diff --git a/SOURCES/bind99-CVE-2015-1349.patch b/SOURCES/bind99-CVE-2015-1349.patch
new file mode 100644
index 0000000..e484587
--- /dev/null
+++ b/SOURCES/bind99-CVE-2015-1349.patch
@@ -0,0 +1,25 @@
+diff -up bind-9.9.4/lib/dns/zone.c.CVE-2015-1349 bind-9.9.4/lib/dns/zone.c
+--- bind-9.9.4/lib/dns/zone.c.CVE-2015-1349 2015-03-02 11:18:36.138872044 +0100
++++ bind-9.9.4/lib/dns/zone.c 2015-03-02 11:20:15.941032102 +0100
+@@ -8456,6 +8456,12 @@ keyfetch_done(isc_task_t *task, isc_even
+ namebuf, tag);
+ trustkey = ISC_TRUE;
+ }
++ } else {
++ /*
++ * No previously known key, and the key is not
++ * secure, so skip it.
++ */
++ continue;
+ }
+
+ /* Delete old version */
+@@ -8504,7 +8510,7 @@ keyfetch_done(isc_task_t *task, isc_even
+ trust_key(zone, keyname, &dnskey, mctx);
+ }
+
+- if (!deletekey)
++ if (secure && !deletekey)
+ set_refreshkeytimer(zone, &keydata, now);
+ }
+
diff --git a/SPECS/bind.spec b/SPECS/bind.spec
index 1f0f345..62c42f0 100644
--- a/SPECS/bind.spec
+++ b/SPECS/bind.spec
@@ -29,7 +29,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv
Name: bind
License: ISC
Version: 9.9.4
-Release: 18%{?PATCHVER}%{?PREVER}%{?dist}
+Release: 18%{?PATCHVER}%{?PREVER}%{?dist}.1
Epoch: 32
Url: http://www.isc.org/products/BIND/
Buildroot:%{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -97,6 +97,7 @@ Patch144:bind99-rh1067424.patch
Patch145:bind99-rh1072379.patch
Patch146:bind99-rh1098959.patch
Patch147:bind99-CVE-2014-8500.patch
+Patch148:bind99-CVE-2015-1349.patch
# SDB patches
Patch11: bind-9.3.2b2-sdbsrc.patch
@@ -323,6 +324,7 @@ popd
%patch145 -p1 -b .rh1072379
%patch146 -p1 -b .rh1098959
%patch147 -p1 -b .CVE-2014-8500
+%patch148 -p1 -b .CVE-2015-1349
%if %{SDB}
%patch101 -p1 -b .old-api
@@ -942,6 +944,9 @@ rm -rf ${RPM_BUILD_ROOT}
%endif
%changelog
+* Mon Mar 02 2015 Tomas Hozza <thozza@redhat.com> - 32:9.9.4-18.1
+- Fix CVE-2015-1349
+
* Wed Dec 10 2014 Tomas Hozza <thozza@redhat.com> - 32:9.9.4-18
- Fix CVE-2014-8500 (#1171976)