diff --git a/SOURCES/gnutls-3.6.12-dtls-random.patch b/SOURCES/gnutls-3.6.12-dtls-random.patch
new file mode 100644
index 0000000..b308af7
--- /dev/null
+++ b/SOURCES/gnutls-3.6.12-dtls-random.patch
@@ -0,0 +1,29 @@
+From c01011c2d8533dbbbe754e49e256c109cb848d0d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Stefan=20B=C3=BChler?= <stbuehler@web.de>
+Date: Fri, 27 Mar 2020 17:17:57 +0100
+Subject: [PATCH] dtls client hello: fix zeroed random (fixes #960)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This broke with bcf4de03 "handshake: treat reply to HRR as a reply to
+hello verify request", which failed to "De Morgan" properly.
+
+Signed-off-by: Stefan Bühler <stbuehler@web.de>
+---
+ lib/handshake.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: gnutls-3.6.8/lib/handshake.c
+===================================================================
+--- gnutls-3.6.8.orig/lib/handshake.c
++++ gnutls-3.6.8/lib/handshake.c
+@@ -2164,7 +2164,7 @@ static int send_client_hello(gnutls_sess
+ 		/* Generate random data 
+ 		 */
+ 		if (!(session->internals.hsk_flags & HSK_HRR_RECEIVED) &&
+-		    !(IS_DTLS(session) && session->internals.dtls.hsk_hello_verify_requests == 0)) {
++		    !(IS_DTLS(session) && session->internals.dtls.hsk_hello_verify_requests != 0)) {
+ 			ret = _gnutls_gen_client_random(session);
+ 			if (ret < 0) {
+ 				gnutls_assert();
diff --git a/SPECS/gnutls.spec b/SPECS/gnutls.spec
index 007d302..ea01f2b 100644
--- a/SPECS/gnutls.spec
+++ b/SPECS/gnutls.spec
@@ -1,5 +1,5 @@
 Version:	3.6.8
-Release: 9%{?dist}
+Release: 10%{?dist}
 Patch1:	gnutls-3.2.7-rpath.patch
 Patch2:	gnutls-3.6.4-no-now-guile.patch
 Patch3:	gnutls-3.6.5-fix-fips-signature-post.patch
@@ -14,6 +14,7 @@ Patch11: gnutls-3.6.8-fips-rsa-random-selftests.patch
 Patch12: gnutls-3.6.8-decr-len.patch
 Patch13: gnutls-3.6.8-fix-aead-cipher-encryptv2.patch
 Patch14: gnutls-3.6.8-fix-cfb8-decrypt.patch
+Patch15: gnutls-3.6.12-dtls-random.patch
 %bcond_without dane
 %if 0%{?rhel}
 %bcond_with guile
@@ -297,6 +298,9 @@ fi
 %endif
 
 %changelog
+* Tue Apr 21 2020 Daiki Ueno <dueno@redhat.com> - 3.6.8-10
+- Fix CVE-2020-11501 (#1826176)
+
 * Wed Nov  6 2019 Daiki Ueno <dueno@redhat.com> - 3.6.8-9
 - Fix CFB8 decryption when repeatedly called (#1757848)
 - Fix gnutls_aead_cipher_{en,de}cryptv2 with input not multiple of block size (#1757856)