diff --git a/README b/README
index 51f87415143..f45c2ff9e06 100644
--- a/README
+++ b/README
@@ -23,7 +23,7 @@
 
   XRootD requires at minimum following packages (RHEL distro):
 
-  * gcc-c++, cmake(3), krb5-devel, libuuid-devel, libxml2-devel, openssl-devel, systemd-devel, zlib-devel
+  * gcc-c++ cmake(3) krb5-devel libuuid-devel libxml2-devel openssl-devel systemd-devel zlib-devel
   * devtoolset-7 (only RHEL7)
 
 2.1 Build system
diff --git a/docs/ReleaseNotes.txt b/docs/ReleaseNotes.txt
index f143ffb3786..7bb72bcbe78 100644
--- a/docs/ReleaseNotes.txt
+++ b/docs/ReleaseNotes.txt
@@ -11,9 +11,13 @@ Version 5.5.2
 
 + **Major bug fixes**
   **[Python]** Avoid crash during prepare call
+  **[TLS]** XrdTlsContext: Recreate session cache in the Clone() method.
   **[XrdCl]** Be sure to only read the header of kXR_status messages at first
   **[XrdCl]** Ensure URL::GetChannelId returns an Id which can be parsed again as a url
+  **[XrdCl]** Fix regression in ZIP CD parsing.
   **[XrdHttpTPC]** Fixes the HTTP TPC PULL transfer issue when authentication is necessary to perform a transfer
+  **[XrdHttpTPC]** Fix file size request failure due to missing configuration of the server CA before calling the HEAD request
+  **[XrdOuc]** Fix checksum verification in XrdOucPgrwUtils::csVer
 
 + **Minor bug fixes**
   **[Server]** Fix a short writev recovery case
@@ -21,14 +25,19 @@ Version 5.5.2
   **[Server]** Make sure Mkdir returns a negative code for an EEXIST error
   **[XrdApps]** Fix small memory leak when checksum fails
   **[XrdClHttp]** Link against XrdUtils for XrdOucCRC::Calc32C symbol
+  **[XrdSecgsi]** Avoid nullptr dereference in XrdSecProtocolgsi::ClientDoInit
+  **[XrdVoms]** Fix handling of VOMS attributes when role is empty
 
 + **Miscellaneous**
   **[Apps]** Cleanup xrdcp help information.
   **[CMake]** Use upstream FindOpenSSL.cmake
   **[CMake]** Make switches for server-only options dependent on XRCL_ONLY=FALSE
   **[Macaroons]** Implement XrdSciTokensHelper interface for macaroons
+  **[Pss]** Convert leftover print statement to debug action
   **[Python]** Use setuptools over setuptools._distutils.core
   **[XrdCl]** xrdcp: extended # of parallel copy jobs to 128.
+  **[XrdOssCsi]** Fix build failure with GCC 13
+  **[XrdPosix]** Fix build failure due to possible large memory allocation
 
 -------------
 Version 5.5.1
diff --git a/src/XrdCl/XrdClClassicCopyJob.cc b/src/XrdCl/XrdClClassicCopyJob.cc
index 6e96a0cee50..236884bba1c 100644
--- a/src/XrdCl/XrdClClassicCopyJob.cc
+++ b/src/XrdCl/XrdClClassicCopyJob.cc
@@ -1798,9 +1798,13 @@ namespace
         {
           std::string targeturl;
           pFile->GetProperty( "LastURL", targeturl );
+          targeturl = URL( targeturl ).GetLocation();
           if( symlink( targeturl.c_str(), cptarget.c_str() ) == -1 )
             log->Warning( UtilityMsg, "Could not create cp-target symlink: %s",
                           XrdSysE2T( errno ) );
+          else
+            log->Info( UtilityMsg, "Created cp-target symlink: %s -> %s",
+                       cptarget.c_str(), targeturl.c_str() );
         }
 
