diff --git a/.gitignore b/.gitignore
index 98bad1f..c4e3cdf 100644
--- a/.gitignore
+++ b/.gitignore
@@ -23,3 +23,4 @@
 /apache-log4j-2.15.0-src.tar.gz
 /apache-log4j-2.16.0-src.tar.gz
 /apache-log4j-2.17.0-src.tar.gz
+/apache-log4j-2.17.1-src.tar.gz
diff --git a/log4j.spec b/log4j.spec
index f4ba3fc..3c43ae5 100644
--- a/log4j.spec
+++ b/log4j.spec
@@ -1,14 +1,14 @@
 %bcond_without jp_minimal
 Name: log4j
-Version: 2.17.0
+Version: 2.17.1
 Release: 1%{?dist}
 Summary: Java logging package
 BuildArch: noarch
 License: ASL 2.0
-URL: http://logging.apache.org/%{name}
-Source0: http://www.apache.org/dist/logging/%{name}/%{version}/apache-%{name}-%{version}-src.tar.gz
+URL: https://logging.apache.org/%{name}
+Source0: https://www.apache.org/dist/logging/%{name}/%{version}/apache-%{name}-%{version}-src.tar.gz
 Patch2: logging-log4j-Remove-unsupported-EventDataConverter.patch
@@ -284,6 +284,9 @@ rm -r log4j-1.2-api/src/main/java/org/apache/log4j/or/jms
 %changelog
+* Tue Dec 28 2021 Paul Wouters - 2.17.1-1
+- Update log4j to 2.17.1 for CVE-2021-44832 RCE via JDBC Appender (when attacker controls config)
+
 * Sat Dec 18 2021 Paul Wouters - 2.17.0-1
 - Update log4j to 2.17.0 for CVE-2021-45105 Denial of Service attack
diff --git a/sources b/sources
index 59e1b34..e09283e 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (apache-log4j-2.17.0-src.tar.gz) = 23433baa39a8cc76164ae96307e85b9e4ea671028015df6171bfaf025a1e1aaacf76a94a1beef67aada56952f013a8eae94024869a8530f42a3747ba70cc3a90
+SHA512 (apache-log4j-2.17.1-src.tar.gz) = 21cdfca54eb0d6af261a5ae89ff98197473d9c0203b0ab530f3aef6c90957bfb95a423983c8a19d7fbab05ec194b6fad8e46628e32270dd8b94ddd194a1cb177
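Review bot: The `Source0:` line in the first log4j.spec hunk now fetches over HTTPS, but nothing visible in the hunk checks the tarball against upstream's release signature. Authenticity of the 2.17.1 sources therefore rests on whoever computed the SHA512 recorded in `sources`. For a release shipped as a CVE fix, consider adding the detached signature and the project keyring as extra sources, then calling `%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'` at the top of `%prep` with `BuildRequires: gnupg2` (source numbers here are illustrative). The rest of the spec lies outside the hunk, so such a check may already exist, although `Patch2` following `Source0` directly suggests it does not.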