diff --git a/SOURCES/buildah-CVE-2019-10214.patch b/SOURCES/buildah-CVE-2019-10214.patch
new file mode 100644
index 0000000..45fb640
--- /dev/null
+++ b/SOURCES/buildah-CVE-2019-10214.patch
@@ -0,0 +1,16 @@
+diff -up ./buildah-e94b4f98048e7371685731b97eefd6265e2f1fb3/vendor/github.com/containers/image/docker/docker_client.go.CVE-2019-10214 ./buildah-e94b4f98048e7371685731b97eefd6265e2f1fb3/vendor/github.com/containers/image/docker/docker_client.go
+--- buildah-e94b4f98048e7371685731b97eefd6265e2f1fb3/vendor/github.com/containers/image/docker/docker_client.go.CVE-2019-10214	2019-09-12 16:00:45.509807991 +0200
++++ buildah-e94b4f98048e7371685731b97eefd6265e2f1fb3/vendor/github.com/containers/image/docker/docker_client.go	2019-09-12 16:00:45.510808003 +0200
+@@ -480,11 +480,7 @@ func (c *dockerClient) getBearerToken(ct
+ 		authReq.SetBasicAuth(c.username, c.password)
+ 	}
+ 	logrus.Debugf("%s %s", authReq.Method, authReq.URL.String())
+-	tr := tlsclientconfig.NewTransport()
+-	// TODO(runcom): insecure for now to contact the external token service
+-	tr.TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
+-	client := &http.Client{Transport: tr}
+-	res, err := client.Do(authReq)
++	res, err := c.client.Do(authReq)
+ 	if err != nil {
+ 		return nil, err
+ 	}
diff --git a/SPECS/buildah.spec b/SPECS/buildah.spec
index a0fd7c0..e6bfd67 100644
--- a/SPECS/buildah.spec
+++ b/SPECS/buildah.spec
@@ -25,11 +25,12 @@ go build -buildmode pie -compiler gc -tags="rpm_crashtraceback no_openssl ${BUIL
 
 Name:           %{repo}
 Version:        1.5
-Release:        3.git%{shortcommit}%{?dist}
+Release:        5.git%{shortcommit}%{?dist}
 Summary:        A command line tool used for creating OCI Images
 License:        ASL 2.0
 URL:            https://%{provider_prefix}
 Source0:        https://%{provider_prefix}/archive/%{commit}/%{repo}-%{shortcommit}.tar.gz
+Patch0: buildah-CVE-2019-10214.patch
 ExclusiveArch:  x86_64 %{arm} aarch64 ppc64le s390x
 # If go_compiler is not set to 1, there is no virtual provide. Use golang instead.
 BuildRequires:  %{?go_compiler:compiler(go-compiler)}%{!?go_compiler:golang}
@@ -59,6 +60,7 @@ or
 %prep
 %autosetup -Sgit -n %{name}-%{commit}
 
+
 %build
 mkdir _build
 pushd _build
@@ -90,6 +92,12 @@ make DESTDIR=%{buildroot} PREFIX=%{_prefix} install install.completions
 %{_datadir}/bash-completion/completions/%{name}
 
 %changelog
+* Tue Sep 17 2019 Jindrich Novy <jnovy@redhat.com> - 1.5-5.gite94b4f9
+- Use autosetup macro again.
+
+* Thu Sep 12 2019 Jindrich Novy <jnovy@redhat.com> - 1.5-4.gite94b4f9
+- Fix CVE-2019-10214 (#1734660).
+
 * Tue Dec 18 2018 Frantisek Kluknavsky <fkluknav@redhat.com> - 1.5-3.gite94b4f9
 - re-enable debuginfo