         StatInfo *info = 0;
diff --git a/src/XrdCl/XrdClZipArchive.cc b/src/XrdCl/XrdClZipArchive.cc
index fd82f6a0c19..cba1e464d2f 100644
--- a/src/XrdCl/XrdClZipArchive.cc
+++ b/src/XrdCl/XrdClZipArchive.cc
@@ -438,14 +438,15 @@ namespace XrdCl
                                         else
                                           std::tie( cdvec, cdmap ) = CDFH::Parse( buff, eocd->cdSize, eocd->nbCdRec );
                                         log->Dump( ZipMsg, "[0x%x] CD records parsed.", this );
-										uint64_t sumCompSize = 0;
-										for (auto it = cdvec.begin(); it != cdvec.end(); it++) {
-											sumCompSize += (*it)->compressedSize;
-											if ((*it)->offset > archsize || (*it)->offset + (*it)->compressedSize > archsize)
-												throw bad_data();
-										}
-										if (sumCompSize > archsize)
-											throw bad_data();
+                                        uint64_t sumCompSize = 0;
+                                        for (auto it = cdvec.begin(); it != cdvec.end(); it++)
+                                        {
+                                          sumCompSize += (*it)->IsZIP64() ? (*it)->extra->compressedSize : (*it)->compressedSize;
+                                          if ((*it)->offset > archsize || (*it)->offset + (*it)->compressedSize > archsize)
+                                            throw bad_data();
+                                        }
+                                        if (sumCompSize > archsize)
+                                          throw bad_data();
                                       }
                                       catch( const bad_data &ex )
                                       {
diff --git a/src/XrdMacaroons/XrdMacaroonsAuthz.cc b/src/XrdMacaroons/XrdMacaroonsAuthz.cc
index 2494e6750ff..6c47d476931 100644
--- a/src/XrdMacaroons/XrdMacaroonsAuthz.cc
+++ b/src/XrdMacaroons/XrdMacaroonsAuthz.cc
@@ -261,7 +261,7 @@ Authz::Access(const XrdSecEntity *Entity, const char *path,
     if (Entity && check_helper.GetSecName().size()) {
         const std::string &username = check_helper.GetSecName();
         m_log.Log(LogMask::Debug, "Access", "Setting the request name to", username.c_str());
-        Entity->eaAPI->Add("request.name", username);
+        Entity->eaAPI->Add("request.name", username,true);
     }
 
     // We passed verification - give the correct privilege.
diff --git a/src/XrdOssCsi/XrdOssCsiPages.hh b/src/XrdOssCsi/XrdOssCsiPages.hh
index 852a3add6f9..cd1c1b4a392 100644
--- a/src/XrdOssCsi/XrdOssCsiPages.hh
+++ b/src/XrdOssCsi/XrdOssCsiPages.hh
@@ -38,6 +38,7 @@
 #include "XrdOssCsiRanges.hh"
 #include <memory>
 #include <mutex>
+#include <string>
 #include <utility>
 #include <cinttypes>
 #include <cstdio>
diff --git a/src/XrdOuc/XrdOucPgrwUtils.cc b/src/XrdOuc/XrdOucPgrwUtils.cc
index 8ca4d2ade5c..a1bdcee0d28 100644
--- a/src/XrdOuc/XrdOucPgrwUtils.cc
+++ b/src/XrdOuc/XrdOucPgrwUtils.cc
@@ -203,9 +203,11 @@ bool XrdOucPgrwUtils::csVer(dataInfo &dInfo, off_t &bado, int &badc)
        if (pgNum >= 0)
           {bado = dInfo.offs + (pgPageSize * pgNum);
            int xlen = (bado - dInfo.offs);
+           dInfo.data  += xlen;
            dInfo.offs  += xlen;
            dInfo.count -= xlen;
            badc = (dInfo.count <= pgPageSize ? dInfo.count : pgPageSize);
+           dInfo.data  += badc;
            dInfo.offs  += badc;
            dInfo.count -= badc;
            dInfo.csval += (pgNum+1);
diff --git a/src/XrdPosix/XrdPosixAdmin.cc b/src/XrdPosix/XrdPosixAdmin.cc
index 2cad5517ee5..eb8ccdecd9e 100644
--- a/src/XrdPosix/XrdPosixAdmin.cc
+++ b/src/XrdPosix/XrdPosixAdmin.cc
@@ -29,6 +29,7 @@
 /******************************************************************************/
 
