diff --git a/httpd-2.4.37-r1857129.patch b/httpd-2.4.37-r1857129.patch
deleted file mode 100644
index 4dbf05a..0000000
--- a/httpd-2.4.37-r1857129.patch
+++ /dev/null
@@ -1,65 +0,0 @@
-# ./pullrev.sh 1857129
-http://svn.apache.org/viewvc?view=revision&revision=1857129
-
---- httpd-2.4.37/modules/filters/mod_reqtimeout.c
-+++ httpd-2.4.37/modules/filters/mod_reqtimeout.c
-@@ -31,7 +31,7 @@
- #define UNSET                            -1
- #define MRT_DEFAULT_handshake_TIMEOUT     0 /* disabled */
- #define MRT_DEFAULT_handshake_MAX_TIMEOUT 0
--#define MRT_DEFAULT_handshake_MIN_RATE    APR_INT32_MAX
-+#define MRT_DEFAULT_handshake_MIN_RATE    0
- #define MRT_DEFAULT_header_TIMEOUT       20
- #define MRT_DEFAULT_header_MAX_TIMEOUT   40
- #define MRT_DEFAULT_header_MIN_RATE      500
-@@ -220,7 +220,7 @@
-     if (block == APR_NONBLOCK_READ || mode == AP_MODE_INIT
-         || mode == AP_MODE_EATCRLF) {
-         rv = ap_get_brigade(f->next, bb, mode, block, readbytes);
--        if (ccfg->cur_stage.rate_factor > 0 && rv == APR_SUCCESS) {
-+        if (ccfg->cur_stage.rate_factor && rv == APR_SUCCESS) {
-             extend_timeout(ccfg, bb);
-         }
-         return rv;
-@@ -254,7 +254,7 @@
-             }
- 
-             if (!APR_BRIGADE_EMPTY(bb)) {
--                if (ccfg->cur_stage.rate_factor > 0) {
-+                if (ccfg->cur_stage.rate_factor) {
-                     extend_timeout(ccfg, bb);
-                 }
- 
-@@ -315,7 +315,7 @@
-          * the real (relevant) bytes to be asked later, within the
-          * currently alloted time.
-          */
--        if (ccfg->cur_stage.rate_factor > 0 && rv == APR_SUCCESS
-+        if (ccfg->cur_stage.rate_factor && rv == APR_SUCCESS
-                 && mode != AP_MODE_SPECULATIVE) {
-             extend_timeout(ccfg, bb);
-         }
-@@ -638,17 +638,17 @@
-     ap_hook_post_read_request(reqtimeout_before_body, NULL, NULL,
-                               APR_HOOK_MIDDLE);
- 
--#if MRT_DEFAULT_HANDSHAKE_MIN_RATE > 0
-+#if MRT_DEFAULT_handshake_MIN_RATE
-     default_handshake_rate_factor = apr_time_from_sec(1) /
--                                    MRT_DEFAULT_HANDSHAKE_MIN_RATE;
-+                                    MRT_DEFAULT_handshake_MIN_RATE;
- #endif
--#if MRT_DEFAULT_HEADER_MIN_RATE > 0
-+#if MRT_DEFAULT_header_MIN_RATE
-     default_header_rate_factor = apr_time_from_sec(1) /
--                                 MRT_DEFAULT_HEADER_MIN_RATE;
-+                                 MRT_DEFAULT_header_MIN_RATE;
- #endif
--#if MRT_DEFAULT_BODY_MIN_RATE > 0
-+#if MRT_DEFAULT_body_MIN_RATE
-     default_body_rate_factor = apr_time_from_sec(1) /
--                               MRT_DEFAULT_BODY_MIN_RATE;
-+                               MRT_DEFAULT_body_MIN_RATE;
- #endif
- }
- 
diff --git a/httpd-2.4.37-r1861793+.patch b/httpd-2.4.37-r1861793+.patch
index c522c7c..22886e2 100644
--- a/httpd-2.4.37-r1861793+.patch
+++ b/httpd-2.4.37-r1861793+.patch
@@ -46,7 +46,7 @@ http://svn.apache.org/viewvc?view=revision&revision=1862612
 +        " -5  Force SHA-512 crypt() hash of the password (very secure)." NL
 +        " -B  Force bcrypt aencryption of the password (very secure)." NL
          " -C  Set the computing time used for the bcrypt algorithm" NL
-         "     (higher is more secure but slower, default: %d, valid: 4 to 31)." NL
+         "     (higher is more secure but slower, default: %d, valid: 4 to 17)." NL
 +        " -r  Set the number of rounds used for the SHA-256, SHA-512 algorithms" NL
 +        "     (higher is more secure but slower, default: 5000)." NL
          " -d  Force CRYPT encryption of the password (8 chars max, insecure)." NL
@@ -237,7 +237,7 @@ http://svn.apache.org/viewvc?view=revision&revision=1862612
  .TP
 @@ -79,11 +85,14 @@
  \fB-C\fR
- This flag is only allowed in combination with \fB-B\fR (bcrypt encryption)\&. It sets the computing time used for the bcrypt algorithm (higher is more secure but slower, default: 5, valid: 4 to 31)\&.  
+ This flag is only allowed in combination with \fB-B\fR (bcrypt encryption)\&. It sets the computing time used for the bcrypt algorithm (higher is more secure but slower, default: 5, valid: 4 to 17)\&.  
  .TP
 +\fB-r\fR
 +This flag is only allowed in combination with \fB-2\fR or \fB-5\fR\&. It sets the number of hash rounds used for the SHA-2 algorithms (higher is more secure but slower; the default is 5,000)\&.  
diff --git a/httpd-2.4.39-r1842929+.patch b/httpd-2.4.39-r1842929+.patch
index 9fea432..0bf7292 100644
--- a/httpd-2.4.39-r1842929+.patch
+++ b/httpd-2.4.39-r1842929+.patch
@@ -118,41 +118,6 @@ http://svn.apache.org/viewvc?view=revision&revision=1853631
      dav_hook_gather_propsets(dav_fs_gather_propsets, NULL, NULL,
                               APR_HOOK_MIDDLE);
      dav_hook_find_liveprop(dav_fs_find_liveprop, NULL, NULL, APR_HOOK_MIDDLE);
---- httpd-2.4.39/modules/md/mod_md_config.c.r1842929+
-+++ httpd-2.4.39/modules/md/mod_md_config.c
-@@ -54,10 +54,18 @@
- 
- #define DEF_VAL     (-1)
- 
-+#ifndef MD_DEFAULT_BASE_DIR
-+#define MD_DEFAULT_BASE_DIR "md"
-+#endif
-+
- /* Default settings for the global conf */
- static md_mod_conf_t defmc = {
-     NULL,
--    "md",
-+#if 1
-+    NULL, /* apply default state-dir-relative */
-+#else
-+    MD_DEFAULT_BASE_DIR,
-+#endif
-     NULL,
-     NULL,
-     80,
-@@ -864,6 +872,12 @@
-     if (mc->hsts_max_age > 0) {
-         mc->hsts_header = apr_psprintf(p, "max-age=%d", mc->hsts_max_age);
-     }
-+
-+#if 1
-+    if (mc->base_dir == NULL) {
-+        mc->base_dir = ap_state_dir_relative(p, MD_DEFAULT_BASE_DIR);
-+    }
-+#endif
-     
-     return APR_SUCCESS;
- }
 --- httpd-2.4.39/server/core.c.r1842929+
 +++ httpd-2.4.39/server/core.c
 @@ -129,6 +129,8 @@
diff --git a/httpd.spec b/httpd.spec
index 69c630c..ed18bf1 100644
--- a/httpd.spec
+++ b/httpd.spec
@@ -12,8 +12,8 @@
 
