diff --git a/SOURCES/mod_auth_mellon-0.13.1-CVE-2019-3878.patch b/SOURCES/mod_auth_mellon-0.13.1-CVE-2019-3878.patch
new file mode 100644
index 0000000..5b2fa26
--- /dev/null
+++ b/SOURCES/mod_auth_mellon-0.13.1-CVE-2019-3878.patch
@@ -0,0 +1,26 @@
+diff --git a/mod_auth_mellon.c b/mod_auth_mellon.c
+index 3d44460..36a3184 100644
+--- a/mod_auth_mellon.c
++++ b/mod_auth_mellon.c
+@@ -204,6 +204,12 @@ static int am_create_request(request_rec *r)
+ 
+ static void register_hooks(apr_pool_t *p)
+ {
++ /* Our handler needs to run before mod_proxy so that it can properly
++ * return ECP AuthnRequest messages when running as a reverse proxy.
++ * See: https://github.com/Uninett/mod_auth_mellon/pull/196
++ */
++ static const char * const run_handler_before[]={ "mod_proxy.c", NULL };
++
+ ap_hook_access_checker(am_auth_mellon_user, NULL, NULL, APR_HOOK_MIDDLE);
+ ap_hook_check_user_id(am_check_uid, NULL, NULL, APR_HOOK_MIDDLE);
+ ap_hook_post_config(am_global_init, NULL, NULL, APR_HOOK_MIDDLE);
+@@ -219,7 +225,7 @@ static void register_hooks(apr_pool_t *p)
+ * Therefore this hook must run before any handler that may check
+ * r->handler and decide that it is the only handler for this URL.
+ */
+- ap_hook_handler(am_handler, NULL, NULL, APR_HOOK_FIRST);
++ ap_hook_handler(am_handler, NULL, run_handler_before, APR_HOOK_FIRST);
+ return;
+ }
+ 
diff --git a/SPECS/mod_auth_mellon.spec b/SPECS/mod_auth_mellon.spec
index d9ce847..a669407 100644
--- a/SPECS/mod_auth_mellon.spec
+++ b/SPECS/mod_auth_mellon.spec
@@ -3,7 +3,7 @@
 Summary: A SAML 2.0 authentication module for the Apache Httpd Server
 Name: %{?scl:%scl_prefix}mod_auth_mellon
 Version: 0.13.1
-Release: 2%{?dist}
+Release: 2%{?dist}.1
 Group: System Environment/Daemons
 Source0: https://github.com/UNINETT/mod_auth_mellon/releases/download/v%{version}/mod_auth_mellon-%{version}.tar.gz
 Source1: auth_mellon.conf
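Review bot: The ordering guarantee added by `run_handler_before` reaches only the module it names, `mod_proxy.c`; any other module whose handler is registered at APR_HOOK_FIRST or earlier and is not in that list appears to be ordered relative to am_handler only by hook order and registration order, so it could still take the request before am_handler returns the ECP AuthnRequest. The comment above the array gives the ECP/reverse-proxy motivation but not that limit, so I would extend it with `* Only the modules listed here are forced to run after am_handler; any other handler registered at APR_HOOK_FIRST or earlier is not constrained by this list.` Minor style: `static const char * const run_handler_before[]={ "mod_proxy.c", NULL };` has uneven spacing; `static const char *const run_handler_before[] = { "mod_proxy.c", NULL };` reads like the surrounding lines. register_hooks continues between the two nested hunks, outside the patch, and the access_checker/check_user_id hooks stay at APR_HOOK_MIDDLE, untouched by this change.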
@@ -35,6 +35,7 @@ Patch3: lasso_error_check.patch
 Patch4: mellon_user_case_insensitive.patch
 Patch5: log_no_idp.patch
 Patch6: update_log_invalid_dst.patch
+Patch7: mod_auth_mellon-0.13.1-CVE-2019-3878.patch
 
 %description
 The mod_auth_mellon module is an authentication service that implements the
@@ -49,6 +50,7 @@ received in assertions generated by a IdP server.
 %patch4 -p1
 %patch5 -p1
 %patch6 -p1
+%patch7 -p1
 
 %build
 %if 0%{?scl:1}
@@ -118,6 +120,10 @@ tar -C %{buildroot}%{_pkgdocdir} -xf %{SOURCE5}
 %dir %{_localstatedir}/run/mod_auth_mellon/
 
 %changelog
+* Wed Apr 03 2019 Lubos Uhliarik - 0.13.1-2.1
+- Resolves: #1692458 - CVE-2019-3878 httpd24-mod_auth_mellon: mod_auth_mellon:
+  authentication bypass in ECP flow
+
 * Fri Jan 05 2018 Luboš Uhliarik - 0.13.1-2
 - Resolves: #1514391 - [RFE] Include mod_auth_mellon for RHSCL httpd24
 - Merged with RHEL-7.5 branch, SCLized spec