 #include <cerrno>
+#include <limits>
 #include <unistd.h>
 #include <sys/stat.h>
 #include <sys/types.h>
@@ -66,6 +67,8 @@ XrdCl::URL *XrdPosixAdmin::FanOut(int &num)
 // Allocate an array large enough to hold this information
 //
    if (!(i = info->GetSize())) {delete info; return 0;}
+   if (i > std::numeric_limits<ptrdiff_t>::max() / sizeof(XrdCl::URL))
+      {delete info; return 0;}
    uVec = new XrdCl::URL[i];
 
 // Now start filling out the array
diff --git a/src/XrdPss/XrdPss.cc b/src/XrdPss/XrdPss.cc
index ec30e565a01..b9e55b567f3 100644
--- a/src/XrdPss/XrdPss.cc
+++ b/src/XrdPss/XrdPss.cc
@@ -1111,6 +1111,8 @@ ssize_t XrdPssFile::Write(const void *buff, off_t offset, size_t blen)
 
 int XrdPssFile::Fstat(struct stat *buff)
 {
+   EPNAME("fstat");
+
 // If we have a file descriptor then return a stat for it
 //
    if (fd >= 0) return (XrdPosixXrootd::Fstat(fd, buff) ? -errno : XrdOssOK);
@@ -1148,8 +1150,7 @@ int XrdPssFile::Fstat(struct stat *buff)
             if (rpInfo->dstURL) free(rpInfo->dstURL);
             rpInfo->dstURL = strdup(lnkbuff);
             rpInfo->fSize = 1;
-std::cerr<<"Pss_fstat: "<<tident<<" "<<rpInfo->tprPath<<" maps "
-         <<tpcPath<<" -> "<<lnkbuff<<"\n"<<std::flush;
+            DEBUG(tident,rpInfo->tprPath<<" maps "<<tpcPath<<" -> "<<lnkbuff);
           }
       }
 