 Summary: Apache HTTP Server
 Name: httpd
-Version: 2.4.39
-Release: 13%{?dist}
+Version: 2.4.41
+Release: 1%{?dist}
 URL: https://httpd.apache.org/
 Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
 Source1: index.html
@@ -83,8 +83,6 @@ Patch42: httpd-2.4.37-r1828172+.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=1397243
 Patch58: httpd-2.4.34-r1738878.patch
 Patch60: httpd-2.4.34-enable-sslv3.patch
-# https://bz.apache.org/bugzilla/show_bug.cgi?id=63325
-Patch61: httpd-2.4.37-r1857129.patch
 
 # Security fixes
 
@@ -223,7 +221,6 @@ interface for storing and accessing per-user session data.
 
 %patch58 -p1 -b .r1738878
 %patch60 -p1 -b .enable-sslv3
-%patch61 -p1 -b .r1857129
 
 # Patch in the vendor string
 sed -i '/^#define PLATFORM/s/Unix/%{vstring}/' os/unix/os.h
@@ -744,6 +741,9 @@ exit $rv
 %{_rpmconfigdir}/macros.d/macros.httpd
 
 %changelog
+* Thu Aug 15 2019 Joe Orton <jorton@redhat.com> - 2.4.41-1
+- update to 2.4.41
+
 * Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.39-13
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
 
diff --git a/sources b/sources
index 248974a..c6aa939 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (httpd-2.4.39.tar.bz2) = 9742202040b3dc6344b301540f54b2d3f8e36898410d24206a7f8dcecb1bea7d7230fabc7256752724558af249facf64bffe2cf678b8f7cccb64076737abfda7
+SHA512 (httpd-2.4.41.tar.bz2) = 350cc7dcd2c439e0590338fa6da3f44df44f9bb885c381e91f91b14c2f48597f6f0bbac0ea118a8a67eaa70ae7edbb769beace368643ed73f6daee44c307b335