diff --git a/.gitignore b/.gitignore
index d828ae8..4e4f8b6 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,2 @@
 /contrib-5b445f1.tar.gz
-/kubernetes-51dd616.tar.gz
+/kubernetes-2166946.tar.gz
diff --git a/build-with-debug-info.patch b/build-with-debug-info.patch
index 1f28d69..9589515 100644
--- a/build-with-debug-info.patch
+++ b/build-with-debug-info.patch
@@ -1,34 +1,43 @@
-From b02d3b74a43b5d7460e3f7e0a124d2f0d0fe332f Mon Sep 17 00:00:00 2001
+From ed6bae772c83e5bc73daec3bf9031ca235ce67e9 Mon Sep 17 00:00:00 2001
 From: Jan Chaloupka <jchaloup@redhat.com>
-Date: Mon, 25 Feb 2019 20:13:35 +0100
+Date: Thu, 11 Apr 2019 14:22:03 +0200
 Subject: [PATCH] build with debug info
 
 ---
- hack/lib/golang.sh | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
+ hack/lib/golang.sh | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
 
 diff --git a/hack/lib/golang.sh b/hack/lib/golang.sh
-index 9eb52a7..01501e7 100755
+index 7ddc0bb..e00f26b 100755
 --- a/hack/lib/golang.sh
 +++ b/hack/lib/golang.sh
-@@ -586,7 +586,7 @@ kube::golang::build_binaries_for_platform() {
-       -installsuffix static
+@@ -601,7 +601,7 @@ kube::golang::build_binaries_for_platform() {
        ${goflags:+"${goflags[@]}"}
        -gcflags "${gogcflags:-}"
+       -asmflags "${goasmflags:-}"
 -      -ldflags "${goldflags:-}"
 +      -ldflags "-B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \n') ${goldflags:-}"
      )
      CGO_ENABLED=0 kube::golang::build_some_binaries "${statics[@]}"
    fi
-@@ -595,7 +595,7 @@ kube::golang::build_binaries_for_platform() {
-     build_args=(
+@@ -611,7 +611,7 @@ kube::golang::build_binaries_for_platform() {
        ${goflags:+"${goflags[@]}"}
        -gcflags "${gogcflags:-}"
+       -asmflags "${goasmflags:-}"
 -      -ldflags "${goldflags:-}"
 +      -ldflags "-B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \n') ${goldflags:-}"
      )
      kube::golang::build_some_binaries "${nonstatics[@]}"
    fi
+@@ -625,7 +625,7 @@ kube::golang::build_binaries_for_platform() {
+       ${goflags:+"${goflags[@]}"} \
+       -gcflags "${gogcflags:-}" \
+       -asmflags "${goasmflags:-}" \
+-      -ldflags "${goldflags:-}" \
++      -ldflags "-B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \n') ${goldflags:-}" \
+       -o "${outfile}" \
+       "${testpkg}"
+   done
 -- 
 2.7.5
 
diff --git a/kubernetes.spec b/kubernetes.spec
index 1d685e1..fb233d1 100644
--- a/kubernetes.spec
+++ b/kubernetes.spec
@@ -1,6 +1,6 @@
 %if 0%{?fedora}
 %global with_bundled 0
-%global with_debug   1
+%global with_debug   0
 %else
 %global with_bundled 1
 %global with_debug   0
@@ -21,7 +21,7 @@
 
 %global provider_prefix         %{provider}.%{provider_tld}/%{project}/%{repo}
 %global import_path             k8s.io/kubernetes
-%global commit                  51dd616cdd25d6ee22c83a858773b607328a18ec
+%global commit                  2166946f41b36dea2c4626f90a77706f426cdea2
 %global shortcommit              %(c=%{commit}; echo ${c:0:7})
 
 %global con_provider            github
@@ -33,7 +33,7 @@
 %global con_commit              5b445f1c53aa8d6457523526340077935f62e691
 %global con_shortcommit         %(c=%{con_commit}; echo ${c:0:7})
 
-%global kube_version            1.12.5
+%global kube_version            1.13.5
 %global kube_git_version        v%{kube_version}
 
 # Needed otherwise "version_ldflags=$(kube::version_ldflags)" doesn't work
@@ -43,7 +43,7 @@
 ##############################################
 Name:           kubernetes
 Version:        %{kube_version}
-Release:        2%{?dist}
+Release:        1%{?dist}
 Summary:        Container cluster management
 License:        ASL 2.0
 URL:            https://%{import_path}
@@ -187,7 +187,12 @@ export KUBE_EXTRA_GOPATH=$(pwd)/Godeps/_workspace
 %ifarch ppc64le
 export GOLDFLAGS='-linkmode=external'
 %endif
-make WHAT="cmd/hyperkube cmd/kube-apiserver cmd/kubeadm"
+# Build each binary separately to generate a unique build-id.
+# Otherwise: Duplicate build-ids /builddir/build/BUILDROOT/kubernetes-1.13.5-1.fc31.x86_64/usr/bin/kube-apiserver and /builddir/build/BUILDROOT/kubernetes-1.13.5-1.fc31.x86_64/usr/bin/kubeadm
+make WHAT="cmd/hyperkube"
+make WHAT="cmd/kube-apiserver"
+make WHAT="cmd/kubeadm"
+
 
 # convert md to man
 ./hack/generate-docs.sh || true
@@ -363,7 +368,7 @@ getent passwd kube >/dev/null || useradd -r -g kube -d / -s /sbin/nologin \
 %systemd_preun kube-apiserver kube-scheduler kube-controller-manager
 
 %postun master
-%systemd_postun
+%systemd_postun kube-apiserver kube-scheduler kube-controller-manager
 
 
 %pre node
@@ -382,10 +387,14 @@ fi
 %systemd_preun kubelet kube-proxy
 
 %postun node
-%systemd_postun
+%systemd_postun kubelet kube-proxy
 
 ############################################
 %changelog
+* Thu Apr 11 2019 Jan Chaloupka <jchaloup@redhat.com> - 1.13.5-1
+- Update to v1.13.5 (CVE-2019-1002101 - Mishandling of symlinks allows for arbitrary file write via `kubectl cp`)
+  resolves: #1693884
+
 * Tue Mar 05 2019 Jan Chaloupka <jchaloup@redhat.com> - 1.12.5-2
 - Allow to install cri-o as alternative to docker
   resolves: #1631053
diff --git a/sources b/sources
index 524f86c..f5606d2 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
 SHA512 (contrib-5b445f1.tar.gz) = 14680c3ddd3108127f9ee368c5e51f000ba5813b054275f3d5c3a66b9da20526642f268424d12aa78b18ada84cd8d87c7bd0ae0d550ee8e9fb6a5c683a4a233f
-SHA512 (kubernetes-51dd616.tar.gz) = def92e81b34355fa2eb68a6eaa81756c9f0dec560f73d0f015885ffe51c8c3bc0532e5ef7dcccc5e614547388241565c6dddbc340fdd7b4873d62aa0afd0e310
+SHA512 (kubernetes-2166946.tar.gz) = 2894fcc791cf5641445d586fe4a38ea569b5001b0cf0e34d30498bea9004ce8b5b82205c99dc5ba2421f3a42c79efbacfa1f5bc301c1197de41759f2bd9f6086