diff --git a/src/XrdSciTokens/README.md b/src/XrdSciTokens/README.md
index baca00d2c95..87d4948ac51 100644
--- a/src/XrdSciTokens/README.md
+++ b/src/XrdSciTokens/README.md
@@ -55,6 +55,20 @@ default_user = osg
 name_mapfile = /path/to/mapfile
 ```
 
+Duplicate section and settings names (not values) will take the value of the last entry in the file.  For example:
+
+```
+[Issuer https://chtc.cs.wisc.edu/icecube]
+issuer = https://chtc.cs.wisc.edu/icecube
+base_path = /icecube/path1
+
+[Issuer https://chtc.cs.wisc.edu/icecube]
+issuer = https://chtc.cs.wisc.edu/icecube
+base_path = /icecube/path2
+```
+
+Will result in a configuration with `issuer =  https://chtc.cs.wisc.edu/icecube` and `base_path = /icecube/path2`.
+
 Within the `Global` section, the available attributes are:
 
    - `audience` (optional): A comma separated list of acceptable audiences.  The tokens must have an `aud` attribute
diff --git a/src/XrdSciTokens/XrdSciTokensAccess.cc b/src/XrdSciTokens/XrdSciTokensAccess.cc
index 93a72fe2460..22699bd67d3 100644
--- a/src/XrdSciTokens/XrdSciTokensAccess.cc
+++ b/src/XrdSciTokens/XrdSciTokensAccess.cc
@@ -286,6 +286,41 @@ struct IssuerConfig
 
 }
 
+class OverrideINIReader: public INIReader {
+public:
+    OverrideINIReader() {};
+    inline OverrideINIReader(std::string filename) {
+        _error = ini_parse(filename.c_str(), ValueHandler, this);
+    }
+    inline OverrideINIReader(FILE *file) {
+        _error = ini_parse_file(file, ValueHandler, this);
+    }
+protected:
+    /**
+    * Override the ValueHandler function in order override previous values
+    * For example:
+    * [Issuer https://chtc.cs.wisc.edu/icecube]
+    * issuer = https://chtc.cs.wisc.edu/icecube
+    * base_path = /icecube/path1
+
+    * [Issuer https://chtc.cs.wisc.edu/icecube]
+    * issuer = https://chtc.cs.wisc.edu/icecube
+    * base_path = /icecube/path2
+    * 
+    * Will result in a configuration with base_path set to /icecube/path2
+    */
+    inline static int ValueHandler(void* user, const char* section, const char* name,
+                            const char* value) {
+        OverrideINIReader* reader = (OverrideINIReader*)user;
+        std::string key = MakeKey(section, name);
+
+        // Overwrite existing values, if they exist
+        reader->_values[key] = value;
+        reader->_sections.insert(section);
+        return 1;
+    }
+
+};
 
 class XrdAccRules
 {
@@ -1009,7 +1044,7 @@ class XrdAccSciTokens : public XrdAccAuthorize, public XrdSciTokensHelper
         }
         m_log.Log(LogMask::Info, "Reconfig", "Parsing configuration file:", m_cfg_file.c_str());
 
-        INIReader reader(m_cfg_file);
+        OverrideINIReader reader(m_cfg_file);
         if (reader.ParseError() < 0) {
             std::stringstream ss;
             ss << "Error opening config file (" << m_cfg_file << "): " << strerror(errno);
diff --git a/src/XrdSecgsi/XrdSecProtocolgsi.cc b/src/XrdSecgsi/XrdSecProtocolgsi.cc
index c7bcb1d7e98..be97b5e2bf8 100644
--- a/src/XrdSecgsi/XrdSecProtocolgsi.cc
+++ b/src/XrdSecgsi/XrdSecProtocolgsi.cc
@@ -3080,10 +3080,17 @@ int XrdSecProtocolgsi::ClientDoInit(XrdSutBuffer *br, XrdSutBuffer **bm,
       hs->Chain = 0;
       return -1;
    }
+
+   if (!po.cbck) {
+     emsg = "failed to initialize user proxies";
+     hs->Chain = 0;
+     return -1;
+   }
+
    // Save the result
    hs->PxyChain = po.chain;
    hs->Cbck = new XrdSutBucket(*((XrdSutBucket *)(po.cbck)));
-   if (!(sessionKsig = sessionCF->RSA(*(po.ksig)))) {
+   if (!po.ksig || !(sessionKsig = sessionCF->RSA(*(po.ksig)))) {
       emsg = "could not get a copy of the signing key:";
       hs->Chain = 0;
       return -1;
diff --git a/src/XrdTls/XrdTlsContext.cc b/src/XrdTls/XrdTlsContext.cc
index 2dfd12b06d2..d31ae3d6709 100644
--- a/src/XrdTls/XrdTlsContext.cc
+++ b/src/XrdTls/XrdTlsContext.cc
