diff --git a/0001-Fix-fencer-get-target-by-attribute-working-again.patch b/0001-Fix-fencer-get-target-by-attribute-working-again.patch
new file mode 100644
index 0000000..efd8292
--- /dev/null
+++ b/0001-Fix-fencer-get-target-by-attribute-working-again.patch
@@ -0,0 +1,30 @@
+From d4bd89fc5ad9eca7949f590843e9557a4b49e906 Mon Sep 17 00:00:00 2001
+From: Ken Gaillot
+Date: Fri, 3 Jun 2022 08:51:08 -0500
+Subject: [PATCH] Fix: fencer: get target-by-attribute working again
+
+Regression in 2.1.3 introduced by b09f16eb1
+
+This was papered over by the separate regression in cts-lab introduced by
+4a6d1879, which caused target-by-attribute to no longer be tested, and which
+was recently fixed by caf9a3bc.
+---
+ daemons/fenced/fenced_commands.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/daemons/fenced/fenced_commands.c b/daemons/fenced/fenced_commands.c
+index aa070dd..a43a88f 100644
+--- a/daemons/fenced/fenced_commands.c
++++ b/daemons/fenced/fenced_commands.c
+@@ -1549,7 +1549,7 @@ unpack_level_kind(xmlNode *level)
+ }
+ if (!stand_alone /* if standalone, there's no attribute manager */
+ && (crm_element_value(level, XML_ATTR_STONITH_TARGET_ATTRIBUTE) != NULL)
+- && (crm_element_value(level, XML_ATTR_STONITH_TARGET_VALUE) == NULL)) {
++ && (crm_element_value(level, XML_ATTR_STONITH_TARGET_VALUE) != NULL)) {
+ return fenced_target_by_attribute;
+ }
+ return fenced_target_by_unknown;
+--
+1.8.3.1
+
diff --git a/0002-Fix-fencer-avoid-use-after-free-with-self-fencing-an.patch b/0002-Fix-fencer-avoid-use-after-free-with-self-fencing-an.patch
new file mode 100644
index 0000000..68f6268
--- /dev/null
+++ b/0002-Fix-fencer-avoid-use-after-free-with-self-fencing-an.patch
@@ -0,0 +1,94 @@
+From 1ab6a17d1272968a2d465acbf1e62af35344ce32 Mon Sep 17 00:00:00 2001
+From: Ken Gaillot
+Date: Fri, 3 Jun 2022 11:19:04 -0500
+Subject: [PATCH] Fix: fencer: avoid use-after-free with self-fencing and
+ topology
+
+In the case of self-fencing with topology, handle_fence_request() will
+overwrite F_STONITH_OPERATION in the original request XML, which invalidates
+the request.op pointer created by stonith_command(). The fix is to make
+request.op a copy.
+
+Regression introduced in 2.1.3 by 067d655eb
+---
+ daemons/fenced/fenced_commands.c | 4 ++--
+ include/crm/common/messages_internal.h | 8 ++++++--
+ lib/common/messages.c | 15 +++++++++++++++
+ 3 files changed, 23 insertions(+), 4 deletions(-)
+
+diff --git a/daemons/fenced/fenced_commands.c b/daemons/fenced/fenced_commands.c
+index a43a88f..94aa6b8 100644
+--- a/daemons/fenced/fenced_commands.c
++++ b/daemons/fenced/fenced_commands.c
+@@ -3498,7 +3498,7 @@ stonith_command(pcmk__client_t *client, uint32_t id, uint32_t flags,
+ .result = PCMK__UNKNOWN_RESULT,
+ };
+
+- request.op = crm_element_value(request.xml, F_STONITH_OPERATION);
++ request.op = crm_element_value_copy(request.xml, F_STONITH_OPERATION);
+ CRM_CHECK(request.op != NULL, return);
+
+ if (pcmk_is_set(request.call_options, st_opt_sync_call)) {
+@@ -3506,6 +3506,6 @@ stonith_command(pcmk__client_t *client, uint32_t id, uint32_t flags,
+ }
+
+ handle_request(&request);
+- pcmk__reset_result(&request.result);
++ pcmk__reset_request(&request);
+ }
+ }
+diff --git a/include/crm/common/messages_internal.h b/include/crm/common/messages_internal.h
+index edbd836..2ba5bd9 100644
+--- a/include/crm/common/messages_internal.h
++++ b/include/crm/common/messages_internal.h
+@@ -50,11 +50,14 @@ typedef struct {
+ * generically, but each daemon uses a different XML attribute for it,
+ * so the daemon is responsible for populating this field.
+ *
++ * This must be a copy of the XML field, and not just a pointer into xml,
++ * because handlers might modify the original XML.
++ *
+ * @TODO Create a per-daemon struct with IPC handlers, IPC endpoints, etc.,
+ * and the name of the XML attribute for IPC commands, then replace this
+- * with a convenience function to grab the command.
++ * with a convenience function to copy the command.
+ */
+- const char *op; // IPC command from xml
++ char *op; // IPC command name
+ } pcmk__request_t;
+
+ #define pcmk__set_request_flags(request, flags_to_set) do { \
+@@ -72,6 +75,7 @@ typedef struct {
+ const char *pcmk__message_name(const char *name);
+ GHashTable *pcmk__register_handlers(pcmk__server_command_t handlers[]);
+ xmlNode *pcmk__process_request(pcmk__request_t *request, GHashTable *handlers);
++void pcmk__reset_request(pcmk__request_t *request);
+
+ /*!
+ * \internal
+diff --git a/lib/common/messages.c b/lib/common/messages.c
+index 4f8777d..1c5f467 100644
+--- a/lib/common/messages.c
++++ b/lib/common/messages.c
+@@ -276,3 +276,18 @@ pcmk__process_request(pcmk__request_t *request, GHashTable *handlers)
+
+ return (*handler)(request);
+ }
++
++/*!
++ * \internal
++ * \brief Free memory used within a request (but not the request itself)
++ *
++ * \param[in] request Request to reset
++ */
++void
++pcmk__reset_request(pcmk__request_t *request)
++{
++ free(request->op);
++ request->op = NULL;
++
++ pcmk__reset_result(&(request->result));
++}
+--
+1.8.3.1
+
diff --git a/pacemaker.spec b/pacemaker.spec
index ddeaac8..46a9016 100644
--- a/pacemaker.spec
+++ b/pacemaker.spec
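Review bot: The new `pcmk__reset_request()` in lib/common/messages.c dereferences `request` in `free(request->op)` without a NULL guard, and its Doxygen tag reads `\param[in]` even though the function frees and clears `op` and resets `result`. I would add `if (request == NULL) { return; }` as the first statement and change the tag to `\param[in,out] request  Request to reset`. Since `op` is now passed to `free()` here, any code that still fills `pcmk__request_t.op` with a pointer into the request XML and then calls this function would free memory it does not own. Only the fencer's `stonith_command()` is converted to `crm_element_value_copy()` in this patch, so other users of the struct, if any exist, should be checked. `stonith_command()` begins and ends outside the hunks shown.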
@@ -32,10 +32,10 @@ ## can be incremented to build packages reliably considered "newer" ## than previously built packages with the same pcmkversion) %global pcmkversion 2.1.3 -%global specversion 0.2.rc2 +%global specversion 3 ## Upstream commit (full commit ID, abbreviated commit ID, or tag) to build -%global commit dff7c3a7265f02e37804d6302dd1bf1f4e4c1f17 +%global commit da2fd79c89a8b148a2505b57b31e22a187c10d4f ## Since git v2.11, the extent of abbreviation is autoscaled by default ## (used to be constant of 7), so we need to convey it for non-tags, too. @@ -217,6 +217,8 @@ Source0: https://codeload.github.com/%{github_owner}/%{name}/tar.gz/%{arch Source1: https://codeload.github.com/%{github_owner}/%{nagios_name}/tar.gz/%{nagios_archive_github_url} # upstream commits +Patch0: 0001-Fix-fencer-get-target-by-attribute-working-again.patch +Patch1: 0002-Fix-fencer-avoid-use-after-free-with-self-fencing-an.patch Requires: resource-agents Requires: %{pkgname_pcmk_libs}%{?_isa} = %{version}-%{release} @@ -810,6 +812,13 @@ exit 0 %license %{nagios_name}-%{nagios_hash}/COPYING %changelog +* Tue Jun 7 2022 Klaus Wenninger - 2.1.3-3 +- Update for new upstream release tarball: Pacemaker-2.1.3 + for full details, see included ChangeLog file or + https://github.com/ClusterLabs/pacemaker/releases/tag/Pacemaker-2.1.3 +- get target-by-attribute working again +- avoid use-after-free with self-fencing and topology + * Mon May 23 2022 Klaus Wenninger - 2.1.3-0.2.rc2 - Update for new upstream tarball for release candidate: Pacemaker-2.1.3-rc2, for full details, see included ChangeLog file or diff --git a/sources b/sources index fed611b..91255a0 100644 --- a/sources +++ b/sources 
@@ -1,2 +1,2 @@
 SHA512 (nagios-agents-metadata-105ab8a7b2c16b9a29cf1c1596b80136eeef332b.tar.gz) = 11ddeb48a4929e7642b6dfa9c7962aa1d7a1af1c569830f55ed6cd6773abac13377317327bc1db8411c8077884f83f81cc54d746c834b63a99fa6dc219b5caad
-SHA512 (pacemaker-dff7c3a72.tar.gz) = 0a21e98dc721b01a93faf057f3af225863c077134fdaeba84d1f153f9ac3a0c7312be584ec0fcd94fbd49443108fb69c3f8d44d7483b8f077b86c2d325399576
+SHA512 (pacemaker-da2fd79c8.tar.gz) = 881bafd528a25a18e618bf56cecd776d4114231ff72c87a57b83fe786092ad6b90aef069ecdd95357ca6fe77f8b4ba87379221d6426963dba46c7df723b3ff8a