diff --git a/SOURCES/0002-net-Fix-TLS-cert-validation-not-being-done-for-any-n.patch b/SOURCES/0002-net-Fix-TLS-cert-validation-not-being-done-for-any-n.patch
new file mode 100644
index 0000000..743d4bc
--- /dev/null
+++ b/SOURCES/0002-net-Fix-TLS-cert-validation-not-being-done-for-any-n.patch
@@ -0,0 +1,33 @@
+From cd2472e506dafb1bb8ae510e34ad4797f63e263e Mon Sep 17 00:00:00 2001
+From: Bastien Nocera
+Date: Mon, 21 Jun 2021 15:00:14 +0200
+Subject: [PATCH 2/2] net: Fix TLS cert validation not being done for any
+ network call
+
+The default SoupSessionAsync behaviour does not perform any TLS certificate
+validation, unless the ssl-use-system-ca-file property is set to true.
+
+See https://blogs.gnome.org/mcatanzaro/2021/05/25/reminder-soupsessionsync-and-soupsessionasync-default-to-no-tls-certificate-verification/
+
+This mitigates CVE-2016-20011.
+
+Closes: #146
+---
+ libs/net/grl-net-wc.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/libs/net/grl-net-wc.c b/libs/net/grl-net-wc.c
+index 5a8e89f..5ff1d17 100644
+--- a/libs/net/grl-net-wc.c
++++ b/libs/net/grl-net-wc.c
+@@ -314,6 +314,7 @@ grl_net_wc_init (GrlNetWc *wc)
+ wc->priv = grl_net_wc_get_instance_private (wc);
+
+ wc->priv->session = soup_session_async_new ();
++ g_object_set (G_OBJECT (wc->priv->session), "ssl-use-system-ca-file", TRUE, NULL);
+ wc->priv->pending = g_queue_new ();
+
+ set_thread_context (wc);
+--
+2.31.1
+
diff --git a/SPECS/grilo.spec b/SPECS/grilo.spec
index e856ca2..8346538 100644
--- a/SPECS/grilo.spec
+++ b/SPECS/grilo.spec
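Review bot: The `g_object_set` line added to `grl_net_wc_init` in the embedded grl-net-wc.c patch only enforces certificate validation while the session's `ssl-strict` property stays at its default of TRUE, and nothing on the new line records that dependency or why the property is set. A short comment above it would keep the call from being removed as redundant in a later cleanup, for example `/* SoupSessionAsync skips TLS certificate validation unless a CA database is set; see CVE-2016-20011 */`. The body of `grl_net_wc_init` and the rest of the file lie outside the hunk, so it is worth confirming that no other code path creates a Soup session or sets `ssl-strict` to FALSE. A request against a host with an untrusted certificate that is expected to fail would make a useful regression check for the backport.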
@@ -3,15 +3,18 @@ Name: grilo Version: 0.3.6 -Release: 2%{?dist} +Release: 3%{?dist} Summary: Content discovery framework License: LGPLv2+ URL: https://wiki.gnome.org/Projects/Grilo Source0: https://download.gnome.org/sources/grilo/%{release_version}/grilo-%{version}.tar.xz Patch0001: 0001-Include-file-to-build-docs-with-meson.patch +# https://gitlab.gnome.org/GNOME/grilo/-/merge_requests/78 +Patch0002: 0002-net-Fix-TLS-cert-validation-not-being-done-for-any-n.patch BuildRequires: meson +BuildRequires: git BuildRequires: chrpath BuildRequires: gnome-common BuildRequires: intltool @@ -45,7 +48,7 @@ This package contains the core library and elements, as well as general and API documentation. %prep -%autosetup -p1 +%autosetup -p1 -S git %build %meson -Denable-gtk-doc=true @@ -97,6 +100,11 @@ rm -f $RPM_BUILD_ROOT%{_bindir}/grilo-simple-playlist %{_datadir}/vala/ %changelog +* Wed Aug 25 2021 Bastien Nocera - 0.3.6-3 ++ grilo-0.3.6-3 +- Fix TLS not being validated correctly +- Resolves: rhbz#1997234 + * Sat Jul 28 2018 Victor Toso - 0.3.6-2 - Switch to meson build system