diff --git a/SOURCES/0001-Fix-off-by-one-in-hdrblobGet-making-last-entry-unrea.patch b/SOURCES/0001-Fix-off-by-one-in-hdrblobGet-making-last-entry-unrea.patch
new file mode 100644
index 0000000..14d4b1e
--- /dev/null
+++ b/SOURCES/0001-Fix-off-by-one-in-hdrblobGet-making-last-entry-unrea.patch
@@ -0,0 +1,37 @@
+From e219c9548d16a3c18dd261f7043bb8d221b87c77 Mon Sep 17 00:00:00 2001
+From: Panu Matilainen <pmatilai@redhat.com>
+Date: Wed, 31 Jul 2019 11:56:26 +0300
+Subject: [PATCH] Fix off-by-one in hdrblobGet() making last entry unreachable
+ (RhBug:1722921)
+
+hdrblobGet() introduced in commits acfde0d0e812e9f8e153ab6be8c9f2682bdd4763
+and 9821de18811db97238c34a564221e315f5f35b44 has an off-by-one thinko
+(perhaps the idea was to skip the first, region tag) which causes
+the last entry to be unreachable. In typical packages, that is
+RPMSIG_PAYLOADSIZE which is not used at all in this context so it doesn't
+matter, but in large packages use RPMSIG_LONGARCHIVESIZE which has a lower
+tag number and leaves either RPMSIGTAG_MD5 or RPMSIGTAG_GPG last,
+unreachable and thus unverifiable. Oops.
+
+This fixes the regression introduced in rpm 4.14, affecting verification
+of large packages (ie having RPMSIG_LONGARCHIVESIZE)
+---
+ lib/header.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/header.c b/lib/header.c
+index 33623884a..9ec7ed0e4 100644
+--- a/lib/header.c
++++ b/lib/header.c
+@@ -2015,7 +2015,7 @@ rpmRC hdrblobGet(hdrblob blob, uint32_t tag, rpmtd td)
+     memset(&einfo, 0, sizeof(einfo));
+     rpmtdReset(td);
+ 
+-    for (int i = 1; i < blob->il; i++, pe++) {
++    for (int i = 0; i < blob->il; i++, pe++) {
+ 	if (pe->tag != ntag)
+ 	    continue;
+ 	ei2h(pe, &einfo);
+-- 
+2.21.0
+
diff --git a/SPECS/rpm.spec b/SPECS/rpm.spec
index 6957894..d5455fe 100644
--- a/SPECS/rpm.spec
+++ b/SPECS/rpm.spec
@@ -30,7 +30,7 @@
 
 %global rpmver 4.14.2
 #global snapver rc2
-%global rel 10
+%global rel 11
 
 %global srcver %{version}%{?snapver:-%{snapver}}
 %global srcdir %{?snapver:testing}%{!?snapver:%{name}-%(echo %{version} | cut -d'.' -f1-2).x}
@@ -78,6 +78,7 @@ Patch102: 0001-Document-noverify-in-the-man-page-RhBug-1646458.patch
 Patch103: 0001-Handle-unsupported-digests-the-same-as-disabled-ones.patch
 Patch104: 0001-Mark-elements-with-associated-problems-as-failed.patch
 Patch105: 0001-Fix-packages-getting-erased-on-failed-update-with-dn.patch
+Patch106: 0001-Fix-off-by-one-in-hdrblobGet-making-last-entry-unrea.patch
 
 # These are not yet upstream
 # Audit support
@@ -617,6 +618,9 @@ make check || cat tests/rpmtests.log
 %doc doc/librpm/html/*
 
 %changelog
+* Fri Aug 16 2019 Panu Matilainen <pmatilai@redhat.com> - 4.14.2-11
+- Fix off-by-one in hdrblobGet() breaking large package verification (#1736821)
+
 * Wed Jun 12 2019 Panu Matilainen <pmatilai@redhat.com> - 4.14.2-10
 - Fix packages getting removed on failed update via dnf (#1718236)