diff --git a/SOURCES/0001-Out-of-bounds-heap-read-in-service_search_attr_req-f.patch b/SOURCES/0001-Out-of-bounds-heap-read-in-service_search_attr_req-f.patch
new file mode 100644
index 0000000..cb71522
--- /dev/null
+++ b/SOURCES/0001-Out-of-bounds-heap-read-in-service_search_attr_req-f.patch
@@ -0,0 +1,55 @@
+From 6821472c7509c54c5b1ef4744af8f6eab9be4aa7 Mon Sep 17 00:00:00 2001
+From: Fedora Bluez maintainers <bluez-owner@fedoraproject.org>
+Date: Mon, 11 Sep 2017 11:19:18 -0400
+Subject: [PATCH] Out of bounds heap read in service_search_attr_req function
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+When a long response is returned to a specific search attribute request, a
+continuation state is returned to allow reception of additional fragments, via
+additional requests that contain the last continuation state sent. However, the
+incoming “cstate” that requests additional fragments isn’t validated properly,
+and thus an out-of-bounds read of the response buffer (pResponse) can be
+achieved, leading to information disclosure of the heap.
+---
+ src/sdpd-request.c | 23 ++++++++++++++---------
+ 1 file changed, 14 insertions(+), 9 deletions(-)
+
+diff --git a/src/sdpd-request.c b/src/sdpd-request.c
+index 1eefdce..ddeea7f 100644
+--- a/src/sdpd-request.c
++++ b/src/sdpd-request.c
+@@ -918,15 +918,20 @@ static int service_search_attr_req(sdp_req_t *req, sdp_buf_t *buf)
+ 		/* continuation State exists -> get from cache */
+ 		sdp_buf_t *pCache = sdp_get_cached_rsp(cstate);
+ 		if (pCache) {
+-			uint16_t sent = MIN(max, pCache->data_size - cstate->cStateValue.maxBytesSent);
+-			pResponse = pCache->data;
+-			memcpy(buf->data, pResponse + cstate->cStateValue.maxBytesSent, sent);
+-			buf->data_size += sent;
+-			cstate->cStateValue.maxBytesSent += sent;
+-			if (cstate->cStateValue.maxBytesSent == pCache->data_size)
+-				cstate_size = sdp_set_cstate_pdu(buf, NULL);
+-			else
+-				cstate_size = sdp_set_cstate_pdu(buf, cstate);
++			if (cstate->cStateValue.maxBytesSent >= pCache->data_size) {
++				status = SDP_INVALID_CSTATE;
++				SDPDBG("Got bad cstate with invalid size");
++			} else {
++				uint16_t sent = MIN(max, pCache->data_size - cstate->cStateValue.maxBytesSent);
++				pResponse = pCache->data;
++				memcpy(buf->data, pResponse + cstate->cStateValue.maxBytesSent, sent);
++				buf->data_size += sent;
++				cstate->cStateValue.maxBytesSent += sent;
++				if (cstate->cStateValue.maxBytesSent == pCache->data_size)
++					cstate_size = sdp_set_cstate_pdu(buf, NULL);
++				else
++					cstate_size = sdp_set_cstate_pdu(buf, cstate);
++			}
+ 		} else {
+ 			status = SDP_INVALID_CSTATE;
+ 			SDPDBG("Non-null continuation state, but null cache buffer");
+-- 
+2.13.5
+
diff --git a/SPECS/bluez.spec b/SPECS/bluez.spec
index 92954ba..651a5e5 100644
--- a/SPECS/bluez.spec
+++ b/SPECS/bluez.spec
@@ -1,7 +1,7 @@
 Summary: Bluetooth utilities
 Name: bluez
 Version: 5.44
-Release: 2%{?dist}
+Release: 4%{?dist}
 License: GPLv2+
 Group: Applications/System
 URL: http://www.bluez.org/
@@ -16,6 +16,7 @@ Patch3: 0001-Allow-using-obexd-without-systemd-in-the-user-sessio.patch
 Patch4: 0001-obex-Use-GLib-helper-function-to-manipulate-paths.patch
 Patch5: 0002-autopair-Don-t-handle-the-iCade.patch
 Patch7: 0004-agent-Assert-possible-infinite-loop.patch
+Patch8: 0001-Out-of-bounds-heap-read-in-service_search_attr_req-f.patch
 
 %global _hardened_build 1
 
@@ -251,6 +252,14 @@ sed -i 's/#\[Policy\]$/\[Policy\]/; s/#AutoEnable=false/AutoEnable=false/' ${RPM
 /lib/udev/rules.d/97-hid2hci.rules
 
 %changelog
+* Mon Sep 11 2017 Don Zickus <dzickus@redhat.com> 5.44-4
+- forgot to bump rev
+Resolves: #1490010
+
+* Mon Sep 11 2017 Don Zickus <dzickus@redhat.com> 5.44-3
+- sdpd heap fix
+Resolves: #1490010
+
 * Mon Mar 27 2017 David Arcari <darcari@redhat.com> 5.44-2
 - added missing updates for sources and .gitignore
 Resolves: #1434581, #1401501