Fri Apr 20 2018 Jason L Tibbitts III <tibbs@math.uh.edu> - 107-1
 - Add %%_metainfodir macro.
 - %%forgeautosetup tweak to fix patch application.
diff --git a/rpmrc b/rpmrc
index 17161f7..dc8fa85 100644
--- a/rpmrc
+++ b/rpmrc
@@ -3,10 +3,10 @@ include: /usr/lib/rpm/rpmrc
 optflags: i386 %{__global_compiler_flags} -m32 -march=i386 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection
 optflags: i486 %{__global_compiler_flags} -m32 -march=i486 -fasynchronous-unwind-tables -fstack-clash-protection
 optflags: i586 %{__global_compiler_flags} -m32 -march=i586 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection
-optflags: i686 %{__global_compiler_flags} -m32 -march=i686 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -mcet -fcf-protection
+optflags: i686 %{__global_compiler_flags} -m32 -march=i686 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection
 optflags: athlon %{__global_compiler_flags} -m32 -march=athlon -fasynchronous-unwind-tables -fstack-clash-protection
 optflags: ia64 %{__global_compiler_flags}
-optflags: x86_64 %{__global_compiler_flags} -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -mcet -fcf-protection
+optflags: x86_64 %{__global_compiler_flags} -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection
 
 optflags: alpha %{__global_compiler_flags} -mieee
 optflags: alphaev5 %{__global_compiler_flags} -mieee -mcpu=ev5