diff --git a/openssh-8.0p1-pkcs11-uri.patch b/openssh-8.0p1-pkcs11-uri.patch
index d55df23..0713ffe 100644
--- a/openssh-8.0p1-pkcs11-uri.patch
+++ b/openssh-8.0p1-pkcs11-uri.patch
@@ -2159,12 +2159,13 @@ index a302c79c..879fe917 100644
  	if (rv != CKR_OK) {
  		error("C_GetAttributeValue failed: %lu", rv);
  		return (NULL);
-@@ -717,18 +874,19 @@ pkcs11_fetch_ecdsa_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx,
+@@ -717,19 +874,19 @@ pkcs11_fetch_ecdsa_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx,
+ 	 * ensure that none of the others are zero length.
  	 * XXX assumes CKA_ID is always first.
  	 */
- 	if (key_attr[1].ulValueLen == 0 ||
+-	if (key_attr[1].ulValueLen == 0 ||
 -	    key_attr[2].ulValueLen == 0) {
-+	    key_attr[2].ulValueLen == 0 ||
++	if (key_attr[2].ulValueLen == 0 ||
 +	    key_attr[3].ulValueLen == 0) {
  		error("invalid attribute length");
  		return (NULL);
@@ -2259,12 +2260,13 @@ index a302c79c..879fe917 100644
  	if (rv != CKR_OK) {
  		error("C_GetAttributeValue failed: %lu", rv);
  		return (NULL);
-@@ -838,18 +998,19 @@ pkcs11_fetch_rsa_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx,
+@@ -838,19 +998,19 @@ pkcs11_fetch_rsa_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx,
+ 	 * ensure that none of the others are zero length.
  	 * XXX assumes CKA_ID is always first.
  	 */
- 	if (key_attr[1].ulValueLen == 0 ||
+-	if (key_attr[1].ulValueLen == 0 ||
 -	    key_attr[2].ulValueLen == 0) {
-+	    key_attr[2].ulValueLen == 0 ||
++	if (key_attr[2].ulValueLen == 0 ||
 +	    key_attr[3].ulValueLen == 0) {
  		error("invalid attribute length");
  		return (NULL);
diff --git a/openssh.spec b/openssh.spec
index afe431d..b9b1e7a 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -51,7 +51,7 @@
 
 # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
 %global openssh_ver 8.4p1
-%global openssh_rel 4
+%global openssh_rel 5
 %global pam_ssh_agent_ver 0.10.4
 %global pam_ssh_agent_rel 1
 
@@ -673,9 +673,12 @@ test -f %{sysconfig_anaconda} && \
 %endif
 
 %changelog
-* Tue Dec 01 2020 David Abdurachmanov <david.abdurachmanov@sifive.com> - 8.4p1-4.0.riscv64 + 0.10.4-1.0.riscv64
+* Thu May 06 2021 David Abdurachmanov <david.abdurachmanov@gmail.com> - 8.4p1-5 + 0.10.4-1.0.riscv64
 - Dissable seccomp_filter on riscv64
 
+* Wed Feb 03 2021 Jakub Jelen <jjelen@redhat.com> - 8.4p1-5 + 0.10.4-1
+- Accept empty labels for keys from PKCS#11 (#1919007)
+
 * Tue Dec 01 2020 Jakub Jelen <jjelen@redhat.com> - 8.4p1-4 + 0.10.4-1
 - Remove "PasswordAuthentication yes" from vendor configuration as it is
   already default and it might be hard to override.