@@ -72,6 +72,8 @@ struct XrdTlsContextImpl
     bool                          crlRunning;
     bool                          flsRunning;
     time_t                        lastCertModTime = 0;
+    int                           sessionCacheOpts = -1;
+    std::string                   sessionCacheId;
 };
   
 /******************************************************************************/
@@ -779,7 +781,13 @@ XrdTlsContext *XrdTlsContext::Clone(bool full,bool startCRLRefresh)
 
 // Verify that the context was built
 //
-   if (xtc->isOK()) return xtc;
+   if (xtc->isOK()) {
+       if(pImpl->sessionCacheOpts != -1){
+           //A SessionCache() call was done for the current context, so apply it for this new cloned context
+           xtc->SessionCache(pImpl->sessionCacheOpts,pImpl->sessionCacheId.c_str(),pImpl->sessionCacheId.size());
+       }
+       return xtc;
+   }
 
 // We failed, cleanup.
 //
@@ -940,6 +948,9 @@ int XrdTlsContext::SessionCache(int opts, const char *id, int idlen)
    long sslopt = 0;
    int flushT = opts & scFMax;
 
+   pImpl->sessionCacheOpts = opts;
+   pImpl->sessionCacheId = id;
+
 // If initialization failed there is nothing to do
 //
    if (pImpl->ctx == 0) return 0;
diff --git a/src/XrdTpc/XrdTpcTPC.cc b/src/XrdTpc/XrdTpcTPC.cc
index dd32cc65104..6d327806bcd 100644
--- a/src/XrdTpc/XrdTpcTPC.cc
+++ b/src/XrdTpc/XrdTpcTPC.cc
@@ -965,18 +965,18 @@ int TPCHandler::ProcessPullReq(const std::string &resource, XrdHttpExtReq &req)
         }
     }
     rec.streams = streams;
-    bool hasSetOpaque;
+    bool hasSetOpaque = false;
     std::string full_url = prepareURL(req, hasSetOpaque);
     std::string authz = GetAuthz(req);
     curl_easy_setopt(curl, CURLOPT_URL, resource.c_str());
+    ConfigureCurlCA(curl);
 #ifdef XRD_CHUNK_RESP
     {
         //Get the content-length of the source file and pass it to the OSS layer
         //during the open
         uint64_t sourceFileContentLength = 0;
         bool success;
-        TPCLogRecord getContentLengthRec;
-        GetContentLengthTPCPull(curl, req, sourceFileContentLength, success, getContentLengthRec);
+        GetContentLengthTPCPull(curl, req, sourceFileContentLength, success, rec);
         if(success) {
             //In the case we cannot get the information from the source server (offline or other error)
             //we just don't add the size information to the opaque of the local file to open
@@ -1004,7 +1004,6 @@ int TPCHandler::ProcessPullReq(const std::string &resource, XrdHttpExtReq &req)
         fh->close();
         return resp_result;
     }
-    ConfigureCurlCA(curl);
     Stream stream(std::move(fh), streams * m_pipelining_multiplier, streams > 1 ? m_block_size : m_small_block_size, m_log);
     State state(0, stream, curl, false);
     state.CopyHeaders(req);
diff --git a/src/XrdVoms/XrdVomsMapfile.cc b/src/XrdVoms/XrdVomsMapfile.cc
index 824edd94a49..8ffbe921875 100644
--- a/src/XrdVoms/XrdVomsMapfile.cc
+++ b/src/XrdVoms/XrdVomsMapfile.cc
@@ -269,11 +269,11 @@ XrdVomsMapfile::Apply(XrdSecEntity &entity)
 
     int from_vorg = 0, from_role = 0, from_grps = 0;
     XrdOucString vorg = entity.vorg, entry_vorg;
-    XrdOucString role = entity.role, entry_role;
+    XrdOucString role = entity.role ? entity.role : "", entry_role = "NULL";
     XrdOucString grps = entity.grps, entry_grps;
     if (m_edest) m_edest->Log(LogMask::Debug, "VOMSMapfile", "Applying VOMS mapfile to incoming credential");
     while (((from_vorg = vorg.tokenize(entry_vorg, from_vorg, ' ')) != -1) &&
-           ((from_role = role.tokenize(entry_role, from_role, ' ')) != -1) &&
+           ((role == "") || (from_role = role.tokenize(entry_role, from_role, ' ')) != -1) &&
            ((from_grps = grps.tokenize(entry_grps, from_grps, ' ')) != -1))
     {
         auto fqan = MakePath(entry_grps);