diff --git a/SOURCES/freeradius-EAP-PWD-curve-handling.patch b/SOURCES/freeradius-EAP-PWD-curve-handling.patch
new file mode 100644
index 0000000..3b24a48
--- /dev/null
+++ b/SOURCES/freeradius-EAP-PWD-curve-handling.patch
@@ -0,0 +1,45 @@
+diff --git a/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c b/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
+index 7f91e4b230..848ca2055e 100644
+--- a/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
++++ b/src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c
+@@ -373,11 +373,26 @@ int process_peer_commit (pwd_session_t *session, uint8_t *in, size_t in_len, BN_
+ 	data_len = BN_num_bytes(session->order);
+ 	BN_bin2bn(ptr, data_len, session->peer_scalar);
+
++	/* validate received scalar */
++	if (BN_is_zero(session->peer_scalar) ||
++	    BN_is_one(session->peer_scalar) ||
++	    BN_cmp(session->peer_scalar, session->order) >= 0) {
++		ERROR("Peer's scalar is not within the allowed range");
++		goto finish;
++	}
++
+ 	if (!EC_POINT_set_affine_coordinates_GFp(session->group, session->peer_element, x, y, bnctx)) {
+ 		DEBUG2("pwd: unable to get coordinates of peer's element");
+ 		goto finish;
+ 	}
+
++	/* validate received element */
++	if (!EC_POINT_is_on_curve(session->group, session->peer_element, bnctx) ||
++	    EC_POINT_is_at_infinity(session->group, session->peer_element)) {
++		ERROR("Peer's element is not a point on the elliptic curve");
++		goto finish;
++	}
++
+ 	/* check to ensure peer's element is not in a small sub-group */
+ 	if (BN_cmp(cofactor, BN_value_one())) {
+ 		if (!EC_POINT_mul(session->group, point, NULL, session->peer_element, cofactor, NULL)) {
+@@ -391,6 +406,13 @@ int process_peer_commit (pwd_session_t *session, uint8_t *in, size_t in_len, BN_
+ 		}
+ 	}
+
++	/* detect reflection attacks */
++	if (BN_cmp(session->peer_scalar, session->my_scalar) == 0 ||
++	    EC_POINT_cmp(session->group, session->peer_element, session->my_element, bnctx) == 0) {
++		ERROR("Reflection attack detected");
++		goto finish;
++	}
++
+ 	/* compute the shared key, k */
+ 	if ((!EC_POINT_mul(session->group, K, NULL, session->pwe, session->peer_scalar, bnctx)) ||
+ 	    (!EC_POINT_add(session->group, K, K, session->peer_element, bnctx)) ||
diff --git a/SPECS/freeradius.spec b/SPECS/freeradius.spec
index da5e9ac..1b22f88 100644
--- a/SPECS/freeradius.spec
+++ b/SPECS/freeradius.spec
@@ -1,7 +1,7 @@
 Summary: High-performance and highly configurable free RADIUS server
 Name: freeradius
 Version: 3.0.13
-Release: 9%{?dist}
+Release: 10%{?dist}
 License: GPLv2+ and LGPLv2+
 Group: System Environment/Daemons
 URL: http://www.freeradius.org/
@@ -37,6 +37,7 @@ Patch13: freeradius-FR-GV-303-do-memchr-of-end-p-not-q-p.patch
 Patch14: freeradius-FR-GV-304-check-for-option-overflowing-the-packet.patch
 Patch15: freeradius-FR-GV-201-check-input-output-length-in-make_secret.patch
 Patch16: freeradius-Fix-double-free-in-rlm_sql-acct_redundant.patch
+Patch17: freeradius-EAP-PWD-curve-handling.patch
 
 %global docdir %{?_pkgdocdir}%{!?_pkgdocdir:%{_docdir}/%{name}-%{version}}
 
@@ -209,6 +210,7 @@ This plugin provides the unixODBC support for the FreeRADIUS server project.
 %patch14 -p1
 %patch15 -p1
 %patch16 -p1
+%patch17 -p1
 
 %build
 # Force compile/link options, extra security for network facing daemon
@@ -809,6 +811,10 @@ exit 0
 %{_libdir}/freeradius/rlm_sql_unixodbc.so
 
 %changelog
+* Thu Apr 25 2019 Alexander Scheel <ascheel@redhat.com> - 3.0.13-10
+- Fixes two EAP-PWD security issues
+  Resolves: bz#1699413 authentication bypass with an invalid curve attack
+
 * Thu Feb 22 2018 Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com> - 3.0.13-9
 - Fix double free in rlm_sql acct_redundant
   Resolves: Bug#1551069 Radius service crashes with "Bad talloc magic value -