diff --git a/SOURCES/Always-free-ciphertext-data-in-gp_encrypt_buffer.patch b/SOURCES/Always-free-ciphertext-data-in-gp_encrypt_buffer.patch
new file mode 100644
index 0000000..560eff3
--- /dev/null
+++ b/SOURCES/Always-free-ciphertext-data-in-gp_encrypt_buffer.patch
@@ -0,0 +1,31 @@
+From 0c886210b7a740744e8319b3987845f2c27261e1 Mon Sep 17 00:00:00 2001
+From: Simo Sorce <simo@redhat.com>
+Date: Thu, 27 Aug 2020 15:35:40 -0400
+Subject: [PATCH] Always free ciphertext data in gp_encrypt_buffer
+
+Signed-off-by: Simo Sorce <simo@redhat.com>
+[rharwood@redhat.com: rewrote commit message]
+Reviewed-by: Robbie Harwood <rharwood@redhat.com>
+(cherry picked from commit fe9e3c29caab90daf19028fb31ff28622d8708a9)
+---
+ proxy/src/gp_export.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/proxy/src/gp_export.c b/proxy/src/gp_export.c
+index a5681c0..fb2f81b 100644
+--- a/proxy/src/gp_export.c
++++ b/proxy/src/gp_export.c
+@@ -308,10 +308,9 @@ static int gp_encrypt_buffer(krb5_context context, krb5_keyblock *key,
+     ret = gp_conv_octet_string(enc_handle.ciphertext.length,
+                                enc_handle.ciphertext.data,
+                                out);
+-    if (ret) {
+-        free(enc_handle.ciphertext.data);
+-        goto done;
+-    }
++    /* the conversion function copies the data, so free our copy
++     * unconditionally, or we leak */
++    free(enc_handle.ciphertext.data);
+ 
+ done:
+     free(padded);
diff --git a/SPECS/gssproxy.spec b/SPECS/gssproxy.spec
index 26640ff..dd89dd4 100644
--- a/SPECS/gssproxy.spec
+++ b/SPECS/gssproxy.spec
@@ -1,6 +1,6 @@
 Name:		gssproxy
 Version:	0.7.0
-Release:	29%{?dist}
+Release:	30%{?dist}
 Summary:	GSSAPI Proxy
 
 Group:		System Environment/Libraries
@@ -64,6 +64,7 @@ Patch46: Avoid-uninitialized-free-when-allocating-buffers.patch
 Patch47: Update-docs-to-reflect-actual-behavior-of-krb5_princ.patch
 Patch48: Fix-double-free-of-popt-context-when-querying-versio.patch
 Patch49: Make-syslog-of-call-status-configurable.patch
+Patch50: Always-free-ciphertext-data-in-gp_encrypt_buffer.patch
 
 ### Dependencies ###
 
@@ -159,6 +160,7 @@ A proxy for GSSAPI credential handling
 %patch47 -p2 -b .Update-docs-to-reflect-actual-behavior-of-krb5_princ
 %patch48 -p2 -b .Fix-double-free-of-popt-context-when-querying-versio
 %patch49 -p2 -b .Make-syslog-of-call-status-configurable
+%patch50 -p2 -b .Always-free-ciphertext-data-in-gp_encrypt_buffer
 
 %build
 autoreconf -f -i
@@ -221,6 +223,10 @@ rm -rf -- "%{buildroot}"
 
 
 %changelog
+* Mon May 17 2021 Robbie Harwood <rharwood@redhat.com> 0.7.0-30
+- Always free ciphertext data in gp_encrypt_buffer
+- Resolves: #1887438
+
 * Mon Apr 06 2020 Robbie Harwood <rharwood@redhat.com> 0.7.0-29
 - Make syslog of call status configurable
 - Resolves: #1373421